
SSH Setup on Linux Machines


wstran

MIS
Jul 18, 2002
46
US
I have two questions about setting up ssh on Linux workstations:

1. Basically what I did was to set up an ssh pub key so that host A didn't require a password for ssh to host B. From host A, I used ssh-keygen -t dsa to create 2 default-named keys (a pair) in the ~/.ssh/ directory (id_dsa and id_dsa.pub). When prompted for a passphrase, I just pressed enter to set it empty. Then I copied (scp) and appended (cat) the public key (id_dsa.pub) into host's /.ssh/authorized_keys2. Everything is OK when I ssh from host A to host B (without asking for a password); however, my first question is how I can ssh from host B to host A without a password.

2. Afterward, how do I set up ssh without password from host B to host C? Do I need to use ssh-keygen in both host B and C? How does this affect the ssh between host A and B?

Thanks for all ideas on how to do SSH!
 
1. Same operation, in reverse. You already have the keys, just copy B's to A and append it to A's authorized_keys2. If that file doesn't exist (as it won't the first time), you'll need to chmod it 640.

2. Same again, but you only use ssh-keygen on C. No effect on previous key setups, unless you accidentally overwrite authorized_keys2 (or re-run ssh-keygen on B).

 
Thanks lgarner for your quick answers.

Sorry that now I have another ssh question. The ssh setup I did only works for one user, but if I have some other users on hosts A and B, do I need to do the same things for each of the users? Thanks!
 
Yes.

Actually, you could copy the same private key, public key, and authorized_keys2 files to each user's home directory on both servers. This would work, but there's a big security issue here: each user can "ssh anotheruser@hostb" for any other user without a password.

 
lgarner, dangerous advice to dispense my friend.

wstran, lgarner needed to raise the profile on "big security issue" a bit, but hopefully you appreciate the underlying exposure.

D.E.R. Management - IT Project Management Consulting
 
Does this work when going from AIX server to Linux server and the other way?
 
It should; I don't have AIX so I don't know.

I rarely offer advice, and when I do it's typically prefaced with statements like "I'd suggest..." or "In my opinion..." I didn't recommend sharing keys as a solution and wouldn't do so. The security problem which I clearly stated is significant (or "big").

In my opinion, users shouldn't share passwords and neither administrators nor users should share keys. Administrators should be aware of how public/private key authentication works, though, and this information might be useful to someone if only in an academic sense.

I do feel a bit silly forgetting an even more obvious "hack" for ssh. The ssh program allows the use of a different key than you own via the "-i" option. I think that this would be preferable in any real-world scenario that I can imagine.
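
An audit for the key-sharing exposure discussed in this thread, as an added example that is not part of any poster's message: it lists public keys authorized for more than one account, and key files that group or others can write. The `<root>/<user>/.ssh/` layout, the function names, and the sample keys are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout: <root>/<user>/.ssh/authorized_keys{,2}

# Print "<user> <key-blob>" for each key line, skipping comments and any
# leading options such as from="..." (options containing spaces are not handled).
list_keys() {
    for f in "$1"/*/.ssh/authorized_keys "$1"/*/.ssh/authorized_keys2; do
        [ -f "$f" ] || continue
        user=$(basename "$(dirname "$(dirname "$f")")")
        awk -v u="$user" '
            /^[ \t]*#/ || NF == 0 { next }
            { for (i = 1; i < NF; i++)
                  if ($i ~ /^(ssh-(dss|rsa|ed25519)|ecdsa-sha2-)/) { print u, $(i+1); break } }
        ' "$f"
    done
}

# Print "<user1,user2,...> <key-blob>" for every key accepted by more than one account.
find_shared_keys() {
    list_keys "$1" | sort -u | awk '
        { n[$2]++; users[$2] = users[$2] (users[$2] ? "," : "") $1 }
        END { for (k in n) if (n[k] > 1) print users[k], k }' | sort
}

# Print key files writable by group or others (sshd with StrictModes rejects these).
find_writable_keyfiles() {
    find "$1" -type f -path '*/.ssh/authorized_keys*' \( -perm -020 -o -perm -002 \)
}

# Constructed sample tree: alice and bob authorize the same key, carol's file is mode 666.
# Call as $(make_sample) so the umask change stays in the subshell.
make_sample() {
    umask 022
    root=$(mktemp -d)
    for u in alice bob carol; do mkdir -p "$root/$u/.ssh"; done
    shared='ssh-dss AAAAB3NzaC1kc3MAAAshared'    # constructed placeholder, not a real key
    echo "$shared alice@hosta" > "$root/alice/.ssh/authorized_keys2"
    echo "from=\"hosta\" $shared alice@hosta" > "$root/bob/.ssh/authorized_keys2"
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAunique carol@hostc" > "$root/carol/.ssh/authorized_keys"
    chmod 666 "$root/carol/.ssh/authorized_keys"
    echo "$root"
}

sample=$(make_sample)
find_shared_keys "$sample"
find_writable_keyfiles "$sample"
rm -rf "$sample"
```

On a real host, pass the directory that holds the home directories (for example `/home`) and run it with enough privilege to read every user's `.ssh` directory.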
 