Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: Adserg on May 16, 2003, 03:20:39 PM

Title: SSH login & Password problem
Post by: Adserg on May 16, 2003, 03:20:39 PM
Hello All

Can anyone help here?

I have two SME boxes here, a 4.1.2 box and a 5.1.2 box, both in a test environment copying a customer setup. He wants to use rsync to sync both servers together.

I have asked this before and done quite a bit of searching, but I am still having this problem three months down the line.

I need to be able to ssh to the 5.1.2 box without being prompted by a password.

Below is how I have tried to do it.
=========================

ssh-keygen -t dsa (accepted default user and no password)

cp ~/.ssh/id_dsa.pub ~/.ssh/authorized_keys

scp ~/.ssh/id_dsa.pub asergent@172.31.4.2:~/.ssh/authorized_keys2
(asergent@172.31.4.2 password)

chmod 0700 ~/.ssh/authorized_keys

(now do the same on the receiving machine)

ssh asergent@172.31.4.2 ~/.ssh/authorized_keys2
(asergent@172.31.4.2 password)

rm ~/.ssh/id_dsa ~/.ssh/id_dsa.pub

I then try to log in to asergent@172.31.4.2 but it still prompts me for a password.
I need to get in without putting a password in. Does this need to be run from both ends?

Above commands taken from following site: http://slowest.net/docs/howtos/ssh/ssh-auto-login.html

I really could do with some help here.

Kindest Regards

Adserg
Title: Re: SSH login & Password problem
Post by: Robert on May 16, 2003, 05:55:48 PM
Are you removing your private key in that last command? That could be a bit of a problem if you then try to authenticate with it. Also, if you're only going to connect from the 4.1.2 to the 5.1.2, there's no use putting the 4.1.2's or 5.1.2's public key in the 4.1.2's authorized_keys2. You only need to put the 4.1.2's public key in the 5.1.2's authorized_keys (indeed, this got changed somewhere along the line) and KEEP the 4.1.2's private key on the 4.1.2.
Title: Re: SSH login & Password problem
Post by: Robert on May 16, 2003, 06:21:39 PM
Another thing to keep in mind is that the permission mode of authorized_keys can be no greater than 600 and must be owned by the authenticating user.
Title: Re: SSH login & Password problem
Post by: Adserg on May 16, 2003, 06:22:27 PM
Hi Robert

Could you give me an example with what I've put down on the previous page?

I have about 3 examples here, all slightly different. I have used the example from the Dungog site also.

Thanks for the reply Robert
Title: Re: SSH login & Password problem
Post by: Adserg on May 16, 2003, 07:56:50 PM
Robert, I don't think that's what I am doing. Any suggestions?

Robert's reply below.
===================================================
Also, if you're only going to connect from the 4.1.2 to the 5.1.2,
there's no use putting the 4.1.2's or 5.1.2's public key in the 4.1.2's authorized_keys2.

 You only need to put the 4.1.2's public key in the 5.1.2's authorized_keys
(indeed, this got changed somewhere along the line) and KEEP the 4.1.2's private key on the 4.1.2.

+++++++++++++++++++++++++++++++++++++++++++++++++++++
Robert, this seemed OK to me? I'll put the server versions beside each statement; maybe I have confused you, my apologies if I have.

SME 4.1.2 to 5.1.2

ssh-keygen -t dsa (accepted default user and no password)  (4.1.2)

cp ~/.ssh/id_dsa.pub ~/.ssh/authorized_keys (4.1.2)

scp ~/.ssh/id_dsa.pub asergent@172.31.4.2:~/.ssh/authorized_keys2 (5.1.2)
(asergent@172.31.4.2 password)

chmod 0700 ~/.ssh/authorized_keys (4.1.2)

(now do the same on the receiving machine)

ssh asergent@172.31.4.2 ~/.ssh/authorized_keys2 (5.1.2)
(asergent@172.31.4.2 password)

rm ~/.ssh/id_dsa ~/.ssh/id_dsa.pub (4.1.2)

I then try to log in to asergent@172.31.4.2 but it still prompts me for a password.
I need to get in without putting a password in. Does this need to be run from both ends?


I was also thinking that using a username@ipaddress might be upsetting things a bit.

Thanks again Robert for your help.
Title: Re: SSH login & Password problem
Post by: Robert on May 16, 2003, 08:11:50 PM
Let's call the machine running the ssh client for the connection "client", and the one running the ssh server "server". On "client" do:
[adserg@client]$ ssh-keygen -t dsa
This will put two files in ~/.ssh/ on "client", namely id_dsa, which is your private key, and id_dsa.pub, which is your public key. Now copy ~/.ssh/id_dsa.pub to your home directory on "server" either with scp or with sftp (Don't copy it straight to ~/.ssh/authorized_keys on "server" as that will overwrite the file and make you lose all previous entries). Now ssh to "server" from "client", and on "server" do:
[adserg@server]$ cat ~/id_dsa.pub >> ~/.ssh/authorized_keys
[adserg@server]$ chmod 600 ~/.ssh/authorized_keys
Close ssh connection and try to connect from "client" to "server". Should work without a password or passphrase if you didn't specify one.
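The procedure Robert describes (append the public key rather than overwrite, mode 600, owned by the user) as a small POSIX shell helper. This is an added example, not code from the thread; it runs against a local `.ssh` directory, so on a real "server" you would point it at the target user's `~/.ssh` after copying the `.pub` file there.

```shell
#!/bin/sh
# Added example: install a public key into authorized_keys the safe way.
#   install_pubkey <pubkey-file> <ssh-dir>
# Appends (never overwrites), skips duplicates, and sets the modes sshd expects.

install_pubkey() {
    pub="$1"
    sshdir="$2"
    auth="$sshdir/authorized_keys"

    # Refuse anything that is not a one-line OpenSSH public key.
    # id_dsa.pub starts with "ssh-dss", id_rsa.pub with "ssh-rsa".
    [ -f "$pub" ] || return 1
    keytype=$(cut -d' ' -f1 "$pub")
    case "$keytype" in
        ssh-rsa|ssh-dss) ;;
        *) return 1 ;;
    esac

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$auth"

    # ">>" keeps existing entries; grep -xF makes the install idempotent.
    key=$(cat "$pub")
    if ! grep -qxF "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi

    # Robert's point: sshd ignores authorized_keys wider than 600.
    chmod 600 "$auth"
}

# check_perms <ssh-dir>: 0 if authorized_keys is mode 600 and owned by us.
check_perms() {
    f="$1/authorized_keys"
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    owner=$(stat -c %U "$f" 2>/dev/null || stat -f %Su "$f")
    [ "$mode" = "600" ] && [ "$owner" = "$(id -un)" ]
}

# count_keys <ssh-dir>: number of key lines present.
count_keys() {
    grep -c '^ssh-' "$1/authorized_keys"
}
```

Source the file and run `install_pubkey ~/id_dsa.pub ~/.ssh` on the server; `check_perms ~/.ssh` tells you whether the permissions Robert mentions are in place.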
Title: Re: SSH login & Password problem
Post by: Robert on May 16, 2003, 09:27:50 PM
>Robert, this seemed OK to me? I'll put the server versions beside each statement; maybe I have confused you, my apologies if I have.
>
>SME 4.1.2 to 5.1.2
>
>ssh-keygen -t dsa (accepted default user and no password) (4.1.2)
>
Correct.

>cp ~/.ssh/id_dsa.pub ~/.ssh/authorized_keys (4.1.2)
>
This allows you to use public key authentication between the ssh client running on localhost and the ssh server running on localhost (Well, it would if you copied to authorized_keys2). Probably not what you're after.

>scp ~/.ssh/id_dsa.pub asergent@172.31.4.2:~/.ssh/authorized_keys2 (5.1.2)
>(asergent@172.31.4.2 password)
>
Almost correct. The ssh server on 5.1.2 expects all authorized keys to be in authorized_keys. It's the ssh server on 4.1.2 that expects the ssh2 keys to be in authorized_keys2 and the ssh1 keys in authorized_keys.

>chmod 0700 ~/.ssh/authorized_keys (4.1.2)
>
No, you don't need authorized_keys on the client machine.

>(now do the same on the receiving machine)
>
Yes, almost. Make it chmod 600.

>ssh asergent@172.31.4.2 ~/.ssh/authorized_keys2 (5.1.2)
>(asergent@172.31.4.2 password)
>
You're trying to run the command "authorized_keys2" here. Not sure what you think that would do.

>rm ~/.ssh/id_dsa ~/.ssh/id_dsa.pub (4.1.2)
>
Of course it will never work if you throw away the key!

>I then try to log in to asergent@172.31.4.2 but it still prompts me for a password.
>I need to get in without putting a password in. Does this need to be run from both ends?
>
See if setting it up correctly helps anything.

>I was also thinking that using a username@ipaddress might be upsetting things a bit.
>
It might if the keypair is for a different user than the one you're trying to connect as.
Title: Obsolete versions (Re: SSH login & Password problem)
Post by: Charlie on May 16, 2003, 10:55:31 PM
Adserg wrote:

> I have two SME boxes here, a 4.1.2 box and a 5.1.2 box, both in
> a test environment copying a customer setup.

Both of those versions are beyond end-of-life. Nobody is producing security updates for them, and they both have known security flaws.

Charlie
Title: Re: SSH login & Password problem
Post by: Derek on May 16, 2003, 11:46:33 PM
Try the ssh keys and expect packages from here:

http://www.ifost.org.au/~peterw/

(adds a server manager panel that automates the process)

The unison package is also very useful
Title: Re: Obsolete versions (Re: SSH login & Password problem)
Post by: Adserg on May 17, 2003, 12:48:26 AM
Yup, I know, Charlie, that's why they are both sitting behind Smoothwall.

This is simply an internal process. This customer is very happy with 4.1.2, which was put in to replace his NT server, and it has run every day without a hitch. The customer sees no need to change anything and it's just acting as a file and print server. The 5.1.2 server was facing the outside world, but not anymore. After I read on this forum that 5.1.2 should now be considered insecure, I changed it.

The 5.1.2 server is just going to act as an rsync server with disks being taken off site.

As always, thank you all very much for all of your input, Robert, Derek, Charlie.
Title: Re: SSH login & Password problem
Post by: Dan Williams on May 20, 2003, 10:19:52 PM
This is what works for me, have tried it several times just to be sure:
++++++++++++

Step1 Create Users:
"What I did here was on server1 and server2 created a user through the Server
Manager called "rsa" "

Step2 Give both users shell access:
"I then used the Server Manager User Shell contrib to give the rsa users shell
access (I did not know how to do it from command line)"

Step3 Create Keys:
Using PuTTY I logged into the remote server as the user "rsa" and ran mkdir ~/.ssh,
then logged back out.
Using PuTTY I logged into the local server as the user "rsa" and ran mkdir ~/.ssh
(It was also explained to me that the ~ saves having to enter the entire path to
the home directory.)
(IE entering mkdir ~/.ssh is the same as entering mkdir
/home/e-smith/files/users/rsa/.ssh)

Step4 Use the program ssh-keygen to create your encryption keys :
Still logged into the local server as user "rsa" cd to ~/.ssh
ssh-keygen -t rsa [accept file name id_rsa][don't enter a passphrase] ( you
should end up hitting enter 3 times)

Step5 Copy the public key to the remote server:
scp id_rsa.pub remote.server.net:.ssh/local.pub
A comment about the authenticity of remote.server.net can't be established.
RSA key fingerprint is (whole bunch of characters)
Are you sure you want to continue connecting (yes/no)
I selected yes.
Then a warning message comes up about permanently adding remote.server.net
(RSA) to the list of known hosts.
It then prompts you for the rsa user's password on the remote server; enter that and it
copies the key.

Step6 slogin to the remote server and add your public key to the file
authorized_keys:
Still logged into the local server using PuTTY.
slogin remote.server.net, and enter the password. It will authenticate and you
will now be logged in to the remote server.
cd .ssh
cat local.pub >> authorized_keys
Log out of the remote server.

Now you should be able to slogin to the remote server from the local server
without being prompted for your password.

Hope this helps.
Dan
Title: Re: SSH login & Password problem
Post by: Adserg on May 21, 2003, 03:40:03 PM
Thanks Dan


Again, really useful.

Cheers.

All working now, cheers all.

Adserg