Antonello Piemonte
email (remove the pig noise): apiemont at SNORT googlemail dot com
One of the most useful features of SSH is that it can be set up so that logging in does not require typing a password, much as it used to be with the obsolete r-commands (rlogin, rsh and rcp), except that the trust is now based on a key pair rather than on the client's host name.
For example, if a user has an account called user1 on a machine called box1 and wants to log in over ssh from there to an account called user2 on another machine called box2, only two simple steps are required: first create your private and public keys on box1 (if you have not done so already), then copy the public key to box2.
If you have already generated ssh keys you will find them in your ~/.ssh directory on box1. There are two possible key pairs depending on the algorithm chosen at generation time, DSA or RSA. DSA produces the pair id_dsa (private key) and id_dsa.pub (public key, note the .pub at the end); RSA produces id_rsa (private key) and id_rsa.pub (public key). So if you have at least one of the key pairs (private and public) you can skip the first step and proceed to the second and last one. Otherwise the first step is accomplished with this command for DSA keys:
user1@box1~> ssh-keygen -t dsa
or this command for RSA keys:
user1@box1~> ssh-keygen -t rsa
Prefer RSA: OpenSSH releases from 7.0 (2015) on refuse ssh-dss keys by default, so a DSA key will no longer get you into a current server (OpenSSH 6.5 and later also offer ssh-keygen -t ed25519). Either way, ssh-keygen will ask for a passphrase. Hitting "Enter" gives a key without passphrase, which is what makes the login completely password-free, but it also means that anyone who copies the file id_dsa or id_rsa can log in as you on every machine where you installed the public key; a passphrase together with ssh-agent gives the same convenience with much less exposure. The command creates the key pair and puts it in ~/.ssh/.
Always remember never to hand the private key to anyone, anywhere, by any means!
The second step consists in placing the public key on the remote computer box2. The contents of that file must be appended to the file .ssh/authorized_keys in the remote account. This implies that the .ssh directory already exists on box2; if it does not, the easiest way to create it is to log in on box2 and perform an ssh login from there to any other machine. This way the .ssh directory is created with the appropriate permissions and ownership (mode 700, owned by you). The permissions matter: with its default StrictModes setting sshd ignores authorized_keys whenever that file or the .ssh directory is writable by group or others, and the only symptom is that you keep being asked for a password.
Now back to the second step: it can be done manually by appending the contents of your public key, but that is tedious, especially when you manage many different accounts on different machines. A more elegant way is to type (on box1):
user1@box1~> cat ~/.ssh/id_dsa.pub | ssh user2@box2 "cat >> .ssh/authorized_keys"
This command does it all at once, i.e. appends the contents of the box1 public key to the proper file on box2 (use id_rsa.pub if you generated RSA keys; this is the last time you will be asked for user2's password). After this, try again
user1@box1~> ssh user2@box2
and no password should be required from now on. The same holds for copying files; for example
user1@box1~> scp -r ~/path/to/somedir/ user2@box2:~/else/where/
will place a recursive copy of somedir from box1 as ~/else/where/somedir/ on box2 without asking for a password.
Still confused? Well, think of it this way: with the r-commands (rlogin etc.) one needs to add the username and host to the .rhosts file on the remote machine, whereas with Secure Shell one needs to add the local public key to the .ssh/authorized_keys file on the remote machine.
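The two steps above collected into one script, as an added example (this is not code from the original page). append_authorized_key does what the cat | ssh one-liner does plus the two details that bite in practice: it creates ~/.ssh and authorized_keys with owner-only permissions (otherwise sshd's default StrictModes ignores the file) and it skips a key that is already present, so running it twice leaves no duplicate lines. install_key ships that same function to the remote account. The names user1@box1 and user2@box2 are the page's hypothetical ones; install_key assumes bash on the local side for declare -f, everything else is POSIX sh.

```shell
#!/bin/bash
# Added example, not from the original page. user2@box2 is the page's
# hypothetical remote account.

# Read one public-key line from stdin and append it to FILE (default
# ~/.ssh/authorized_keys) unless an identical line is already there.
# Directory and file end up 700/600: with StrictModes yes (sshd's default)
# a group- or world-writable ~/.ssh or authorized_keys is ignored and you
# keep getting password prompts.
append_authorized_key() {
    file=${1:-$HOME/.ssh/authorized_keys}
    key=$(cat)                      # e.g. "ssh-rsa AAAA... user1@box1"
    [ -n "$key" ] || { echo "no public key on stdin" >&2; return 1; }
    # umask 077 in a subshell: a new dir/file gets 700/600 without changing
    # the caller's umask. The chmods repair a pre-existing loose mode.
    ( umask 077 && mkdir -p "$(dirname "$file")" && touch "$file" ) || return 1
    chmod 700 "$(dirname "$file")" && chmod 600 "$file" || return 1
    if grep -qFx -- "$key" "$file"; then        # literal, whole-line match
        echo "key already present in $file" >&2
    else
        printf '%s\n' "$key" >> "$file"
    fi
}

# Run the same function on the remote account, feeding the local public key
# on stdin. Replaces: cat ~/.ssh/id_rsa.pub | ssh user2@box2 "cat >> ..."
# Needs bash locally (declare -f prints the function definition); the remote
# login shell only has to be POSIX sh.
install_key() {
    target=$1                                   # e.g. user2@box2
    pubkey=${2:-$HOME/.ssh/id_rsa.pub}
    [ -f "$pubkey" ] || { echo "$pubkey missing; run ssh-keygen -t rsa first" >&2; return 1; }
    ssh "$target" "$(declare -f append_authorized_key); append_authorized_key" < "$pubkey"
}

# Usage: install_key user2@box2
```

Current OpenSSH ships ssh-copy-id, which does essentially the same job in one command: ssh-copy-id -i ~/.ssh/id_rsa.pub user2@box2.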
Let's assume that you need to move data between two computers but cannot do it directly for some reason. What people normally do is copy the data from one host to an intermediate one (a gateway) and then again from the gateway to the final one, a quite tedious process.
However, with the aid of Secure Shell we can automate this by creating a so-called ssh tunnel (local port forwarding). Suppose that rivendell is your private laptop, which you can only plug into the external network of your organization, meaning it cannot connect directly to hosts in the internal network. The other actors of the drama are the gateway machine, which lets you into the internal network (let's call it moria), and a target machine within the internal network (let's call it mordor). So to go from rivendell to mordor you have to pass through moria. Does it sound familiar? Good! :-) A little ASCII art to visualize the situation:
rivendell <--- moria (gateway) ---> mordor
First step: on rivendell you open the tunnel by typing in a terminal
rivendell$ ssh -L 22222:mordor:22 moria
You will be asked for your moria password, and then you are logged into moria. The -L option makes ssh on rivendell listen on local TCP port 22222 and forward every connection made to it, through the encrypted session with moria, to port 22 on mordor; the name mordor is resolved by moria, so it only has to be valid on the internal network, and by default the forwarded port listens only on rivendell's loopback interface, so nobody else can ride your tunnel. Now leave this terminal open, and in another one (also on rivendell) type
rivendell$ ssh -p 22222 localhost
Enter your password for mordor, and you will get into it! What you just achieved is to go from rivendell to mordor, using a tunnel through moria. This second connection checks mordor's host key like any other; current OpenSSH files it in known_hosts as [localhost]:22222, so if you later point port 22222 at a different machine you will get a host-key-changed warning that is a false alarm, while the same warning with an unchanged target is exactly the one you should take seriously. On rivendell you can put an alias like this
alias sshmordor='ssh -p 22222 localhost'
into your .bashrc (if you use the bash shell). Note that here I am assuming the TCP port 22222 is not already used by some other program. You can get a list of used TCP ports on rivendell by typing (for example)
rivendell$ netstat -ntl | awk '{print $4}' | cut -d: -f2
(on current Linux systems netstat has been superseded by ss -ltn, whose fourth column is the same). The point is to use some unused high port.
To move data interactively back and forth between rivendell and mordor, after you have set up the tunnel you can use one of these commands
rivendell$ lftp fish://username@localhost:22222
rivendell$ sftp -oPort=22222 localhost
Again you will be asked for your mordor password.
Note that you can define multiple tunnels in a single command, e.g.
rivendell$ ssh -L 22222:mordor:22 -L 22333:mirkwood:22 -L 22444:lorien:22 moria
so you can connect to the different places by just changing the ssh port, e.g. you will get respectively into mordor, mirkwood or lorien with
rivendell$ ssh -p 22222 localhost
rivendell$ ssh -p 22333 localhost
rivendell$ ssh -p 22444 localhost
I recommend lftp for its advanced features (it supports encrypted connections, has many builtin commands with tab completion, automatically resumes interrupted downloads, and more; see the manual page). One last tip: if you happen to have a recent enough KDE desktop, you can type
fish://username@localhost:22222
in the Konqueror location bar and use the file manager to copy data. Enjoy!
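The multi-tunnel setup above as an added example (this is not code from the original page). The script validates the list of localport:target pairs before handing it to ssh (every local port must be unprivileged and used only once, since a second -L on the same port fails to bind), checks that each local port is free using the netstat pipeline from the text with ss as fallback, opens all forwards in one background connection to the gateway, and connects through a forward with HostKeyAlias so that the host key is recorded under the target's real name rather than as [localhost]:22222. rivendell, moria, mordor, mirkwood and lorien are the page's hypothetical hosts; -N, -f, ExitOnForwardFailure and HostKeyAlias are standard OpenSSH client options.

```shell
#!/bin/sh
# Added example, not from the original page. Host names are the page's
# hypothetical ones (moria = gateway, mordor/mirkwood/lorien = targets).

# Turn "localport:target" pairs into the -L arguments for the gateway
# session. Each target is resolved by the gateway, not by this laptop.
tunnel_args() {
    seen=" "
    out=""
    for spec in "$@"; do
        case $spec in
            *:*) ;;
            *) echo "expected localport:target, got '$spec'" >&2; return 1 ;;
        esac
        port=${spec%%:*}
        target=${spec#*:}
        case $port in
            ''|*[!0-9]*) echo "bad local port in '$spec'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
            echo "local port $port: use an unprivileged port (1024-65535)" >&2
            return 1
        fi
        [ -n "$target" ] || { echo "empty target in '$spec'" >&2; return 1; }
        case $seen in
            *" $port "*) echo "local port $port used twice" >&2; return 1 ;;
        esac
        seen="$seen$port "
        out="$out -L $port:$target:22"
    done
    printf '%s\n' "${out# }"
}

# True (exit 0) if something already listens on local TCP port $1. Uses the
# netstat pipeline from the text, falling back to ss where netstat is gone;
# column 4 is the local address in both outputs. With neither tool present
# the port is reported free, so still read what ssh prints.
port_in_use() {
    { netstat -ntl 2>/dev/null || ss -ltn 2>/dev/null; } |
        awk -v p="$1" '{ a = $4; sub(/.*:/, "", a); if (a == p) hit = 1 } END { exit !hit }'
}

# Open every forward in one background connection to the gateway.
# -N: no remote shell; -f: background after authentication;
# ExitOnForwardFailure: do not quietly background with a dead forward.
open_tunnels() {
    gateway=$1; shift
    args=$(tunnel_args "$@") || return 1
    for spec in "$@"; do
        if port_in_use "${spec%%:*}"; then
            echo "local port ${spec%%:*} is already in use on this host" >&2
            return 1
        fi
    done
    # $args is deliberately unquoted so it splits into separate -L options
    ssh -f -N -o ExitOnForwardFailure=yes $args "$gateway"
}

# Log in through one forward. Without HostKeyAlias, ssh files the target's
# host key as "[localhost]:22222"; pointing that port at another machine
# later then raises a spurious host-key-changed warning, and a real change
# on the target is harder to notice. Extra ssh options pass through.
via_tunnel() {
    port=$1; target=$2; shift 2
    ssh -p "$port" -o HostKeyAlias="$target" "$@" localhost
}

# Usage:
#   open_tunnels moria 22222:mordor 22333:mirkwood 22444:lorien
#   via_tunnel 22222 mordor
#   sftp -oPort=22222 -oHostKeyAlias=mordor localhost
```

On OpenSSH 7.3 or newer the single hop can also be written without any local port as ssh -J moria mordor (ProxyJump), which checks mordor's host key under its own name; the -L form is still what you need when lftp or sftp must talk to a fixed local port.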
This page last modified March 13, 2005