ssh sshfs scp publickey

SSH sshfs scp publickey authentication

This is just a model of the process, showing the key files needed, and what they contain, for ssh/sshfs/scp connections. It was written against OpenSSH 5.1 (the sshd_config example below says so); where a default or an option has changed in later releases, that is noted in place.

SSH with publickey authentication:


Client

To generate default keys - id_rsa [private key] and id_rsa.pub [public key]:

$ ssh-keygen -t rsa -b 4096

[a bare 'ssh-keygen' generated an RSA pair on the OpenSSH release this page was written against; current releases default to ed25519 (id_ed25519 / id_ed25519.pub), which is the better choice where both ends support it - '-t rsa -b 4096' keeps the file names used on this page. Give the key a passphrase unless it is for an unattended job.]

To regenerate a lost public key from the private key:
$ ssh-keygen -yf id_rsa > id_rsa.pub

Private keys:
'identity' only needed for protocol 1 (protocol 1 is broken and has since been removed from OpenSSH)
'id_dsa' only needed for DSA/DSS authentication (authentication, not encryption - the key only signs; ssh-dss keys have been disabled by default since OpenSSH 7.0)

Moduli are only needed on the server, for the Diffie-Hellman group-exchange key exchange methods (key exchange, not encryption - the file holds public primes, no secrets):
$ man moduli
DESCRIPTION
The /etc/ssh/moduli file contains prime numbers and generators for use
by sshd(8) in the Diffie-Hellman Group Exchange key exchange method.

To find out where ssh's compiled-in default paths are:

$ strings -a /path/to/ssh | grep -E "ssh_config|known_"
/etc/ssh/ssh_config
~/.ssh/known_hosts

(on OpenSSH 6.8 and later 'ssh -G server.com' prints every option, paths included, exactly as ssh resolves it for that host - the surest way to check a config)

/etc/ssh/ssh_config:

ssh keeps the FIRST value it obtains for each option (command line first, then ~/.ssh/config, then /etc/ssh/ssh_config, and within a file top to bottom), so host-specific blocks must be placed before the catch-all 'Host *' block. IdentityFile is the one exception: every IdentityFile that applies is added to the list of keys tried.

* [2] for example - server-2 with a different client key, port, and user account:
Host server-2.com
IdentityFile ~/.ssh/SC-key
Port 2222
User <account-name>

* [3] for example - a modem/router where the client publickey can't be installed in 'authorized_keys'
      and so password authentication is needed:
Host 192.168.1.3
PasswordAuthentication yes

The options above are NOT overridden by the following 'all' options:

Host *
IdentityFile ~/.ssh/identity # only needed for protocol 1
IdentityFile ~/.ssh/id_rsa   # private key for publickey rsa authentication to server
IdentityFile ~/.ssh/id_dsa   # not needed if using only rsa authentication
RSAAuthentication yes        # protocol 1 only - protocol 2 publickey authentication is 'PubkeyAuthentication yes', the default
PasswordAuthentication no    # 'yes' for host 192.168.1.3 [3], but 'no' for all others
Protocol 2                   # protocol 1 not used

etc. with ssh_config defaults.

['User' defaults to user on client]
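The 'first value wins' rule is easy to get backwards, so here is an added example (not part of the original page) that emulates it in Python over the ssh_config shown above, and over the same directives with the 'Host *' block moved to the top, where the router's 'PasswordAuthentication yes' from [3] is shadowed and the login would fail. It is a simplification: glob patterns only, no negated patterns, Match blocks or Include, and only a few built-in defaults, which are assumed from ssh_config(5). The real check is 'ssh -G server-2.com', which prints the options as ssh itself resolves them.

```python
import fnmatch

# Client ssh_config from this page: host-specific blocks first, the catch-all 'Host *' last.
SSH_CONFIG = """\
Host server-2.com
IdentityFile ~/.ssh/SC-key
Port 2222
User account-name

Host 192.168.1.3
PasswordAuthentication yes

Host *
IdentityFile ~/.ssh/id_rsa
PasswordAuthentication no
Protocol 2
"""

# The same directives with 'Host *' moved to the top - the ordering mistake the page warns against.
_blocks = SSH_CONFIG.strip().split("\n\n")
WRONG_ORDER = "\n\n".join([_blocks[2], _blocks[0], _blocks[1]]) + "\n"

# IdentityFile is the exception to first-wins: every applying IdentityFile is tried in turn.
APPEND_OPTIONS = {"identityfile"}

# Built-in defaults used when no block sets the option (subset; assumed from ssh_config(5)).
DEFAULTS = {"port": "22", "passwordauthentication": "yes", "pubkeyauthentication": "yes"}


def parse_blocks(text):
    """Split ssh_config into [(host_patterns, [(option, value), ...])] in file order."""
    blocks, patterns, options = [], ["*"], []   # lines before any 'Host' apply to every host
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:     # 'Port=2222' form
            parts = parts[0].split("=", 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), []
        else:
            options.append((key, value))
    blocks.append((patterns, options))
    return blocks


def resolve(text, host, user=None):
    """Emulate ssh's rule: for each option the first value obtained wins, so a later
    'Host *' block cannot override an earlier host-specific block (and vice versa)."""
    result = {"user": user} if user else {}        # 'ssh user@host' is seen before any config file
    for patterns, options in parse_blocks(text):
        if not any(fnmatch.fnmatchcase(host, p) for p in patterns):
            continue
        for key, value in options:
            if key in APPEND_OPTIONS:
                result.setdefault(key, []).append(value)
            elif key not in result:
                result[key] = value
    for key, value in DEFAULTS.items():
        result.setdefault(key, value)
    return result


if __name__ == "__main__":
    for host in ("server.com", "server-2.com", "192.168.1.3"):
        print(host, resolve(SSH_CONFIG, host))
    # With 'Host *' first the router's 'PasswordAuthentication yes' is never reached.
    print("Host * first, router:", resolve(WRONG_ORDER, "192.168.1.3")["passwordauthentication"])
```

Run it and compare with 'ssh -G <host> | grep -iE "^(port|user|identityfile|passwordauthentication) "' on a machine carrying the same config; any difference is a pattern or option this emulation does not model.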

Server

To find out where sshd's compiled-in default paths are:

$ strings -a /path/to/sshd | grep -E "rsa_key|authorized_keys"
/etc/ssh/ssh_host_rsa_key
.ssh/authorized_keys

('sshd -T' prints the effective configuration with every default filled in, and 'sshd -t' checks the config file and host keys without starting the daemon)

Generate the server host key (once, as root - host keys never get a passphrase, which is what -N "" does):

$ ssh-keygen -t rsa -b 4096 -N "" -f /etc/ssh/ssh_host_rsa_key

[the original used '-b 768': a 768-bit RSA modulus has been publicly factored and gives no security; use 3072 or 4096 bits for RSA, and on current releases 'ssh-keygen -A' creates every missing host key type (rsa, ecdsa, ed25519) with sane sizes in one go]


/etc/ssh/sshd_config:

Set up for protocol 2 only and publickey authentication - relevant defaults are shown and commented out (#):

Protocol 2
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key         # host/server private key
#ServerKeyBits 768                         # protocol 1 ephemeral server key only - ignored with 'Protocol 2', removed from current releases
#RSAAuthentication yes                     # protocol 1 only
#PubkeyAuthentication yes                  # protocol 2 publickey authentication - the default
AuthorizedKeysFile /.ssh/authorized_keys   # note leading '/' - default is .ssh/authorized_keys, relative to each user's home
                                           # directory; an absolute path with no %h/%u token is ONE file shared by every
                                           # account, so any key in it can log in as ANY user - '%h/.ssh/authorized_keys'
                                           # keeps one file per user
PasswordAuthentication no
Subsystem sftp /path/to/sftp-server        # for sshfs [or sftp]  [4]

'PasswordAuthentication no' on its own is not enough where sshd is built with PAM: ChallengeResponseAuthentication (KbdInteractiveAuthentication from OpenSSH 8.7) defaults to yes and lets PAM prompt for the password anyway, so set it to no as well. PermitRootLogin is not shown on this page; it defaulted to 'yes' before OpenSSH 7.0 and should be 'no' (or 'prohibit-password' if root must accept keys).

etc. with sshd_config defaults.
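As an added example, not from the page, a small Python audit of the sshd_config above against the publickey-only intent: it flags the protocol-1-only ServerKeyBits line, the shared absolute AuthorizedKeysFile, the unset ChallengeResponseAuthentication/KbdInteractiveAuthentication and the unset PermitRootLogin, and it passes on a hardened variant written here for comparison. The directive defaults it relies on are taken from sshd_config(5) as assumptions; the real check on a live host is 'sshd -T', which prints the effective configuration.

```python
# sshd_config from this page, reduced to the directives the audit looks at (defaults omitted, as on the page).
SSHD_CONFIG = """\
Protocol 2
ServerKeyBits 768
AuthorizedKeysFile /.ssh/authorized_keys
PasswordAuthentication no
Subsystem sftp /path/to/sftp-server
"""

# Hardened variant written for this example: per-user authorized_keys, keyboard-interactive off, no root login.
HARDENED_SSHD_CONFIG = """\
Protocol 2
AuthorizedKeysFile %h/.ssh/authorized_keys
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
Subsystem sftp /path/to/sftp-server
"""


def parse_sshd_config(text):
    """{option: value}, keeping the FIRST occurrence of each option as sshd does."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return conf


def audit(text):
    """Findings for a publickey-only sshd; the defaults assumed below are from sshd_config(5)."""
    conf = parse_sshd_config(text)
    findings = []
    if "1" in conf.get("protocol", "2").split(","):
        findings.append("Protocol: SSH-1 enabled - broken and removed from current OpenSSH")
    if "serverkeybits" in conf:
        findings.append("ServerKeyBits: protocol-1 ephemeral server key only - no effect with Protocol 2")
    for path in conf.get("authorizedkeysfile", ".ssh/authorized_keys").split():
        if path.startswith("/") and "%h" not in path and "%u" not in path:
            findings.append("AuthorizedKeysFile %s: absolute path without %%h/%%u is one file shared by "
                            "all accounts - any key in it logs in as any user" % path)
    if conf.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication: not 'no' - password logins remain possible")
    kbd = conf.get("kbdinteractiveauthentication", conf.get("challengeresponseauthentication", "yes"))
    if kbd != "no":
        findings.append("ChallengeResponseAuthentication/KbdInteractiveAuthentication: defaults to yes, so with "
                        "UsePAM a password can still be asked for through keyboard-interactive")
    if "permitrootlogin" not in conf:
        findings.append("PermitRootLogin: not set - the default was 'yes' before OpenSSH 7.0")
    return findings


if __name__ == "__main__":
    for name, text in (("page", SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, "findings:")
        for f in audit(text):
            print("  -", f)
```

Because sshd keeps the first occurrence of a directive, a stray 'PasswordAuthentication yes' above the hardened lines re-enables passwords even though a 'no' follows; the audit reports exactly that case.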

Summary

[1] .. ssh to server:

On server we need:
sshd running as daemon or,
     launched from inetd    # /etc/inetd.conf:  ssh stream tcp nowait root /path/to/sshd  sshd -i
/etc/ssh/sshd_config
/etc/ssh/ssh_host_rsa_key   # server private key - mode 0600, owned by root
/.ssh/authorized_keys       # concatenated list of client publickeys for publickey authentication, one per line
                              - need only rsa publickey if using only rsa authentication
                              - with 'StrictModes yes' (the default) sshd ignores the file if it, its directory
                                or the home directory is writable by anyone other than the owner

On client we need:
/etc/ssh/ssh_config
~/.ssh/id_rsa               # privatekey for publickey authentication - mode 0600, or ssh refuses to load it
~/.ssh/known_hosts          # concatenated list of host/server publickeys, one per line
[2] .. ssh to server-2 using a different key and as a different user:

On client we need:
~/.ssh/SC-key               # privatekey for publickey authentication on server-2

and entry [2] in /etc/ssh/ssh_config
[3] .. ssh to router using password authentication:

On client we need:
entry [3] in /etc/ssh/ssh_config
[4] .. using sshfs [or sftp]:

On server - added to sshd_config:

Subsystem sftp /path/to/sftp-server

If we want all the files in the same directory, the paths can be overridden in the 'config' files or on the command line.

There is no need to write 'ssh user@server.com' when [a] the client and server user names are the same, or [b] the user for that server is set in ssh_config - just use 'ssh server.com' or 'ssh server-2.com' ..

Use these commands for connections:

[1] ssh   to server    ⇒  ssh server.com

[2] ssh   to server-2  ⇒  ssh server-2.com

[3] ssh   to router    ⇒  ssh admin@192.168.1.3                      # prompts for password

[4] sshfs to server    ⇒  sshfs 192.168.1.4:/ /<mount-point-on-client>

    scp   to server    ⇒  scp file server.com:/path/to/[new-]file    # needs scp on the server with OpenSSH before 9.0; from 9.0 scp uses the SFTP protocol, so the sftp subsystem [4] is what is needed ('scp -O' forces the old protocol)

Important! - when using sshfs, make sure that all symlinks on the server are relative and not absolute, otherwise, when mounted, you will find they point into your workstation's filesystem and not to the required file on the server. ('sshfs -o transform_symlinks' rewrites absolute link targets to be relative to the mount point, and '-o follow_symlinks' resolves links on the server side instead.)

For the first connection to a server, when its host key is not yet in known_hosts, the following message appears if 'StrictHostKeyChecking ask' - the default - is in effect. ONLY accept if you are absolutely sure you have connected to the server you want: compare the fingerprint with one obtained out of band, e.g. 'ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub' run on the server's console (current releases print a SHA256 fingerprint; add '-E md5' for the hex form shown below). Answering 'yes' stores the key in known_hosts and every later connection is checked against it; a later 'REMOTE HOST IDENTIFICATION HAS CHANGED' warning must be treated as a possible man-in-the-middle until the change is explained ..

The authenticity of host '[server-2.com]:2222 ([192.168.1.2]:2222)' can't be established.
RSA key fingerprint is 09:fe:ce:27:5e:57:89:7f:1b:29:c1:cc:5f:e9:23:38.
Are you sure you want to continue connecting (yes/no)?

Examples

The file contents are then typically (most defaults omitted):

ssh_config:
# Different Private keys for different servers:
Host server-2.com
   IdentityFile ~/.ssh/SC-key
   Port 2222
   User account-name
Host 192.168.1.3
   PasswordAuthentication yes
Host *
#   RSAAuthentication yes
  PasswordAuthentication no
#   StrictHostKeyChecking ask
  Protocol 2
sshd_config:
# sshd_config for OpenSSH-5.1p1
Protocol 2
#ServerKeyBits 768       # protocol 1 only - no effect with 'Protocol 2'
AuthorizedKeysFile	/.ssh/authorized_keys
PasswordAuthentication no
Compression no
Subsystem	sftp	/root/sshd/sftp-server
Server private key - ssh_host_rsa_key:
  -----BEGIN RSA PRIVATE KEY-----
MIICWgIBAAKBgQDAhw7G8KHK7jz4kvyJE9VVWRCgZoC8AotNITih5Jhjn5sBbndE
..
A5YVOoNhvEbCbFiobrJbTlzPFmbNVsKbjQ7Xu3eA
-----END RSA PRIVATE KEY-----
    ↓ [Public key]
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwIcOxvChyu48+JL8jRPVVVkQoGaAvAKLTSE4oeSYY5+baW53RKGkuKk8UDAS6SiSs+VVvPurH/wx2NX4mnmC1F74XyCQHegLZaT+7FlQ6UUbstBw6uudkBUh92HJLGqBFf565Ni7j5sFOgrwY7PmkWPScQnSZPNxSWw18xD/K48=

The above server Public key matches the first of the three keys in the following client known_hosts.
The second key is for the router and the third key is for server-2.

known_hosts (one entry per line: hostname[,hostname...] keytype base64-key - a host on a non-standard port is stored as '[host]:port'):
server.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwIcOxvChyu48+JL8jRPVVVkQoGaAvAKLTSE4oeSYY5+baW53RKGkuKk8UDAS6SiSs+VVvPurH/wx2NX4mnmC1F74XyCQHegLZaT+7FlQ6UUbstBw6uudkBUh92HJLGqBFf565Ni7j5sFOgrwY7PmkWPScQnSZPNxSWw18xD/K48=
192.168.1.3 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgwCT4WlmWtMAQPgqq0zoepEgvD9szdBSSEUtyv8jVskngwoP0AoIa2QVpK2rgD5olB7XUphDnivMupE5XR75sDIDQKkYYiMLlvOqPvFKW+zqmaVK6zc+ddUjoc2tGl49UHxDczQry/WwKylbft0hqFsSpZOMQRfcex1/CKIRGk77TKOd
[server-2.com]:2222,[192.168.1.2]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArbgp96ySM8vTQulENJh5zMa1w7O0IBVAThQPU+JsijPHPVBMvir6M2QFf8vd+OhL9S7cdaHKutaxMadk0NFRo0uZyELWYhp8F1vry/PhZFDjtolq3haoKEPrhF1Cj5UF8dst6G8ek4ngrdCzYgE+Lg7kZpSsPhcepxQZwaZZWA6wnRy5o3LOGSD3/tQMrSae25r573xjwSvlt2dOvTPyLyLF+g/uYGiAm70KTay4uiR7r7UMllWMe3HswakB1K81xOQMAdKWMJpKu6/QVYtshfpgaSrsblTcnorJXUJUbhuPBERASt2CyhJbMKb+1iZLyVlsPXKa2ifX1epO27NAIQ==
Client private key - id_rsa:
  -----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEArkssJOWlVYwIq/vKgrM/PWZXsaK8HWGJhhEXKijIbxu833F/
..
dFGVD991Xh7zMySTmqOvocGBheQtVsq7IMtMEHS/kdYO1BOKsDc=
-----END RSA PRIVATE KEY-----
    ↓ [Public key]
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArkssJOWlVYwIq/vpgrM/PWZXsaK8HWGJhhEXKijIbxu833F/PaQckizy1fU2dGrlyKdoDxoibCGMex/2AhNdicHotD/abFDK2w/sJ+Dd1jkXvLoGTwjL/DuHl9ErsvrQffFD1K0ztzrSKkF7Dek8cGgQoZkvlaoLY8PWd0gJzCJOHNdoDAV89XQshTlhYJIgty9nMQ48MqGTKnLuW0ExswNi7S4tFFf0Soza4AXjvaDQlYOo1heHHxgYIQfbdxLYNP41ftf45CYmkKiYuRAQcFBnCH+/M6ckFFs86wX/oJC3JBpDk0rthYyTVeKPKTc6q6rdpVnyBBP11wK/0+Zaiw==

The above client Public key matches the key in the following server authorized_keys.
The comment 'user@client' is an identifier for human use which can be added/changed as required.

authorized_keys:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArkssJOWlVYwIq/vpgrM/PWZXsaK8HWGJhhEXKijIbxu833F/PaQckizy1fU2dGrlyKdoDxoibCGMex/2AhNdicHotD/abFDK2w/sJ+Dd1jkXvLoGTwjL/DuHl9ErsvrQffFD1K0ztzrSKkF7Dek8cGgQoZkvlaoLY8PWd0gJzCJOHNdoDAV89XQshTlhYJIgty9nMQ48MqGTKnLuW0ExswNi7S4tFFf0Soza4AXjvaDQlYOo1heHHxgYIQfbdxLYNP41ftf45CYmkKiYuRAQcFBnCH+/M6ckFFs86wX/oJC3JBpDk0rthYyTVeKPKTc6q6rdpVnyBBP11wK/0+Zaiw== user@client
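The fingerprint check behind the first-connection prompt and the known_hosts format are both mechanical enough to show in code. The following is an added Python example, not part of the original page: it parses the three known_hosts entries above (note the '[host]:port' naming for the non-standard port), decodes the ssh-rsa blob into its embedded type string, exponent and modulus, and computes both the legacy MD5 hex fingerprint of the kind in the prompt and the 'SHA256:' form current ssh-keygen prints, so that a fingerprint shown in a prompt can be checked against a copy of the host's public key obtained out of band. Hashed hostnames (HashKnownHosts) are not handled. For real files, 'ssh-keygen -F host' does the lookup and 'ssh-keygen -lf file' the fingerprint.

```python
import base64
import hashlib
import struct

# known_hosts exactly as shown on this page (three entries, one per line).
KNOWN_HOSTS = (
    "server.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwIcOxvChyu48+JL8jRPVVVkQoGaA"
    "vAKLTSE4oeSYY5+baW53RKGkuKk8UDAS6SiSs+VVvPurH/wx2NX4mnmC1F74XyCQ"
    "HegLZaT+7FlQ6UUbstBw6uudkBUh92HJLGqBFf565Ni7j5sFOgrwY7PmkWPScQnS"
    "ZPNxSWw18xD/K48=\n"
    "192.168.1.3 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgwCT4WlmWtMAQPgq"
    "q0zoepEgvD9szdBSSEUtyv8jVskngwoP0AoIa2QVpK2rgD5olB7XUphDnivMupE5"
    "XR75sDIDQKkYYiMLlvOqPvFKW+zqmaVK6zc+ddUjoc2tGl49UHxDczQry/WwKylb"
    "ft0hqFsSpZOMQRfcex1/CKIRGk77TKOd\n"
    "[server-2.com]:2222,[192.168.1.2]:2222 ssh-rsa AAAAB3NzaC1yc2"
    "EAAAABIwAAAQEArbgp96ySM8vTQulENJh5zMa1w7O0IBVAThQPU+JsijPHPVBMvi"
    "r6M2QFf8vd+OhL9S7cdaHKutaxMadk0NFRo0uZyELWYhp8F1vry/PhZFDjtolq3h"
    "aoKEPrhF1Cj5UF8dst6G8ek4ngrdCzYgE+Lg7kZpSsPhcepxQZwaZZWA6wnRy5o3"
    "LOGSD3/tQMrSae25r573xjwSvlt2dOvTPyLyLF+g/uYGiAm70KTay4uiR7r7UMll"
    "WMe3HswakB1K81xOQMAdKWMJpKu6/QVYtshfpgaSrsblTcnorJXUJUbhuPBERASt"
    "2CyhJbMKb+1iZLyVlsPXKa2ifX1epO27NAIQ==\n"
)


def read_string(blob, offset):
    """One SSH 'string' (RFC 4251): 4-byte big-endian length followed by that many bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + length], offset + 4 + length


def parse_rsa_blob(blob):
    """Decode an ssh-rsa public-key blob into (type, e, n). The blob is string 'ssh-rsa',
    mpint e, mpint n - the same bytes the fingerprint is computed over."""
    key_type, off = read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob: %r" % key_type)
    e_bytes, off = read_string(blob, off)
    n_bytes, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the modulus")
    return key_type.decode(), int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def fingerprint_md5(blob):
    """Legacy hex fingerprint, the form in the prompt above and in 'ssh-keygen -l -E md5'."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob):
    """'SHA256:' fingerprint printed by current ssh-keygen -l: base64 without the '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_known_hosts(text):
    """Yield (hostnames, key_type, blob) per entry. Hostnames keep ssh's own naming: a bare
    name for port 22, '[name]:port' otherwise. Hashed names (HashKnownHosts) are not handled."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                    # '@cert-authority' / '@revoked' marker
            line = line.split(None, 1)[1]
        hosts, key_type, b64 = line.split()[:3]
        yield hosts.split(","), key_type, base64.b64decode(b64)


def host_key_for(text, host, port=22):
    """Return (key_type, blob) stored for host:port, or None - what 'ssh-keygen -F' does for real files."""
    name = host if port == 22 else "[%s]:%d" % (host, port)
    for hosts, key_type, blob in parse_known_hosts(text):
        if name in hosts:
            return key_type, blob
    return None


def to_pubkey_line(key_type, blob, comment=""):
    """Format a blob as a one-line public key file entry (ssh_host_rsa_key.pub / authorized_keys)."""
    return ("%s %s %s" % (key_type, base64.b64encode(blob).decode(), comment)).rstrip()


def prompt_matches(pubkey_line, prompted_fingerprint):
    """True only if the fingerprint shown in the 'Are you sure you want to continue' prompt equals
    the fingerprint of a public key obtained out of band (e.g. the server's ssh_host_rsa_key.pub).
    Accepts the bare hex form, the 'MD5:'-prefixed form and the 'SHA256:' form."""
    _, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    wanted = prompted_fingerprint[4:] if prompted_fingerprint.startswith("MD5:") else prompted_fingerprint
    return wanted in (fingerprint_md5(blob), fingerprint_sha256(blob))


if __name__ == "__main__":
    for hosts, key_type, blob in parse_known_hosts(KNOWN_HOSTS):
        _, e, n = parse_rsa_blob(blob)
        print(",".join(hosts), key_type, "%d-bit e=%d" % (n.bit_length(), e),
              fingerprint_md5(blob), fingerprint_sha256(blob))
```

Running it also shows why the page's '-b 768' advice is out of date: the server.com key in the example is 1024 bits, the router's 1040, and only server-2's is 2048, which is the floor today. A lookup for server-2.com on port 22 returns nothing, because ssh files the key under '[server-2.com]:2222'; that is expected, not a missing entry.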