Steps documented in this post were performed using two Solaris 8 machines (SUN1 and SUN2), but the same technique could be applied to other Unix varieties.
This process lets you log in from one computer to another without being prompted for a password, and do it in a secure fashion.
On the Client computer, SUN1:
Generate a private and public key pair to be used for authentication; the ssh-keygen session looks like this:
Generating public/private rsa key pair.
Enter file in which to save the key (/export/home/tim/.ssh/id_rsa):
Created directory '/export/home/tim/.ssh'.
Enter passphrase (empty for no passphrase): *****
Enter same passphrase again: *****
Your identification has been saved in /export/home/tim/.ssh/id_rsa.
Your public key has been saved in /export/home/tim/.ssh/id_rsa.pub.
The key fingerprint is:
45:d0:39:3e:24:9a:50:d6:f8:49:f9:da:46:1a:49:60 tim@SUN1
In the /etc/ssh_config file, make sure the following lines are uncommented.
<content omitted>
RSAAuthentication yes
PubkeyAuthentication yes
IdentityFile ~/.ssh/id_rsa
<content omitted>
Copy the /export/home/tim/.ssh/id_rsa file generated earlier to each user's home directory as ~/.ssh/id_rsa. This is the key that will be presented to the remote host "SUN2" when the ssh client connects; it is the file named by "IdentityFile" in ssh_config. The permissions on this file must be 600.
On the Host Computer, SUN2:
Log on to the remote host, edit the /usr/local/etc/sshd_config file, and make sure the following lines are uncommented:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Make the running sshd daemon re-read its configuration (sshd reloads sshd_config when it receives a SIGHUP) so the changes take effect.
Copy the /export/home/tim/.ssh/id_rsa.pub file generated earlier on the client machine to the remote host's /export/home/tim/.ssh/authorized_keys file.
/export/home/tim $ /usr/local/bin/scp tim@sun1:.ssh/id_rsa.pub .ssh/authorized_keys
Warning: Permanently added 'sun1,10.X.X.X' (RSA) to the list of known hosts.
tim@sun1's password: *******
id_rsa 100% 887 0.9KB/s 00:00
That is it. The client computer, SUN1 should now be able to login to the host, SUN2, without being prompted for the password.
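A quick sanity check for the setup above, added here as an example and not part of the original post: sshd (with its default StrictModes) silently ignores keys whose files or directories are readable or writable by other users, so a login that still prompts for a password is usually a permission or copy mistake rather than a configuration one. The script assumes the account's home directory is passed as its argument and that ls -l prints the usual symbolic mode string; all paths in the usage comment are the post's own.

```sh
#!/bin/sh
# Checks the client and server side of an OpenSSH public-key setup:
# ~/.ssh must be 700, the private key 600, authorized_keys 600 or 644,
# and the client's public key must actually be present in authorized_keys.

# mode_of FILE -> prints the symbolic mode string, e.g. -rw-------
# (works on Solaris and Linux; cut drops any trailing ACL/SELinux marker)
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# check_mode FILE EXPECTED... -> 0 if FILE's mode is one of EXPECTED
check_mode() {
    f=$1; shift
    m=$(mode_of "$f")
    for want in "$@"; do
        [ "$m" = "$want" ] && return 0
    done
    echo "BAD  $f is '$m', expected one of: $*" >&2
    return 1
}

# check_client_keys HOME -> verifies ~/.ssh and the private key on SUN1
check_client_keys() {
    d="$1/.ssh"
    check_mode "$d" "drwx------" &&
    check_mode "$d/id_rsa" "-rw-------"
}

# key_authorized PUBKEY AUTHKEYS -> 0 if the key material from PUBKEY
# (second whitespace-separated field) appears in AUTHKEYS
key_authorized() {
    blob=$(awk '{print $2}' "$1")
    [ -n "$blob" ] && grep -F -q -- "$blob" "$2"
}

# check_server_keys HOME PUBKEY -> verifies authorized_keys on SUN2 and
# that it holds the client's public key
check_server_keys() {
    d="$1/.ssh"
    check_mode "$d" "drwx------" &&
    check_mode "$d/authorized_keys" "-rw-------" "-rw-r--r--" &&
    key_authorized "$2" "$d/authorized_keys"
}

# Usage (constructed): on SUN1   check_client_keys /export/home/tim
# on SUN2, with the client's id_rsa.pub copied over:
#   check_server_keys /export/home/tim /export/home/tim/.ssh/id_rsa.pub
```

Note that the scp command in the step above overwrites any existing authorized_keys; the key_authorized check also confirms the key survived the copy.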
Debugging.
To debug the client, run ssh with its verbose flags (-v, or -vv for the debug2 lines shown here):
OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Applying options for sunsales
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to sunsales [10.14.54.21] port 22.
debug1: Connection established.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /export/home/d3000/.ssh/id_rsa type 1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
<content omitted>
To debug the server side, uncomment the following line in /usr/local/etc/sshd_config:
LogLevel DEBUG
The debug output will be logged to /var/log/authlog.