Manually configuring and passwordless ssh


Manually configuring and passwordless ssh
Prev	Appendix E. Configuring the secure shell or the remote shell for communications	Next

The ssh program enables you to log into and execute commands on a remote system. ssh enables encrypted communications and an authentication process between two untrusted hosts over an insecure network.

In this procedure, you first create a DSA key pair. From the key pair, you append the public key from the source system to the authorized_keys file on the target systems.

Figure: Creating the DSA key pair and appending it to target systems illustrates this procedure.

Figure: Creating the DSA key pair and appending it to target systems

Read the ssh documentation and online manual pages before enabling ssh. Contact your operating system support provider for issues regarding ssh configuration.

Visit the OpenSSH website that is located at: http://openssh.org to access online manuals and other resources.

To create the DSA key pair

On the source system (system1), log in as root, and navigate to the root directory.
```
system1 # cd /
```
To generate a DSA key pair on the source system, type the following command:
```
system1 # ssh-keygen -t dsa
```
System output similar to the following is displayed:
```
Generating public/private dsa key pair.
Enter file in which to save the key (//.ssh/id_dsa):
```
Press Enter to accept the default location of /.ssh/id_dsa.
When the program asks you to enter the passphrase, press the Enter key twice.
```
Enter passphrase (empty for no passphrase):
```
Do not enter a passphrase. Press Enter.
```
Enter same passphrase again:
```
Press Enter again.
Make sure the /.ssh directory is on all the target installation systems (system2 in this example). If that directory is not present, create it on all the target systems and set the write permission to root only:
```
system2 # mkdir /.ssh
```
Change the permissions of this directory, to secure it.
```
system2 # chmod go-w /.ssh
```

To append the public key from the source system to the authorized_keys file on the target system, using secure file transfer

Make sure the secure file transfer program (SFTP) is enabled on all the target installation systems (system2 in this example).
To enable SFTP, the /etc/ssh/sshd_config file must contain the following two lines:
```
PermitRootLogin           yes
  Subsystem          sftp      /usr/lib/ssh/sftp-server
```
If the lines are not there, add them and restart ssh.
To restart ssh on Solaris 10, type the following command:
```
system1 # svcadm restart ssh
```
From the source system (system1), move the public key to a temporary file on the target system (system2).
Use the secure file transfer program.

In this example, the file name id_dsa.pub in the root directory is the name for the temporary file for the public key.

Use the following command for secure file transfer:
```
system1 # sftp system2
```
If the secure file transfer is set up for the first time on this system, output similar to the following lines is displayed:
```
Connecting to system2 ...
The authenticity of host 'system2 (10.182.00.00)' 
can't be established. DSA key fingerprint is
fb:6f:9f:61:91:9d:44:6b:87:86:ef:68:a6:fd:88:7d.
Are you sure you want to continue connecting (yes/no)?
```

Enter yes.

Output similar to the following is displayed:

Warning: Permanently added 'system2,10.182.00.00' 
(DSA) to the list of known hosts.
root@system2 password:

Enter the root password of system2.
At the sftp prompt, type the following command:
```
sftp> put /.ssh/id_dsa.pub
```
The following output is displayed:
```
Uploading /.ssh/id_dsa.pub to /id_dsa.pub
```
To quit the SFTP session, type the following command:
```
sftp> quit
```
To begin the ssh session on the target system (system2 in this example), type the following command on system1:
```
system1 # ssh system2
```
Enter the root password of system2 at the prompt:
```
password:
```
After you log in to system2, enter the following command to append the id_dsa.pub file to the authorized_keys file:
```
system2 # cat /id_dsa.pub >> /.ssh/authorized_keys
```
After the id_dsa.pub public key file is copied to the target system (system2), and added to the authorized keys file, delete it. To delete the id_dsa.pub public key file, enter the following command on system2:
```
system2 # rm /id_dsa.pub
```
To log out of the ssh session, enter the following command:
```
system2 # exit
```
When you install from a source system that is also an installation target, also add the local system id_dsa.pub key to the local authorized_keys file. The installation can fail if the installation source system is not authenticated.
To add the local system id_dsa.pub key to the local authorized_keys file, enter the following command:
```
system1 # cat /.ssh/id_dsa.pub >> /.ssh/authorized_keys
```
Run the following commands on the source installation system. If your ssh session has expired or terminated, you can also run these commands to renew the session. These commands bring the private key into the shell environment and make the key globally available to the user root:
```
system1 # exec /usr/bin/ssh-agent $SHELL
system1 # ssh-add
```
```
  Identity added: //.ssh/id_dsa
```
This shell-specific step is valid only while the shell is active. You must execute the procedure again if you close the shell during the session.

To verify that you can connect to a target system

On the source system (system1), enter the following command:
```
system1 # ssh -l root system2 uname -a
```
where system2 is the name of the target system.
The command should execute from the source system (system1) to the target system (system2) without the system requesting a passphrase or password.
Repeat this procedure for each target system.

Prev	Up	Next
About configuring secure shell or remote shell communication modes before installing products	Home	Restarting the ssh session