On Mon, Oct 30, 2000 at 01:40:29PM +0100, Markus Friedl wrote:
> On Sun, Oct 29, 2000 at 01:31:19PM -0700, Charles Curley wrote:
> > On Fri, Oct 27, 2000 at 07:27:26PM -0700, Erick Mechler wrote:
> > > id_dsa is the default name of the dsa key (used for ssh v2). If you tell
> > > openssh not to use v2, then ssh will use $HOME/.ssh/identity{.pub}.
> > > If you use v2, then it looks for $HOME/.ssh/id_dsa{.pub}. To create a
> > > dsa keypair, do "ssh-keygen -d".
> >
> > I generated key pairs on both machines, and could not get it to work.
>
> you don't need to generate key pairs on _both_ machines.

Right. Apparently I was confused as to who had to have keys.

These are the files you have to have on the server, i.e. the machine you
want to log into:

    root@server # pwd ; ll
    /root/.ssh
    total 3
    drwxr-xr-- 2 root root 1024 Oct 30 10:50 .
    drwxr-x--- 7 root root 1024 Oct 30 10:47 ..
    -rw-r--r-- 1 root root 603 Oct 30 10:20 authorized_keys2

On the client machine, the one you want to log in from, you need:

    root@charlesc # pwd ; ll
    /root/.ssh
    total 12
    drwxr-xr-- 2 root root 1024 Oct 30 10:49 .
    drwxr-x--- 32 root root 4096 Oct 30 10:50 ..
    -rw------- 1 root root 13 Oct 27 08:03 config
    -rw------- 1 root root 668 Oct 29 12:40 id_dsa
    -rw------- 1 root root 603 Oct 29 12:40 id_dsa.pub
    -rw------- 1 root root 528 Oct 27 08:21 identity
    -rw------- 1 root root 332 Oct 27 08:21 identity.pub
    -rw------- 1 root root 669 Oct 28 21:00 known_hosts
    -rw------- 1 root root 609 Oct 27 08:04 known_hosts2

I have experimented with an ssh2 only setup. If you don't need ssh1, you
can get rid of known_hosts and the two identity files. I suspect that they
are harmless, but to use an ancient Chinese aphorism I coined several
months ago, if it isn't there, it can't be cracked.

>
> you have to copy the private key file ($HOME/.ssh/identity,
> $HOME/.ssh/id_dsa) to the client machine and append the public key
> file ($HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub) on the server
> machine to $HOME/.ssh/authorized_keys and $HOME/.ssh/authorized_keys2
> respectively.

That appears to work. Two more things you may have to do, depending on
your umasks, are:

on the client:

    chmod 600 *

on the server:

    chmod 644 authorized_keys*

--
-- C^2
No windows were crashed in the making of this email.
Looking for fine software and/or web pages?
http://w3.trib.com/~ccurley
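
Added example, not part of the original message: a POSIX shell check for the permission rules this thread ends on. It assumes OpenSSH's usual behaviour (the client refuses private keys accessible to group/other; sshd with StrictModes refuses an authorized_keys file or .ssh directory writable by group/other). The function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an ~/.ssh directory for the permission problems
# discussed in the thread. Function names are illustrative, not OpenSSH's.

# perm_of PATH: print octal permission bits (GNU stat, then BSD stat).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# check PATH MASK REASON: report PATH if any permission bit in MASK is set.
check() {
    mode=$(perm_of "$1") || return 0
    if [ $(( 0$mode & $2 )) -ne 0 ]; then
        echo "$1: mode $mode, $3"
        return 1
    fi
    return 0
}

# audit_ssh_dir DIR: one line per finding; exit status 1 if anything found.
audit_ssh_dir() {
    dir=$1
    rc=0
    check "$dir" 022 "directory writable by group/other" || rc=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            *.pub) ;;   # public halves may be world-readable
            identity|id_*)
                check "$f" 077 "private key accessible by group/other" || rc=1 ;;
            authorized_keys*)
                check "$f" 022 "writable by group/other" || rc=1 ;;
        esac
    done
    return $rc
}
```

Run it as `audit_ssh_dir "$HOME/.ssh"` on both client and server; the modes shown in the listings above (600 private keys, 644 authorized_keys2, 754 directory) pass.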