Comments on: SSH Public Key Based Authentication – Howto

By: Daniel

Daniel — Tue, 10 Jan 2012 13:58:39 +0000

Hi all,

Can perhaps anybody give me a hint for the following ssh issue?

I have machine A and machine B. (AIX machines). I’m logged in as root and wants to check/create ssh keys for some users. For example user STAFF1 has ssh keys on machine A but not on machine B I would like to create ssh keys (ssh-keygen -t rsa …)
To check if keys are already there I just would check if id_rsa and id_rsa.pub files are existing in machineb:/home/STAFF1.
The main problem is how to generate keys for / as user STAFF1 on the remote machine? My understanding is that I need to be the user when I create the keys, otherwise I would need to use su in a way that it works on a remote machine like
> ssh machineb ‘su STAFF1; ssh-keygen -t rsa…’ which doesn’t work.
Is there a command where I (as root) can create keys for another user????

I’m looking extreeeeeeeeeemly forward to here something from you :-)

Best regards from Germany,
Daniel

By: Allen Cohen

Allen Cohen — Tue, 12 Jul 2011 01:27:25 +0000

I’ve used your method to ssh without a password for a non-root user, say “user”. This works as long as I’m logged in as “user”.
But if I run as root, the following still asks for “user”‘s password.
i.e.: the following works w/o a password:
su – user
ssh host date
But the following asks to the password of “user”:
su – root
ssh user@host date

By: sakthi

sakthi — Thu, 03 Feb 2011 06:36:19 +0000

WE have a script which tries to scp to the same machine
machine1>> scp -r user@machine1:fromdir todir
As the keys are not inplace it is prompting for password. Is there any way we could automate this part by generating keys?. I would appreciate if you could give me the steps to perform the ssh.

By: Tricky

Tricky — Mon, 03 May 2010 22:39:12 +0000

> > I’m not sure if keychain would work for ssh sessions created by cronjob while you’re not logged in.
> Why not?
Maybe should have been more specific – I’m referring to keys which have a passphrase as these keys cannot be used non-interactively.

I do like the –clear now that you’ve made me aware of it. :)

By: Vivek Gite

Vivek Gite — Mon, 03 May 2010 20:48:51 +0000

> I’m not sure if keychain would work for ssh sessions created by cronjob while you’re not logged in.
Why not? We have live backup server that pulls data from 20 Linux servers using rsnapshots. rsnapshots is called from cronjobs, all you’ve to do is in your backup script:

#!/bin/bash
# get keys for ssh, rsync, rsnapshot
/usr/bin/keychain /root/.ssh/id_dsa
# start backup
rsync source dest...

All my backup server ssh keys are protected and server generally don’t go offline. I’ve the following in /root/.bash_profile

/usr/bin/keychain --clear $HOME/.ssh/id_dsa

The –clear option is very handy as it allows cron job to do password less login but all users including an intruder must provide a passphrase-key for interactive login.

HTH

By: Tricky

Tricky — Mon, 03 May 2010 20:24:11 +0000

I’m not sure if keychain would work for ssh sessions created by cronjob while you’re not logged in. A passphraseless key would work in that case except that passphraseless keys are not so good. What you could do is limit a separate passphraseless key to only be able to execute a single command:

Add a separate key to the authorized_keys file but start the line of the key with the command that will be run remotely. For example if you want to remotely execute a script called /usr/local/bin/cronjob1, put the key in as:
command=”/usr/local/bin/cronjob1″ ssh-rsa AF899EDC23…..rest-of-key…..A3C== cronjob_description@my-desktop

Then in the cronjob, ensure that the ssh session specifies that you want to use a non-default ssh key with “-i”:
0 22 * * * /usr/bin/ssh -i /home/user/.ssh/cronjob1id_rsa user@server “/usr/local/bin/cronjob1″

When the new key is used, the server will always execute the cronjob1 script even if you specify a different command. This can be useful in other ways however I think this is getting towards tutorial territory. ;)

By: Vivek Gite

Vivek Gite — Mon, 03 May 2010 09:19:13 +0000

Try keychain

By: Barun

Barun — Sat, 01 May 2010 19:14:37 +0000

Hi Vivek,

Is there any way to skip typing in the passphrase while login through ssh? For example, some cron jobs run daily, which open ssh sessions to remote machines to do something. Even to have ‘ssh-add’ executed, we need to provide the passphrase.

~ Barun.

By: Tricky

Tricky — Sat, 09 Jan 2010 15:04:24 +0000

Hi crazyswap

Try running a tcptraceroute (http://en.wikipedia.org/wiki/Tcptraceroute) to your server to confirm that the problem is not the network:
tcptraceroute server.name.or.ip 22

You may need to install tcptraceroute.

If tcptraceroute fails only on the last step then it is likely that the ssh service is not running on the server. If your server is under paid hosting, contact your hosting provider to find out what the cause is.

By: crazyswap

crazyswap — Sat, 09 Jan 2010 08:26:01 +0000

I can’t log into my server,it shows network error:connection time out.kindly help.

By: Tricky

Tricky — Thu, 22 Oct 2009 12:46:28 +0000

Hi Wanga

Likely you have not got the ssh daemon running on the computer you want to connect to, though there could be many other reasons it is not working. Could you paste any error messages you might be getting when you try to connect?

By: Wanga

Wanga — Thu, 22 Oct 2009 09:55:14 +0000

Am not able to login into another computer even after installing ssh on both computers.
It tells me the permission denied ,please try again and when i try again it doesnt log in.
And yet other people are able to use ssh comfortably. My computer is also uptodate

By: Vivek Gite

Vivek Gite — Wed, 09 Sep 2009 04:30:31 +0000

@Sreekar,

Thanks for feedback!

I’m glad to know this site helped you to understand Linux and shell scripting.

By: sreekar

sreekar — Tue, 08 Sep 2009 19:05:22 +0000

sir,
your article is very educational. i also referred your tutorial on shell scripting. The way you write in simple language makes a difficult concept also understandable. I think this is a trait of all Indian writers.

thank you for the good work

sincerely,
sreekar

By: Rajesh

Rajesh — Fri, 12 Jun 2009 06:28:52 +0000

HI Vivek,

Your article on SSH is very nice. It very helpfull for us.

Keep doing the great work

Regards,
Rajesh

By: hari

hari — Fri, 29 May 2009 07:49:16 +0000

Hi,

Please run # passwd -d login_name for each user and
then check.

regards
hari

By: sandip

sandip — Thu, 23 Apr 2009 07:04:05 +0000

hi
i hav did as u mentioned abow but it wont work it is asking for the passwd

By: Tricky

Tricky — Wed, 15 Apr 2009 18:13:05 +0000

Lol. Came back here to figure out how I did that thing ^^ before. :D

… and realised I hadn’t explained properly:
the authorized_keys2 file can contain multiple keys. By using scp, you might overwrite any previously-placed keys with a single key. By appending (using the >>) you specifically add your key to the end of the authorized_keys2 file and you won’t lose any previous keys.

By: Brendan

Brendan — Sat, 18 Oct 2008 12:51:30 +0000

Regarding using scp to copy is_rsa.pub into authorized_keys2, I don’t believe this to be a good idea if there is any chance that you need more than one user or public key to have access to the server.

In this case, rather do the following:
ssh vivek@rh9linux.nixcraft.org “cat >> .ssh/authorized_keys2″ < .ssh/id_rsa.pub

This will pipe the public key through the ssh session and append it to the existing file if it exists. Otherwise it will create the file with the contents of your id_rsa.pub

By: Shankar

Shankar — Wed, 17 Sep 2008 16:39:25 +0000

Hi Vivek,

In your step 3 as below. It will prompt for the password of user vivek on rh9linux.nixcraft.org to complete the copying of the public key.

$ scp .ssh/id_rsa.pub vivek@rh9linux.nixcraft.org:.ssh/authorized_keys2

Is there any method by which I can pass this value non-interactively.

Thanks
Shankar