Differences between version 7 and version 6 of AuthorizedKeysFile.
Newer page: version 7, last edited on Monday, September 1, 2003 12:27:13 am by AristotlePagaltzis
Older page: version 6, last edited on Tuesday, May 27, 2003 12:33:19 pm by JohnMcPherson
@@ -1,39 +1,23 @@
-Used for Public/Private
key authentication by the ssh(1) client.
+!!! Generating
key pairs
-place your public key in the AuthorizedKeysFile in ~/.ssh and provided you have
ssh-agent
(1) setup correctly you shouldn't have to type in your password/keyphrase much
.
+This is what
ssh-keygen
(1) is for. Use a SSH2 key if at all possible
.
-for ssh1 keys place it in
- ~/.
ssh/authorized_keys
+ ssh-keygen -t dsa
+ # or
+ ssh-keygen -t rsa
-for ssh2
keys place it in
- ~/.ssh/authorized_keys2
+!!! Distributing public
keys
-Make sure these file are owned by
the owner (especially
not root), and their
permissions are no
more than 600
. Also make sure that ~
/.ssh is
no more than 700, or ssh will complain
and ignore
these files as being potentially unreliable
.
(unfortunately it doesn't tell
you it's complaining
, it just puts it into
syslogd(8).
+You need a __.ssh__ directory in your home on
the remote machine. This directory must
not have
permissions set to
more than 700
. Depending on whether you're using SSH1 or SSH2, keys go into __.ssh
/authorized_keys__ or __
.ssh/authorized_keys2__, respectively, which must have its permissions set to
no more than __0600__. Obviously the directoriy
and these files must be owned by the user they belong to
. If the permissions are wrong, [SSH] will refuse to read them
(without telling
you, unfortunately -
it only cries to
syslogd(8)). [Debian] provides a ssh-copy-id(1) program which does all this automagically
. Just say
-Under debian, theres a ssh-copy-id(1) program which does all this automagically, it's easy to use:
ssh-copy-id ''hostname''
-and it's all setup!
-----
-To generate a
key use ssh-keygen(1). If you can, you want
to use a ssh2 key. This can be generated with:
- ssh-keygen -t dsa
-or
- ssh-keygen -t rsa
-(depending on what type of key you want)
-
-then use
- ssh-copy-id ''hostname''
-and ya done.
+!!! Limit
key use to certain machines
-----
-! Limit key use to certain machines
-
You can tell sshd (the server side
) to only
allow keys
to be used from specified host names. In
front of the
key in the .
authorized_keys file,
-you can put a list of globs
. Eg:
- from="*.com,localhost" ssh-dss XXXX....base64..keyid....= username@host
-will only allow this key to be used from localhost and .coms.
+You can tell sshd(8
) to allow a certain key
to be used only by certain hosts by putting the __
from__ keyword with a list of globs in
front of a
key in __
authorized_keys__
. Eg:
-You can also prefix a glob with a ! to negate it
.
+ from="*
.example.com,localhost" ssh-dss XXXX....base64..keyid....= username@host
-There are lots of other options, which are documented
in the man page linked
to below
.
+This will only allow this key to be used from __localhost__ and hosts
in the __.example.com__ domain. You can also prefix a glob with a !
to negate it
.
-See also
sshd(8)
+There are lots of other options documented in the
sshd(8) manpage.
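Review bot: the rewritten "Distributing public keys" paragraph (the `+` lines reading "Depending on whether you're using SSH1 or SSH2, keys go into __.ssh/authorized_keys__ or __.ssh/authorized_keys2__, respectively") keeps the old protocol-based file split and never mentions the sshd_config directive this page is named after; since OpenSSH 3.0 the default `AuthorizedKeysFile` is `.ssh/authorized_keys` for both protocol versions and `authorized_keys2` is only read for backwards compatibility, so the advice should be to put every key in `authorized_keys` unless the server's sshd_config says otherwise. Two smaller points in the same hunk: the permissions text ("This directory must not have permissions set to more than 700 ... no more than __0600__") should add that sshd, with `StrictModes` left at its default of yes, also rejects the keys when the user's home directory itself is group- or world-writable, not only `.ssh` and the key file, which is a common cause of the silent failure the paragraph describes; and the `from="*.example.com,localhost"` example should say that the pattern is matched against the client's canonical (reverse-resolved) hostname or its IP address, so it is only as strong as the server's DNS, and that a pattern list made only of `!` entries allows nothing, because a negated match never produces a positive result by itself (a trailing `*` is needed to make `from="!host1,*"` admit the other hosts).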