HowTo enable SSH/SCP via Key Authentication
Pete Nesbitt
June 2002

This document is intended as a guide to using Key Authentication, enabling secure remote system access without user intervention. This process can be used to allow scripts to interact seamlessly with remote systems.

Assumptions:
-both systems run OpenSSH with compatible version numbers (or both run commercial SSH).
-both systems have a user "backup" (or whatever, but it must be the same UserName on both systems).
-this document is based on an implementation involving a Windows server, a Linux host and a Solaris host. All 3 systems are using OpenSSH 3.1 (or 3.1p1) and all 3 have a user named "backup".

Important:
-It is possible to have both OpenSSH and the commercial version installed on the same system, allowing interaction with servers using either solution. If both OpenSSH & SSH (commercial) are present you MUST fully qualify the paths to the ssh related utilities when at the prompt or writing scripts (scp, ssh-keygen, sftp...). The keys generated by OpenSSH vs commercial SSH are in different formats and will not authenticate each other. OpenSSH can be forced to make commercial style keys, but commercial SSH will not create OpenSSH style keys.

On the local host:

1) As the user backup, generate a new key set with no password:
   "ssh-keygen -t dsa"
-when prompted for a passphrase or password, just hit enter.
-The lack of a password or passphrase can cause some concern and it is questionable if this should be used outside the trusted environment. This does not affect any ssh/scp based communication with other servers, although the same public key could be placed on numerous machines allowing seamless interaction via either ssh or scp. At this point we should restrict ourselves to systems within our network.

On the remote host:

1) If the server is a Windows box, the user must be "set up" to work with ssh. That requires adding them to the ssh password file, which is equivalent to a Unix /etc/passwd. From the '/ssh' dir inside the ssh install dir, run:
   "mkpasswd -l -u <username> ..\etc\passwd"
This only needs to be done once, not for each host that is using the "backup" user on the server.

2) Copy the resulting public key from the client (typically /home/backup/.ssh2/id_dsa.pub) to the remote target system. The file can be transferred via scp, ftp or even floppy, but if you use floppy make sure there are no line returns in the resulting key, as they can cause problems between dissimilar systems (use TextPad or Notepad or vi or... to edit the key file). If the authentication file exists, just append to it; if not, create the file and copy the key into it. The authentication file on the remote server will be named:
-on a remote Unix/Linux box it will be the /home/backup/.ssh2/authorized_keys file (or /export/home...).
-on a remote Windows box, find the .ssh directory (on my install it was in "C:/Program Files/NetworkSimplicity/ssh/.ssh") and create or append the "authorized_keys" file (not authorized_keys2).

3) On a Windows server it is a good idea to stop/start the ssh daemon, although I am not sure it is actually necessary.

Notes:

1) For some reason using:
   "scp filename backup@remotehost:/dir/"
does not work. You must be logged in as "backup" or "su -" to the same user as the key was generated for. This may require further research as it severely hampers usability.

2) When checking the vendor of SSH use:
   "ssh -V"
The output will be similar to either:
   OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
(this is OpenSSH) or
   ssh2: SSH Secure Shell 3.1.2 (non-commercial version) on i686-pc-linux-gnu
(this is the commercial version, but it says non-commercial because of our institution type and the license plan)

3) The client only needs to create one key set. After that the client's "Public Key" may be placed on any server. The server's key authentication file, for any particular user, can contain public keys from any number of machines which access it as that user.

Resources:
www.ssh.com (Commercial SSH)
www.openssh.org (Open SSH)
www.networksimplicity.com/openssh/ (the site for Windows OpenSSH server)
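Step 2 on the remote host (create or append the authorized_keys file, with no stray line returns in the key) as an added example, not part of the original HowTo: a POSIX sh helper that strips carriage returns from a copied public key, creates the authorized_keys file with owner-only permissions if it is missing, and appends the key only if it is not already there. The function names, the file paths and the sample key are assumptions; the key is constructed and not a real key.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS
# Adds the one-line public key in PUBKEY_FILE to AUTHORIZED_KEYS (hypothetical
# helper, not from the HowTo). Carriage returns picked up on a Windows box or a
# floppy are dropped, the file is created 0600 if missing, and a key that is
# already present is not added again, so re-running the step is harmless.
install_pubkey() {
    pubkey_file=$1
    auth_file=$2

    # Normalise: strip CRs and keep the first non-blank line as the key.
    key=$(tr -d '\r' < "$pubkey_file" | grep -v '^[[:space:]]*$' | head -n 1)
    if [ -z "$key" ]; then
        echo "no key found in $pubkey_file" >&2
        return 1
    fi

    # Create the file with owner-only permissions if it does not exist yet.
    if [ ! -f "$auth_file" ]; then
        ( umask 077; : > "$auth_file" )
    fi
    chmod 600 "$auth_file"

    # Whole-line, fixed-string match so a prefix of another key does not count.
    if tr -d '\r' < "$auth_file" | grep -Fqx -- "$key"; then
        echo "key already present in $auth_file"
        return 0
    fi
    printf '%s\n' "$key" >> "$auth_file"
    echo "key added to $auth_file"
}

# count_key PUBKEY_FILE AUTHORIZED_KEYS: number of times the key occurs.
count_key() {
    key=$(tr -d '\r' < "$1" | grep -v '^[[:space:]]*$' | head -n 1)
    tr -d '\r' < "$2" | grep -Fcx -- "$key" || true
}

# Demo on a constructed key (not a real key) with CRLF line endings.
demo_dir=$(mktemp -d)
printf 'ssh-dss AAAAB3NzaC1kc3MAAAEXAMPLE backup@client\r\n' > "$demo_dir/id_dsa.pub"
install_pubkey "$demo_dir/id_dsa.pub" "$demo_dir/authorized_keys"
install_pubkey "$demo_dir/id_dsa.pub" "$demo_dir/authorized_keys"
echo "occurrences: $(count_key "$demo_dir/id_dsa.pub" "$demo_dir/authorized_keys")"
rm -rf "$demo_dir"
```

Running the demo twice against the same file leaves exactly one copy of the key and no carriage returns, which is the state the HowTo asks for before the remote sshd will accept the key.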