HowTo enable SSH/SCP via Key Authentication                                    


Pete Nesbitt
June 2002


This document is intended as a guide to using Key Authentication, enabling secure 
remote system access without user intervention. This process can be used to allow 
scripts to interact seamlessly with remote systems.


Assumptions:
-both systems run OpenSSH with compatible version numbers. (or both commercial SSH)
-both systems have a user "backup" (or whatever, but it must be the same UserName 
on both systems)
-this document is based on an implimentation involving a Windows server, a Linux 
host and a Solaris host. All 3 systems are using OpenSSH 3.1 (or 3.1p1) and all 3 
have a user named "backup".

Important:
-It is possible to have both OpenSSH and the commercial version installed on the 
same system, allowing interaction with servers using either solution. If both OpenSSH 
& SSH (commercial) are present you MUST fully qualify the paths to the ssh realated 
utilities when at the prompt or writting scripts. (scp, ssh-keygen, sftp...) The keys 
generated by Open vs com SSH are in different formats and will not authenticate each 
other. OpenSSH can be forced to make commercial style keys but commercial SSH will 
not create OpenSSH style keys.

On the local host:
1) As the user backup, generate a new key set with no password:
"ssh-keygen -t dsa"
  -when prompted for a passphrase or password, just hit enter.
  -The lack of a password or pass phrase can cause some concern and it is questionable 
if this should be used outside the trusted environment. This does not effect any 
ssh/scp based communication with other servers although the same public key could be 
placed on numerous machines allowing seamless interaction via either ssh or scp. At 
this point we should restrict ourselves to systems within our network.

On the remote host:
1) If the server is a Windows box, the user must be "set up" to work with ssh. That 
requires adding them to the ssh password file, which is equiv to a Unix /etc/passwd. 
From the '/ssh' dir inside the ssh install dir, run:
"mkpasswd -l -u <username> ..\etc\passwd"
This only needs to be done once, not for each host that is using the "backup" user 
on the server.

2) Copy the resulting public key from the client (typically 
 /home/backup/.ssh2/id_dsa.pub) to the remote target system.

The file can be transfered via scp, ftp or even floppy transfer, but if you use 
floppy make sure there are no line returns in the resulting key, as they can cause 
problems between dis-similar systems (use text-pad or notepad or vi or...to edit 
the key file).

If the authentication file exists, just append to it, if not create the file and 
copy the key into it.
The authentication file on the remote server will be named:
	-on a remote Unix/Linux box it will be in /home/backup/.ssh2/authorized_keys 
file. (or /export/home...)
	-on a remote Windows box, find the .ssh file (on my install it was in 
"C:/Program Files/NetworkSimplicity/ssh/.ssh" and create or append the 
"authorized_keys" file (not authorized_keys2).

3) On a Windows server it is a good idea to stop/start the ssh daemon, although I am 
not sure it is actually necessary.

Notes:
1) For some reason using:
"scp filename  backup@remotehost:/dir/"
does not work. You must be logged in as "backup" or "su -" to the same user as the key 
was generated for. This may require further research as it severly hampers usability.

2) When checking the vendor of SSH use:
"ssh -V"
The output will be similar to either:

OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f  (this is the Open SSH)
or
ssh2: SSH Secure Shell 3.1.2 (non-commercial version) on i686-pc-linux-gnu (this is the 
commercial version but it says non-commercial because of our institution type and the 
license plan)

3) The client only needs to create one key set. After that the clients "Public Key" may 
be placed on any server. The server's key authentication file, for any particular user, 
can contain public keys from an number of machines which access it as that user.

Resources:
www.ssh.com  (Commercial SSH)
www.openssh.org  (Open SSH)
www.networksimplicity.com/openssh/  (the site for Windows OpenSSH server)