SSH-KEYs can be very important when set up between 2 trusted servers especially if you wish to automate some processes between the servers using scripts (ksh, bash, tcsh). In this way, it makes it easy to write a script to login back and forth between the two servers without worrying on how you can pass on the passwords. This is secure because you don’t print passwords in your scripts.
SSH-KEYs have on several occasions helped me in writing backup scripts, server health check scripts, server process automation and other fancy stuff that can be achieved in bash/ksh/tcsh scripting. At the end of this tutorial, you should be able to successfully setup SSH-KEYs between two trusted servers; Server1 and Server2. Once SSH-KEYs have been successfully setup, you should be able to connect from Server1 to server2 in just one line of command without need for a password. Good luck
Challenge:
Server1 has a user “josh” who wishes to setup SSH-KEYs with a user “bob” on Server2
Step 1: Check Connectivity between the Servers
Make sure that server1 can communicate to server2 at the IP level, also make sure that SSH is running on both servers and that you can successfully SSH from server1 to server2.
#ping “server2_ip_address” e.g. #ping 192.168.10.2
#ssh bob@“server2_ip_address” e.g. #ssh bob@192.168.10.2
If it’s the first time you are connecting to server2 through SSH, you might get something like this; just answer yes and ENTER.
Output:
The authenticity of host '192.168.10.2 (192.168.10.2)' can't be established.
RSA key fingerprint is 0d:60:aa:ad:91:a7:c6:ae:5d:f7:ae:21:60:82:81:9d.
Are you sure you want to continue connecting (yes/no)?
Step 2: Start keygen process
josh@server1:~> ssh-keygen -t dsa
Output:
Generating public/private dsa key pair.
Enter file in which to save the key (/export/home/josh/.ssh/id_dsa):
Created directory '/export/home/josh/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /export/home/josh/.ssh/id_dsa
Your public key has been saved in /export/home/josh/.ssh/id_dsa.pub
The key fingerprint is:
f0:8e:31:ab:e2:9a:02:4d:77:f5:44:23:ae:23:85:b6 josh@server1
Step 3: Check SSH-AGENT
josh@server1:~> ssh-agent
Output:
SSH_AUTH_SOCK=/tmp/ssh-XX1RcNaX/agent.31740; export SSH_AUTH_SOCK;
SSH_AGENT_PID=31741; export SSH_AGENT_PID;
echo Agent pid 31741;
josh@server1:~> SSH_AUTH_SOCK=/tmp/ssh-XX1RcNaX/agent.31740; export SSH_AUTH_SOCK;
josh@server1:~> SSH_AGENT_PID=31741; export SSH_AGENT_PID;
josh@server1:~> echo Agent pid 31741;
Output:
Agent pid 31741
Step 4: SSH-ADD
josh@server1:~> ssh-add /export/home/josh/.ssh/id_dsa
Output:
Enter passphrase for /home/jimbo/.ssh/id_dsa1:
Identity added: /export/home/josh/.ssh/id_dsa (/export/home/josh/.ssh/id_dsa)
Step 5: Making sure server1 is in the list of known hosts on Server2
when you ssh into server2 from server1 the first time, server2 adds the IP address of server1 in a file called known_hosts, so the second time you login, server2 should straight away prompt you for a password without doubting the authenticity of server1!
so try to ssh into server2 from server1, login and exit.
josh@server1:~> ssh bob@server2
Output:
bob@server2's password:
Last login: Tue Nov 25 06:22:11 2010 from josh
Have a lot of fun...
bob@server2:~> exit
Challenge:
Server1 has a user “josh” who wishes to setup SSH-KEYs with a user “bob” on Server2
Step 1: Check Connectivity between the Servers
Make sure that server1 can communicate to server2 at the IP level, also make sure that SSH is running on both servers and that you can successfully SSH from server1 to server2.
#ping “server2_ip_address” e.g. #ping 192.168.10.2
#ssh bob@“server2_ip_address” e.g. #ssh bob@192.168.10.2
If it’s the first time you are connecting to server2 through SSH, you might get something like this; just answer yes and ENTER.
Output:
The authenticity of host '192.168.10.2 (192.168.10.2)' can't be established.
RSA key fingerprint is 0d:60:aa:ad:91:a7:c6:ae:5d:f7:ae:21:60:82:81:9d.
Are you sure you want to continue connecting (yes/no)?
Step 2: Start keygen process
josh@server1:~> ssh-keygen -t dsa
Output:
Generating public/private dsa key pair.
Enter file in which to save the key (/export/home/josh/.ssh/id_dsa):
Created directory '/export/home/josh/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /export/home/josh/.ssh/id_dsa
Your public key has been saved in /export/home/josh/.ssh/id_dsa.pub
The key fingerprint is:
f0:8e:31:ab:e2:9a:02:4d:77:f5:44:23:ae:23:85:b6 josh@server1
Step 3: Check SSH-AGENT
josh@server1:~> ssh-agent
Output:
SSH_AUTH_SOCK=/tmp/ssh-XX1RcNaX/agent.31740; export SSH_AUTH_SOCK;
SSH_AGENT_PID=31741; export SSH_AGENT_PID;
echo Agent pid 31741;
josh@server1:~> SSH_AUTH_SOCK=/tmp/ssh-XX1RcNaX/agent.31740; export SSH_AUTH_SOCK;
josh@server1:~> SSH_AGENT_PID=31741; export SSH_AGENT_PID;
josh@server1:~> echo Agent pid 31741;
Output:
Agent pid 31741
Step 4: SSH-ADD
josh@server1:~> ssh-add /export/home/josh/.ssh/id_dsa
Output:
Enter passphrase for /home/jimbo/.ssh/id_dsa1:
Identity added: /export/home/josh/.ssh/id_dsa (/export/home/josh/.ssh/id_dsa)
Step 5: Making sure server1 is in the list of known hosts on Server2
when you ssh into server2 from server1 the first time, server2 adds the IP address of server1 in a file called known_hosts, so the second time you login, server2 should straight away prompt you for a password without doubting the authenticity of server1!
so try to ssh into server2 from server1, login and exit.
josh@server1:~> ssh bob@server2
Output:
bob@server2's password:
Last login: Tue Nov 25 06:22:11 2010 from josh
Have a lot of fun...
bob@server2:~> exit
Output:
logout
Connection to bob closed.
logout
Connection to bob closed.
Step 6: SCP (Secure Copy) the pub key from Server1 to Server2
josh@server1:~> scp /export/home/josh/.ssh/id_dsa.pub bob@server2:/export/home/bob/.ssh/josh.pub
Output:
bob@server2's password:
id_dsa.pub 100% |*************************************************| 602 00:00
Step 7: Copy the Pub Key (josh.pub) that was copied to server2 into Authorized Keys
josh@server1:~> ssh bob@server2
bob@server2's password:
Last login: Tue Nov 25 06:30:11 2010 from josh
Have a lot of fun...
Last login: Tue Nov 25 06:30:11 2010 from josh
Have a lot of fun...
bob@server2:~> cd /export/home/bob/.ssh/
bob@server2:~> cat josh.pub >> authorized_keys
bob@server2:~> exit
logout
Connection to bob closed.
logout
Connection to bob closed.
Step 8: Test your new SSH-KEY
josh@server1:~> ssh -i /export/home/josh/.ssh/id_dsa bob@server2
Last login: Tue Nov 25 06:45:11 2010 from josh
Have a lot of fun...bob@server2:~>
Have a lot of fun...bob@server2:~>
Once you get to the command prompt of server2, then your SSH-KEY is working. You can use this KEY to login to the server always without need for password. You can also use the KEY to automate the login within a BASH/KSH/TCSH script. Have fun.