[TriLUG] how-to: preshare ssh key

Kevin Hunter hunteke at earlham.edu
Tue Jun 3 13:42:20 EDT 2008


At 1:15p -0400 on Tue, 03 Jun 2008, Warren Myers wrote:
> I need to set up rsync between a pair of servers and want to use ssh to
> accomplish that.
> 
> However, I don't want to be entering the passwords of those users
> constantly.
> 
> How do I go about pre-sharing the server keys between the target and source
> machines?

Are you talking about ssh keys?  One possible outline/method:

$ ssh-keygen -t rsa -b 2048 -f servername-03Jun2008
   [... you interact with program, likely for no passphrase ... ]

$ ls -lh servername-03Jun2008*
-rw------- 1 kevin kevin 1.7K 2008-06-03 13:26 servername-03Jun2008
-rw-r--r-- 1 kevin kevin  392 2008-06-03 13:26 servername-03Jun2008.pub

As implied by the permissions, you are free to share the .pub, but keep
the actual key safe.

$ cat *03Jun2008.pub | ssh servername "cat >> .ssh/authorized_keys"
[ ... last time you'll need to type ssh password ... ]

$ ssh -i servername-03Jun2008 servername
[ ... note log in with no password ... ]

Noting this, now use it in your rsync with something like

$ rsync --rsh='ssh -i servername-03Jun2008' ...

If you don't like using the -i flag to ssh, you may look in the ssh
config file.

Discussion:

SSH keys are awesome, but potentially very dangerous if you lose the
private key or someone nasty gets a hold of it.  Keep that puppy safe.
And, in general, remember that security is a mindset, not a task.

The public half of the key should be put on the servers *onto which* you
would like passwordless ssh access (in the .ssh/authorized_keys file).
The private half should only be on the computers *from which* you will
initiate an ssh connection.

There is more discussion to be had about the security implications, so I
expect Cristóbal will jump my case ( ;-) ), but this is a functional method.

Kevin

P.S.  It appears that I have a lag in receiving email, so as I finished
writing this, everyone else has already responded.  Gah.  Oh well, I've
written it, I'm sending it.  :-)
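The authorized_keys step above, as an added example that is not part of the original post: a POSIX shell function that installs a public key with the directory and file modes sshd's StrictModes requires, refuses a private key passed by mistake, and never appends a duplicate, plus a helper that prints the ~/.ssh/config stanza that replaces the -i flag. Function names and the sample key in the usage are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: install a public key into
# authorized_keys the way sshd expects (directory 0700, file 0600, one copy
# of the key) instead of a bare "cat >>" over ssh.  Function names and any
# sample key used with them are constructed for this example.

install_authorized_key() {
    pub="$1"                                   # path to the .pub file
    auth="${2:-$HOME/.ssh/authorized_keys}"    # destination file
    dir=$(dirname "$auth")

    # Accept only a public-key line; a private key (-----BEGIN ...) passed
    # by mistake would otherwise be appended verbatim to the server.
    if ! grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+) ' "$pub"; then
        echo "install_authorized_key: not a public key: $pub" >&2
        return 1
    fi

    # sshd (StrictModes yes, the default) ignores authorized_keys when the
    # directory or the file is group/world writable, so set modes explicitly.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Append only if this exact line is not already present (idempotent).
    key=$(head -n 1 "$pub")
    grep -qxF -- "$key" "$auth" && return 0
    printf '%s\n' "$key" >> "$auth"
}

# Number of key lines installed (comments and blank lines excluded).
count_keys() { grep -c -E '^(ssh-|ecdsa-)' "$1"; }

# Permission string of a path, e.g. "-rw-------" or "drwx------".
perm_string() { ls -ld "$1" | cut -c1-10; }

# Client-side alternative to "ssh -i": a ~/.ssh/config stanza so that
# "ssh <alias>" and rsync --rsh=ssh pick the right key automatically.
# IdentitiesOnly keeps ssh from offering every agent key to that host.
ssh_config_stanza() {
    printf 'Host %s\n    HostName %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
        "$1" "$2" "$3" "$4"
}
```

Run it on the server as the target user, e.g. `install_authorized_key servername-03Jun2008.pub`, then append `ssh_config_stanza backup servername kevin ~/.ssh/servername-03Jun2008` to ~/.ssh/config on the client and use `rsync --rsh=ssh ... backup:...`.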