# ssh-keygen -t rsa (Could also use -t dsa)

Enter a password if required; if intending to use the key for an automated account then leave the password blank (in which case I STRONGLY recommend you also restrict the command as shown further down). Copy the *.pub file to the remote server and then add the key to the authorized keys file of the remote user. Also check that the permissions are set correctly or it will not work.

# cat *.pub >> ~/.ssh/authorized_keys2
# chmod 600 authorized_keys2

Log in with the following to see verbose errors etc:

# ssh -v user@remotehost

It is possible to restrict the command which can be run with this type of connection to increase security. This allows us to permit only a specific rsync command, for example, so that if the key is compromised it limits the damage that can be done. To enforce this, edit the beginning of the authorized_keys line as shown below, replacing the command with the one you want to be run and using the correct key.

command="rsync --server -vlogDtprc . /var/www/html" ssh-dss AAAAB3Nz…[rest of key goes here]

See also: SSH tunnels post
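As an added example (not code from the original post), here is a small POSIX shell helper that builds a restricted authorized_keys entry like the one above and checks the ~/.ssh permissions that otherwise make sshd silently ignore the file. The extra no-port-forwarding/no-pty/no-agent-forwarding/no-X11-forwarding options are standard OpenSSH authorized_keys options that the post does not mention but which close the other things an automated key should not be able to do; the function names, the sample key text and the paths are constructed placeholders. One caveat: OpenSSH 7.0 and later refuse ssh-dss keys by default, so an ssh-rsa (or ed25519) key is the realistic choice for a new setup.

```shell
#!/bin/sh
# Added example (not from the original post): build a forced-command
# authorized_keys line for an automated rsync account and check the
# permissions that sshd insists on.  Names and sample values are
# constructed for illustration.

# build_restricted_entry PUBKEY_LINE COMMAND
# Prints one authorized_keys line that forces COMMAND to run and turns
# off port/agent/X11 forwarding and pty allocation for that key.
# The no-* options are standard OpenSSH authorized_keys options.
build_restricted_entry() {
    pubkey="$1"
    cmd="$2"
    printf 'command="%s",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$cmd" "$pubkey"
}

# check_perms DIR
# Returns 0 if DIR looks like a usable ~/.ssh (directory 700, key files
# 600); otherwise prints what is wrong and returns 1.  This is the
# "unhelpful error message" cause from the troubleshooting section.
# Uses GNU stat -c; BSD stat would need -f '%Lp' instead.
check_perms() {
    dir="$1"
    rc=0
    mode=$(stat -c '%a' "$dir")
    [ "$mode" = "700" ] || { echo "$dir is mode $mode, want 700"; rc=1; }
    for f in "$dir"/authorized_keys "$dir"/authorized_keys2 "$dir"/id_rsa; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        [ "$mode" = "600" ] || { echo "$f is mode $mode, want 600"; rc=1; }
    done
    return $rc
}

# Usage (constructed sample key, placeholder text rather than a real key):
# build_restricted_entry "ssh-rsa AAAAB3NzaC1yc2EXAMPLE backup@host" \
#     "rsync --server -vlogDtprc . /var/www/html" >> ~/.ssh/authorized_keys
# check_perms ~/.ssh
```

Append the printed line to the remote user's authorized_keys (or authorized_keys2, as in the post) and run check_perms there; if it reports a mode problem, fix it before spending time on ssh -v output.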
Troubleshooting:
Check the file permissions of all the key files (and directories), as if they are incorrect it will fail with an unhelpful error message.
Note that password expiry policies still apply even if only using keys. The account will still block logins and enforce a password change even if you are trying to log in with a key file - not what you want to happen on an automated account...
Check the spelling of the file "authorized_keys" - the number of times I have typed "authorised_keys" by mistake....