[lug] OpenSSH

D. Stimits stimits at idcomm.com
Tue Jan 30 18:30:12 MST 2001


"Michael J. Pedersen" wrote:
> 
> On Tue, Jan 30, 2001 at 12:58:46PM -0700, D. Stimits wrote:
> > I've seen several posts recently on setting up ssh, and used some of the
> > advice in those, but am still having problems setting things up
> > correctly (basically I'm working on getting one internal machine to
> > allow login on a per user key basis without passwords...blanket machine
> > setups are unacceptable). The "-v" option gives me some clues that are
> > useful, but not sufficient. So I'm looking for online docs and other
> > pages that might help in diagnosing or setting up ssh, but for the last
> > couple of days have been unable to reach www.openssh.org's web site.
> > Does anyone know of a good url concerning ssh setup?
> 
> Nope, dunno of a good url. However, here are the steps to take to make it happen
> (as I use it every day, I'm fairly certain this works :)
> 
> 1) As the user who will log in, issue 'ssh-keygen'
>    Follow all prompts, but make certain not to use a passphrase on this secret
>    key.
> 2) Copy the file $HOME/.ssh/identity.pub to $HOME/.ssh/authorized_keys on the
>    server to which you will log in.
> 3) On the server you log into, find the file 'sshd_config', and make the
>    following changes to it:
>    -----
>    PasswordAuthentication no
>    PermitEmptyPasswords yes
>    -----
> 4) Restart sshd
> 5) chown -R user:group $HOME/.ssh
> 6) chmod 0700 $HOME/.ssh ; chmod 0600 $HOME/.ssh/*
> 
> You should now be able to log in successfully.

I now have the following situation change. I completely removed all keys
and all ssh programs, including ssh-keygen, sshd, and so on. The two Red Hat
6.2 systems are 100% cleaned. I then picked up the source from the site
you mentioned, and installed the tarball versions of the "portable" ssh,
from the file openssh-2.3.0p1.tar.gz (on both machines).

I used ./configure to make it match the prior setups to some extent; for
example, I named --prefix as /usr instead of /usr/local, and sysconfdir
as /etc/ssh, rather than /usr/local/etc. I ran make, and make install. I
updated links and files in my /etc/rc.d/ directories for the appropriate
startup and shutdown (same as before), and tested the
/etc/rc.d/init.d/sshd script for stop, start, and restart, successfully.
/var/log/messages indicated success as well, and generation of RSA keys.
I edited the new /etc/ssh/sshd_config for the above-mentioned mods to
PasswordAuthentication and PermitEmptyPasswords for the machine I am
going to ssh TO (machine B), and restarted. One thing the documentation
fails to correctly mention is host-level known hosts, which I am
guessing is done as follows: in /etc/sshd/, I created the subdirectory
known_hosts, and within that, I placed the opposite machine's
/etc/sshd/*.pub files (I did this from machine A to machine B, and
machine B to machine A, copying the two key files over, one key being
marked as ssh_host_dsa_key.pub, the other simply ssh_host_key.pub).
Again, I restarted each server.

On each computer I have a non-root user (abbreviate here "x") of
identical name, uid, guid, and home directory structure on both
machines. Prior to the following key generation steps, I did rm -Rf on
all home directory .ssh and .ssh2 directories, including root, on both
machines...nothing was left over (this was cleaned out even before I
reinstalled any ssh at all).

User "x" on both machines ran ssh-keygen, without a passphrase. This
generated ~/.ssh/, with files identity and identity.pub on each machine. On
machine B I wasn't sure about how to add authorized keys, and made some
guesses, creating the directory ~/.ssh/authorized_keys/. Within that
directory I placed the relevant identity.pub of user "x" of machine A.
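An added example, not part of this thread or of OpenSSH: a POSIX shell script that checks a user's ~/.ssh directory against steps 2, 5 and 6 of the quoted reply (authorized_keys is a regular file, the directory is 0700, its files are 0600, everything belongs to the login user) and reads the effective value of an sshd_config directive such as the PasswordAuthentication line edited in the message. The function names, and the paths in the usage comment, are my own choices.

```shell
#!/bin/sh
# Added example: audit a user's ~/.ssh layout against the quoted steps and
# read the effective value of an sshd_config directive.
# Function names are hypothetical; nothing here comes from OpenSSH itself.

# audit_ssh_dir DIR USER -> returns 0 when every check passes, 1 otherwise
audit_ssh_dir() {
  dir=$1
  owner=$2
  rc=0
  if [ ! -d "$dir" ]; then
    echo "FAIL: $dir is not a directory"
    return 1
  fi
  # Step 6: the directory itself must be mode 0700
  if [ -z "$(find "$dir" -maxdepth 0 -perm 0700)" ]; then
    echo "FAIL: $dir is not mode 0700"
    rc=1
  fi
  # Step 2: identity.pub is copied INTO a file named authorized_keys
  if [ ! -f "$dir/authorized_keys" ]; then
    echo "FAIL: $dir/authorized_keys is missing or not a regular file"
    rc=1
  fi
  for f in "$dir"/*; do
    [ -e "$f" ] || continue        # empty directory: the glob stays literal
    # Step 6: every entry under .ssh must be mode 0600
    if [ -z "$(find "$f" -maxdepth 0 -perm 0600)" ]; then
      echo "FAIL: $f is not mode 0600"
      rc=1
    fi
  done
  # Step 5: the directory and its contents belong to the login user
  for f in "$dir" "$dir"/*; do
    [ -e "$f" ] || continue
    if [ -z "$(find "$f" -maxdepth 0 -user "$owner")" ]; then
      echo "FAIL: $f is not owned by $owner"
      rc=1
    fi
  done
  return $rc
}

# sshd_directive FILE KEY -> prints the effective value of KEY in sshd_config.
# sshd keeps the FIRST occurrence of a directive, so that is what is printed;
# directive names are matched case-insensitively and comment lines are skipped.
sshd_directive() {
  awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Usage (paths are illustrative): sh audit.sh /home/x/.ssh x /etc/ssh/sshd_config
if [ $# -eq 3 ]; then
  audit_ssh_dir "$1" "$2" && echo "OK: $1 layout matches the quoted steps"
  echo "PasswordAuthentication = $(sshd_directive "$3" PasswordAuthentication)"
  echo "PermitEmptyPasswords   = $(sshd_directive "$3" PermitEmptyPasswords)"
fi
```

Run it on machine B as the user who will be logged into, with that user's home directory and the server's sshd_config as arguments; a layout that deviates from the quoted steps is reported line by line. Public-key logins do not depend on PermitEmptyPasswords, which only controls whether accounts with an empty password field may log in by password authentication, so the script prints that value for review rather than requiring any particular setting.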
