07-31-2019
The client side needs to generate the key-pairs and the server side needs to have the public keys for each acceptable key-pair added to ~/.ssh/authorized_keys file for the user account on the server being connected to. Never copy the private key between users or servers (except for backups I suppose) because these are the critical identity proof for the client. If misused, you have little idea what has used them. If you feel that the integrity might have been compromised on a client, you can change the public key for just that client on the server rather than on all the clients, which is prone to error from clients being switched off or you not having the rights to sign on to the client to change the keys etc.
The server uses the keys for the requested user in ~/.ssh/authorized_keys in turn to encrypt a challenge to any connecting client. A client can prove it's identity by decrypting the challenge and responding, so keep the private key (used for decryption) separate for each user of each client and you will know what is permitted or not. The server can have multiple public keys authorised for any particular account by adding the multiple public keys on separate lines in ~/.ssh/authorized_keys for the target user(s) that the client is permitted to connect to.
You can go further and the client could generate multiple pairs of keys and save them to different pairs of files. The client can then be directed to use the appropriate private key for each user/server combination it wishes to connect to. Some may think this as overkill but it is an option should you deem it necessary and it is your choice. We use single client key-pairs for many things but specific user/server key-pairs for our most critical connections.
Remember that security is important and SSH (and related services) enforce this. Generally try to ensure that client's ~/.ssh directory and contents must not be readable by anyone else. Open permissions get rejected. Similar for the target account on the server. Openning permissions up to 'help' it will not work.
I hope that this helps,
Robin
10 More Discussions You Might Find Interesting
1. UNIX for Advanced & Expert Users
Hi
Is it possible to add users on a Mac OSX server from a unix system with ssh?
If it is what file to alter?
brg Nicke (3 Replies)
Discussion started by: nicke30
3 Replies
2. Shell Programming and Scripting
I'm trying to run a set of commands on a remote machine using ssh in a shell script. One of the commands is unzip. But when the execution reaches this command, the script fails with an error that unzip is not found. Below is the code and the error snippet.
sourceDir=$1 ; filename=$3 ; destDir=$2... (4 Replies)
Discussion started by: farahzaiba
4 Replies
3. UNIX for Dummies Questions & Answers
Hi,
I use bru to backup a variety of servers. One of our servers crashed and we had to do an emergency restore. It is working fine. The problem is the backup server refuses to backup the ftp server. The backup server ssh's into the servers and executed the bru command and instructs that that... (1 Reply)
Discussion started by: mojoman
1 Replies
4. Shell Programming and Scripting
I'm trying to write a script using expect. I'd like the script to execute several commands when the ssh succeeds and i want it to exit if the ssh fails. Does this require to define a time out for the ssh command so that if the prompt is back before this defined time the next commands are executed??... (2 Replies)
Discussion started by: Hossam_Nox
2 Replies
5. Red Hat
Guys,
Need your help coz my server runs in local time GMT +8, but when client use ftp and login, the resulting timestamp seen in each file is in UTC format. We need to set that the time should be the same as GMT +8 when in ftp session.
I am using RHEL 5.3.
root@]# ll
total 1740... (2 Replies)
Discussion started by: shtobias
2 Replies
6. Ubuntu
Unable to set ssh passwordless authentication
I am unable to ssh with passwordless authentication from Windows client onto UBuntu server. The ssh version on UBuntu is OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e , while SSH on Windows Client is OpenSSH_5.1p1, OpenSSL 0.9.8k. I turned on ssh... (5 Replies)
Discussion started by: tkota
5 Replies
7. Shell Programming and Scripting
The below while loop is in ksh on a SunOs server: SPARC-Enterprise 5.10
The ksh version is: Version M-11/16/88i
The intention of the below while loop is to read through a list of file names in files.txt and
delete each file from a server, one at a time. The delete works, the problem is that if... (6 Replies)
Discussion started by: LES2013
6 Replies
8. Shell Programming and Scripting
Hi,
I am triggering a windows exe file using the below command.
ssh user@remoteserver command.exe -option1:xx /option2:yy
This command is working fine from windows command prompt. When I am triggering the same command from ssh I get the error message cant load
Any ideas to deal with... (2 Replies)
Discussion started by: ahmedwaseem2000
2 Replies
9. Shell Programming and Scripting
I have a constraint to follow organization policy. So i do not have much liberty.
ssh -i /opt/nonprod user1@hostone -t bash works while ssh -i /opt/nonprod -t bash user1@hostone fails
How can I get this to work when I am enforced to put -t bash before the user@hostname ?
Will share debug... (3 Replies)
Discussion started by: mohtashims
3 Replies
10. Shell Programming and Scripting
I have two linux servers viz 12.7.44.18 and 12.7.45.18
I wish to ssh from both these server to a destination AiX server 12.7.33.18
The ssh works from 12.7.44.18 -> 12.7.33.18 but fails from 12.7.45.18 -> 12.7.33.18
The openssl version on both linux source 12.7.44.18 and 12.7.45.18 is the... (7 Replies)
Discussion started by: mohtashims
7 Replies
LEARN ABOUT X11R4
ssh-keysign
ssh-keysign(1M) ssh-keysign(1M)
NAME
ssh-keysign - ssh helper program for host-based authentication
SYNOPSIS
ssh-keysign
ssh-keysign is used by ssh(1) to access the local host keys and generate the digital signature required during host-based authentication
with SSH protocol version 2. This signature is of data that includes, among other items, the name of the client host and the name of the
client user.
ssh-keysign is disabled by default and can be enabled only in the global client configuration file /etc/ssh/ssh_config by setting Host-
basedAuthentication to yes.
ssh-keysign is not intended to be invoked by the user, but from ssh. See ssh(1) and sshd(1M) for more information about host-based authen-
tication.
/etc/ssh/ssh_config
Controls whether ssh-keysign is enabled.
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_rsa_key
These files contain the private parts of the host keys used to generate the digital signature. They should be owned by root, readable
only by root, and not accessible to others. Because they are readable only by root, ssh-keysign must be set-uid root if host-based
authentication is used.
ssh-keysign will not sign host-based authentication data under the following conditions:
o If the HostbasedAuthentication client configuration parameter is not set to yes in /etc/ssh/ssh_config. This setting cannot be overri-
den in users' ~/.ssh/ssh_config files.
o If the client hostname and username in /etc/ssh/ssh_config do not match the canonical hostname of the client where ssh-keysign is
invoked and the name of the user invoking ssh-keysign.
In spite of ssh-keysign's restrictions on the contents of the host-based authentication data, there remains the ability of users to use it
as an avenue for obtaining the client's private host keys. For this reason host-based authentication is turned off by default.
See attributes(5) for descriptions of the following attributes:
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
|Availability |SUNWsshu |
+-----------------------------+-----------------------------+
|Interface Stability |Evolving |
+-----------------------------+-----------------------------+
ssh(1), sshd(1M), ssh_config(4), attributes(5)
AUTHORS
Markus Friedl, markus@openbsd.org
HISTORY
ssh-keysign first appeared in Ox 3.2.
9 Jun 2004 ssh-keysign(1M)