SSH Secure Shell, whenever we want to execute a shell command on a remote machine, it is used. The whole idea here is to make sure that eaves drop will not be able to decrypt it, as it is encrypted.
Now, we already have a linux machine(172.16.0.1) that has openssh server running. I have a client linux machine(172.16.0.20). For the first time, whenever we issue a command.
1
2
3
4
5
6
7
8
9
| # ssh 172.16.0.1 -l root ls
Host '172.16.0.1' is not in the trusted hosts file.
(ssh-rsa fingerprint sha1!! 3f:61:51:b5:00:02:64:f9:c4:c3:dd:a1:e9:eb:ac:9e:1b:aa:ef:68)
Do you want to continue connecting? (y/n) y
root@172.16.0.1's password:
abc.txt
def.txt
#
|
Line 5: It asks whether to include public key in the file ~/.ssh/known_hosts
Line 6: Password is needed
1
2
3
| # cat .ssh/known_hosts
172.16.0.1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC97bEOOLravOBmbx/P+5BXxEEH49N3tdS3PgynAwdma/OY6fGzFrXhGnKZgYKbkKSTldKpXs3xUdRhjR6jU9VN4GcjzmcFfNgniGdq6SntV/U9lrdCGt2V5dLdTAE8I3q2vQL9i/OQ83fcu9CVKN6/O0jToJ65n9lrgrsFfSjkFWlPJLh2l9Syvgl1OReat6iBetcpetUnC0CTG9ORwpDsl+GbQAXc2VSWirafQRDNFNTC1aOwgUa9YMFY+XUqetU/76nYr4MC8JNoWkqvH0O+6UTR5wKhYDMaDIr9PGtTJF+2Hqt97XYAudieIwBogiGNl5/fF2GKW3j7ykibDAxH
#
|
You can see the entry added in the file. Now, delete the file. We can avoid the banner by explicitly adding it by ourselves. It will be available by two methods:
Using ssh-keyscan command remotely:
1
2
3
4
5
| # ssh-keyscan -H 172.16.0.1
# 172.16.0.1 SSH-2.0-OpenSSH_6.2
no hostkey alg
# 172.16.0.1 SSH-2.0-OpenSSH_6.2
|1|Dg0BPDSZVlQ397prZu+fKSB31zM=|Vab1XH6An8aw4QQoR1rln8mvwo0= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC97bEOOLravOBmbx/P+5BXxEEH49N3tdS3PgynAwdma/OY6fGzFrXhGnKZgYKbkKSTldKpXs3xUdRhjR6jU9VN4GcjzmcFfNgniGdq6SntV/U9lrdCGt2V5cLdSAD8I3q2vQL9i/OQ83fcu9CVKN6/O0jToJ65n9lrgrsFfSjkFWlPJLh2l9Syvgl1OReat6iBetcpetUnC0CTG9ORwpDsl+GbQAXc2VSWirafQRDNFNTC1aOwgUa9YMFY+XUqetU/76nYr4MC8JNoWkqvH0O+6UTR5wKhYDMaDIr9PGtTJF+2Hqt97XYAudieIwBogiGNl5/fF2GKW3j7ykibDAxH
|
On the server machine (172.16.0.1), in the following location
1
2
| #cat /etc/ssh/ssh_host_rsa_key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC97bEOOLravOBmbx/P+5BXxEEH49N3tdS3PgynAwdma/OY6fGzFrXhGnKZgYKbkKSTldKpXs3xUdRhjR6jU9VN4GcjzmcFfNgniGdq6SntV/U9lrdCGt2V5cLdSAD8I3q2vQL9i/OQ83fcu9CVKN6/O0jToJ65n9lrgrsFfSjkFWlPJLh2l9Syvgl1OReat6iBetcpetUnC0CTG9ORwpDsl+GbQAXc2VSWirafQRDNFNTC1aOwgUa9YMFY+XUqetU/76nYr4MC8JNoWkqvH0O+6UTR5wKhYDMaDIr9PGtTJF+2Hqt97XYAudieIwBogiGNl5/fF2GKW3j7ykibDAxH
|
Copy and paste the corresponding public key in the known_hosts file of client(172.16.0.20)
1
2
3
4
5
6
7
| # vi .ssh/known_hosts
# ssh 172.16.0.1 -l root ls
root@172.16.0.1's password:
abc.txt
def.txt
#
|
Passwordless Login for the server
Whenever we issue ssh to the server, it always asks for password. To avoid this, we have to keep that user's public key in the 'authorized_key' list of server. Remember, it has to be public key of user@hostname(~/.ssh/id_rsa.pub) and NOT public key of the hostname(/etc/ssh/ssh_host_rsa_key.pub)
Initially 'id_rsa.pub' would not be present. There will be only 2 files 'known_hosts' and 'authorized hosts'
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
| # ls ~/.ssh/
authorized_keys known_hosts
# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
d6:1c:43:59:bc:fe:fa:36:e4:44:0c:12:96:41:2f:f9 root@svtap01end1.bec.broadcom.net
The key's randomart image is:
+--[ RSA 2048]----+
| .*B. |
| o+oo |
| =..+ |
| o =. o |
| S o.E. |
| . . o |
| = |
| = |
| .+.. |
+-----------------+
# ls ~/.ssh/
authorized_keys id_rsa id_rsa.pub known_hosts
# cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6gtqYxfBe/dcBtMPh/j1x6eAVOLbn9ooY12ztDs15q4kkjw0YNkHVcw9vX3Ys5eIx2N+5WaFc8uCuZFqK+F3/qybCNkIditLwoC8OOH3zXZeBB+hzkACl1ThEIIHRlqUX79xMokPwOM99OOt6CwKZCl81aRF75+QW6ek8PxMvEm4O9zb22pGU36Qb5PS6IOKfBUbIUi4v7dR5ElBiziPCZqXgFDf5iZAS83hyvSVxl5VG7dhO0GfWGa+KrQ1kwdK5oyIL81PBgkQFrxVzejApSxwBgNs+1B9e8Tq5/FsxcLfUB0w12VQlIedZOeUDhh18+MoUrStdNYrEZqNwt5Ox root@svtap01end1.bec.broadcom.net
#
|
Copy the output of id_rsa.pub to authorized hosts in the server. After doing lot of trails of copy paste the contents to the file, in-build command 'ssh-copy-id' worked smoothly.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| # ssh-copy-id root@172.16.0.1
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.0.1's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@172.16.0.1'"
and check to make sure that only the key(s) you wanted were added.
# ssh 172.16.0.1 ls
abc.txt
def.txt
#
|
Thank you.
