Friday, June 20, 2014

How to establish a trust relationship for ssh connection between two Linux servers

Server sisifo will access the server thanatos by using an ssh connection.

Step 1: Generate public key on the source server (sisifo)

[javauser@sisifo ~]$ cd .ssh
[javauser@sisifo .ssh]$ ls -la
total 28
drwx------.  2 javauser javauser  4096 2010-08-31 10:47 .
drwxrwx---. 65 javauser javauser 20480 2014-06-20 11:18 ..
-rw-r--r--.  1 javauser javauser  3164 2014-06-19 20:33 known_hosts
[javauser@sisifo .ssh]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/javauser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/javauser/.ssh/id_rsa.
Your public key has been saved in /home/javauser/.ssh/id_rsa.pub.
The key fingerprint is:
81:f3:df:6d:b1:43:e9:5a:2f:8f:67:5d:12:58:68:a1 javauser@sisifo
The key's randomart image is:
+--[ RSA 2048]----+
|            .o   |
|       .   .o .  |
|      o . E. o   |
|       o .  . .. |
|        S     +. |
|         . . +.o.|
|          . . B.o|
|             +.++|
|            . .=o|
+-----------------+
[javauser@sisifo .ssh]$ ls -la
total 36
drwx------.  2 javauser javauser  4096 2014-06-20 13:42 .
drwxrwx---. 65 javauser javauser 20480 2014-06-20 11:18 ..
-rw-------.  1 javauser javauser  1675 2014-06-20 13:42 id_rsa
-rw-r--r--.  1 javauser javauser   397 2014-06-20 13:42 id_rsa.pub
-rw-r--r--.  1 javauser javauser  3164 2014-06-19 20:33 known_hosts
[javauser@sisifo .ssh]$

Step 2: Copy the file id_rsa.pub to server thanatos (target) and rename it authorized_keys in the directory ~/.ssh

[javauser@thanatos .ssh]$ sftp javauser@sisifo
javauser@sisifo's password:
Connected to sisifo.
sftp> cd .ssh
sftp> get id_rsa.pub
Fetching /home/javauser/.ssh/id_rsa.pub to id_rsa.pub
/home/javauser/.ssh/id_rsa.pub               100%  397     0.4KB/s   00:00
sftp> quit
[javauser@thanatos .ssh]$ ls -l
total 8
-rw-r--r--. 1 javauser javauser 397 Jun 20 14:49 id_rsa.pub
-rw-r--r--. 1 javauser javauser 401 Jun 20 11:03 known_hosts
[javauser@thanatos .ssh]$ mv id_rsa.pub authorized_keys
[javauser@thanatos .ssh]$ ls -l
total 8
-rw-r--r--. 1 javauser javauser 397 Jun 20 14:49 authorized_keys
-rw-r--r--. 1 javauser javauser 401 Jun 20 11:03 known_hosts
[javauser@thanatos .ssh]$ pwd
/home/javauser/.ssh
[javauser@thanatos .ssh]$

Step 3: The ssh connection now works without a password

[javauser@sisifo .ssh]$ ssh javauser@thanatos
Last login: Fri Jun 20 13:26:09 2014
[javauser@thanatos ~]$

Hint 1: Remember that the directory .ssh should have 700 as permissions.
If not, change the permissions with "chmod 700 .ssh"

[javauser@thanatos ~]$ ls -la | grep ssh
drwx------.  2 javauser javauser  4096 Jun 20 14:49 .ssh
[javauser@thanatos ~]$

Hint 2: In order to add other servers, do not move (mv) id_rsa.pub to authorized_keys but append it:
cat id_rsa.pub >> authorized_keys

For example, adding another server (merope) to access thanatos:

[javauser@merope ~]$ hostname ; pwd
merope
/home/javauser
[javauser@merope ~]$ cd .ssh
[javauser@merope .ssh]$ ls -l
total 4
-rw-r--r--. 1 javauser javauser 403 2014-06-20 13:10 known_hosts
[javauser@merope .ssh]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/javauser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/javauser/.ssh/id_rsa.
Your public key has been saved in /home/javauser/.ssh/id_rsa.pub.
The key fingerprint is:
3a:ef:0f:38:5f:01:0e:39:b8:94:21:72:07:07:79:3a javauser@merope
The key's randomart image is:
+--[ RSA 2048]----+
|. =++            |
| o.+.+ .         |
|   o+ + .        |
|  E. . + .       |
|   ..   S .      |
|       o   .     |
|      = . .      |
|       = o       |
|       .+..      |
+-----------------+
[javauser@merope .ssh]$ ls -lrt
total 12
-rw-r--r--. 1 javauser javauser  403 2014-06-20 13:10 known_hosts
-rw-r--r--. 1 javauser javauser  397 2014-06-20 15:07 id_rsa.pub
-rw-------. 1 javauser javauser 1675 2014-06-20 15:07 id_rsa
[javauser@merope .ssh]$ sftp javauser@thanatos
Connecting to thanatos...
javauser@thanatos's password:
sftp> cd .ssh
sftp> put id_rsa.pub merope_id_rsa.pub
Uploading id_rsa.pub to /home/javauser/.ssh/merope_id_rsa.pub
id_rsa.pub                                    100%  397     0.4KB/s   00:00
sftp> quit
[javauser@merope .ssh]$


[javauser@thanatos .ssh]$ hostname ; pwd
thanatos
/home/javauser/.ssh
[javauser@thanatos .ssh]$ cat merope_id_rsa.pub >> authorized_keys
[javauser@thanatos .ssh]$

[javauser@merope ~]$ hostname
merope
[javauser@merope ~]$ ssh javauser@thanatos
Last login: Fri Jun 20 14:55:44 2014 from sisifo
[javauser@thanatos ~]$

Hint 3: The home directory on the target server must have permissions 700, or you will not be able to connect without a password.

[root@sisifo home]# ls -l | grep javauser
drwxrwx---. 65 javauser  javauser    20480 2014-06-20 15:39 javauser
[root@sisifo home]# chmod 700 javauser
[root@sisifo home]# ls -l | grep javauser
drwx------. 65 javauser  javauser    20480 2014-06-20 15:39 javauser
[root@sisifo home]#
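The following script is an added example and not part of the original post: it automates Step 2 together with Hints 1 to 3, appending a public key to authorized_keys only if the same key is not already there, then setting the permissions sshd expects on the home directory, .ssh and authorized_keys. The demo() function, the temporary paths and the key strings it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key into a
# target user's authorized_keys following Hints 1-3, but idempotently.
# Paths and key strings used by demo() are constructed for illustration.

# install_pubkey HOME_DIR PUBKEY_FILE
# Appends the key only when its type+blob is not already present (Hint 2:
# append, never mv), then sets the modes sshd's StrictModes requires
# (Hints 1 and 3): 700 on home and .ssh, 600 on authorized_keys.
install_pubkey() {
    home_dir=$1; pubkey_file=$2
    ssh_dir="$home_dir/.ssh"; auth_keys="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    touch "$auth_keys"
    # Match on key type and base64 blob; the trailing comment (e.g.
    # javauser@sisifo) may differ between copies of the same key.
    key_blob=$(awk '{print $1, $2}' "$pubkey_file")
    if ! awk '{print $1, $2}' "$auth_keys" | grep -qxF "$key_blob"; then
        cat "$pubkey_file" >> "$auth_keys"
    fi
    chmod 700 "$home_dir" "$ssh_dir"
    chmod 600 "$auth_keys"
}

# perms_ok HOME_DIR: prints "ok" when home, .ssh and authorized_keys carry
# the modes above (the trailing "." of SELinux listings is ignored), else "bad".
perms_ok() {
    h=$(ls -ld "$1" | cut -c1-10)
    s=$(ls -ld "$1/.ssh" | cut -c1-10)
    a=$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)
    if [ "$h" = "drwx------" ] && [ "$s" = "drwx------" ] && [ "$a" = "-rw-------" ]
    then echo ok; else echo bad; fi
}

# demo: build a throwaway home that is group-writable (the situation in
# Hint 3), install two constructed keys plus a duplicate of the first, and
# print "<key count> <perms>" so the result can be checked.
demo() {
    tmp=$(mktemp -d); home="$tmp/home"
    mkdir -p "$home"; chmod 770 "$home"
    printf 'ssh-rsa AAAAB3NzaC1yc2EFAKEKEYONE javauser@sisifo\n' > "$tmp/sisifo.pub"
    printf 'ssh-rsa AAAAB3NzaC1yc2EFAKEKEYTWO javauser@merope\n' > "$tmp/merope.pub"
    printf 'ssh-rsa AAAAB3NzaC1yc2EFAKEKEYONE javauser@sisifo\n' > "$tmp/dup.pub"
    for k in sisifo merope dup; do install_pubkey "$home" "$tmp/$k.pub"; done
    echo "$(grep -c . "$home/.ssh/authorized_keys") $(perms_ok "$home")"
    rm -rf "$tmp"
}
```

Running demo prints "2 ok": the duplicate of sisifo's key is skipped, and the 770 home directory that would have blocked the login in Hint 3 has been corrected to 700.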
