topic Secureshell - generating key on 11iv2 host in Operating System - HP-UX

Secureshell - generating key on 11iv2 host

Tom Haddad — Thu, 11 Nov 2010 15:18:42 GMT

Ive been running ssh A.04.50 for some time. I have ssh connections working on the ftp server for some outside users but want to confirm my documentation.(my co-worker had implemented these account/accounts connnections some time ago)

on my ftp server:
on the home account for said user...
we run ssh-kgen with no options.. This creates the private and public keys and no passphrase is entered.
I send/copy the public key file to the user.
The user appends the public key to his authorized_keys file under his .ssh directory
Also user's .ssh directory should have permissions of 600.
The user can now test his connection.

One question..on the ftp server..the public key does NOT need to be added to the authorized_keys file under his /home../.ssh/, right?

BTW - the .ssh directory for the user on the ftp server is set to 770 and public key file underneath it is set to 644

Re: Secureshell - generating key on 11iv2 host

Shibin_2 — Thu, 11 Nov 2010 17:44:49 GMT

>> One question..on the ftp server..the public key does NOT need to be added to the authorized_keys file under his /home../.ssh/, right?

Yes. Here is how it works.

Messages encrypted with the private key can only be decrypted by the public key, and vice-versa. You keep your private key on your local machine, and put the public key in a list of authorized hosts on the remote machine. When you attempt to log-in to the remote host it sends you a brief message, encrypted with your public key. If you can decrypt the message (and you send back some proof that you have done so) then that proves that you must possess the private key, and you are allowed in.

Re: Secureshell - generating key on 11iv2 host

Bill Hassell — Thu, 11 Nov 2010 17:49:05 GMT

> One question..on the ftp server..the public key does NOT need to be added to the authorized_keys file under his /home../.ssh/, right?

Correct, but it doesn't matter if you do.

> BTW - the .ssh directory for the user on the ftp server is set to 770 and public key file underneath it is set to 644

Bad, bad, bad. The permissions must be fully restrictive:

1. Assuming /home is the top level directory, it must be 755.

2. The user's directory must be 755 minimum.

3. .ssh must be 700 - no except the user can see anything in .ssh

4. None of the files can be publicly readable or writable, so set all files in .ssh to 600, owned by the user.

ssh is particularly silent about bad permissions and won't tell what's wrong -- it just asks for a password.

Re: Secureshell - generating key on 11iv2 host

Dennis Handly — Fri, 12 Nov 2010 08:59:41 GMT

>Bill: > on the ftp server the public key does NOT need to be added to the authorized_keys file under his /home../.ssh/, right?

>Correct, but it doesn't matter if you do.

If you have a NFS mounted home directory and want to do ssh between machines, you would want that key there.

Re: Secureshell - generating key on 11iv2 host

Tom Haddad — Fri, 12 Nov 2010 15:54:20 GMT

Got the info i needed. thanks.

Re: Secureshell - generating key on 11iv2 host

Tom Haddad — Fri, 12 Nov 2010 15:55:50 GMT

Was able to get the SSH connection working now!!