Secureshell - generating key on 11iv2 host
Tom Haddad
Super Advisor

Secureshell - generating key on 11iv2 host

I've been running ssh A.04.50 for some time. I have ssh connections working on the ftp server for some outside users but want to confirm my documentation (my co-worker implemented these account connections some time ago).

On my ftp server:
In the home account for said user...
We run ssh-keygen with no options. This creates the private and public keys, and no passphrase is entered.
I send/copy the public key file to the user.
The user appends the public key to his authorized_keys file under his .ssh directory.
Also, the user's .ssh directory should have permissions of 600.
The user can now test his connection.

One question: on the ftp server, the public key does NOT need to be added to the authorized_keys file under his /home../.ssh/, right?

BTW, the .ssh directory for the user on the ftp server is set to 770 and the public key file underneath it is set to 644.
5 REPLIES
Shibin_2
Honored Contributor

Re: Secureshell - generating key on 11iv2 host

> One question: on the ftp server, the public key does NOT need to be added to the authorized_keys file under his /home../.ssh/, right?

Yes. Here is how it works.

Messages encrypted with the private key can only be decrypted by the public key, and vice versa. You keep your private key on your local machine and put the public key in a list of authorized hosts on the remote machine. When you attempt to log in to the remote host, it sends you a brief message encrypted with your public key. If you can decrypt the message (and you send back some proof that you have done so), that proves you must possess the private key, and you are allowed in.
Regards
Shibin
Bill Hassell
Honored Contributor

Re: Secureshell - generating key on 11iv2 host

> One question: on the ftp server, the public key does NOT need to be added to the authorized_keys file under his /home../.ssh/, right?

Correct, but it doesn't matter if you do.

> BTW, the .ssh directory for the user on the ftp server is set to 770 and the public key file underneath it is set to 644.

Bad, bad, bad. The permissions must be fully restrictive:

1. Assuming /home is the top level directory, it must be 755.

2. The user's directory must be 755 minimum.

3. .ssh must be 700 - no one except the user can see anything in .ssh.

4. None of the files can be publicly readable or writable, so set all files in .ssh to 600, owned by the user.

ssh is particularly silent about bad permissions and won't tell you what's wrong -- it just asks for a password.


Bill Hassell, sysadmin
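The procedure in the original post (generate a key pair with an empty passphrase, hand the public key over, append it to authorized_keys) and the permission checklist in Bill Hassell's reply, as one added shell example. This is not code from the thread or from HP-UX Secure Shell; it was written for this page and assumes a Linux host with GNU coreutils (`stat -c` is not portable to HP-UX's stat), an OpenSSH-compatible `ssh-keygen`, and a constructed sample public key line in the test rather than a real key. The `generate_key` helper is only a wrapper around real `ssh-keygen` flags and is not exercised by the check.

```shell
#!/bin/sh
# Added example (not from the thread). Generates a key, installs a public key
# exactly once, and audits the permission chain Bill's reply lists.
# Assumes GNU coreutils: stat -c '%a' prints octal mode bits like 700 or 2755.
set -u

# generate_key KEYFILE
# The post runs ssh-keygen with no options and an empty passphrase. The flags
# below are standard OpenSSH: -t/-b type and size, -N '' empty passphrase,
# -f output path, -q quiet. Private key is written 600 by ssh-keygen itself.
generate_key() {
    ssh-keygen -q -t rsa -b 4096 -N '' -f "$1"
}

# install_pubkey PUBKEY_FILE HOME_DIR
# Appends each key line from PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys,
# but only if that exact line is not already there (the post appends blindly,
# so re-running it duplicates keys). Sets .ssh to 700 and the file to 600.
install_pubkey() {
    ipk_pub=$1
    ipk_ssh="$2/.ssh"
    ipk_auth="$ipk_ssh/authorized_keys"
    mkdir -p "$ipk_ssh" || return 1
    chmod 700 "$ipk_ssh"
    touch "$ipk_auth"
    chmod 600 "$ipk_auth"
    # read -r || [ -n ] also handles a file without a trailing newline
    while IFS= read -r ipk_line || [ -n "$ipk_line" ]; do
        case $ipk_line in ''|'#'*) continue ;; esac
        # -x whole line, -F fixed string: same key is never appended twice
        grep -qxF -- "$ipk_line" "$ipk_auth" || printf '%s\n' "$ipk_line" >> "$ipk_auth"
    done < "$ipk_pub"
}

# mode PATH -> octal permission bits (e.g. 700, 644, 2755)
mode() { stat -c '%a' "$1"; }

# not_gw_writable MODE -> true when neither group nor others have the w bit
not_gw_writable() {
    [ $(( ($1 / 10 % 10) & 2 )) -eq 0 ] && [ $(( ($1 % 10) & 2 )) -eq 0 ]
}

# check_ssh_perms HOME_DIR
# Prints one "BAD:" line per violation of Bill's rules 2-4 and returns 1 if
# any were found, 0 otherwise. Rule 1 (/home itself) is not checked here.
check_ssh_perms() {
    csp_home=$1
    csp_ssh="$csp_home/.ssh"
    csp_rc=0
    [ -d "$csp_ssh" ] || { echo "BAD: $csp_ssh does not exist"; return 1; }
    csp_uid=$(stat -c '%u' "$csp_home")

    # 2. home directory: 755 or tighter, i.e. not writable by group or others
    csp_m=$(mode "$csp_home")
    if ! not_gw_writable "$csp_m"; then
        echo "BAD: $csp_home is group- or world-writable (mode $csp_m)"; csp_rc=1
    fi
    # 3. .ssh must be exactly 700 (a leading setgid/sticky digit is tolerated)
    csp_m=$(mode "$csp_ssh")
    case $csp_m in 700|?700) ;; *) echo "BAD: $csp_ssh must be 700 (is $csp_m)"; csp_rc=1 ;; esac
    # 4. every file in .ssh is 600 and owned by the same uid as the home dir
    for csp_f in "$csp_ssh"/* "$csp_ssh"/.[!.]*; do
        [ -f "$csp_f" ] || continue
        csp_m=$(mode "$csp_f")
        case $csp_m in 600|?600) ;; *) echo "BAD: $csp_f must be 600 (is $csp_m)"; csp_rc=1 ;; esac
        if [ "$(stat -c '%u' "$csp_f")" != "$csp_uid" ]; then
            echo "BAD: $csp_f is not owned by the owner of $csp_home"; csp_rc=1
        fi
    done
    return $csp_rc
}

# Usage: sh thisfile.sh /home/ftpuser   (audits one account's chain)
if [ $# -eq 1 ]; then
    check_ssh_perms "$1"
fi
```

The check encodes Bill's rules rather than the bare minimum: an OpenSSH-based sshd (which HP-UX Secure Shell is) with the default `StrictModes yes` only insists that the home directory, .ssh and authorized_keys are owned by the user and not writable by group or others, and it never reads the `.pub` file, so a 644 public key is harmless in practice. What it does with a violation is exactly what Bill describes: it ignores authorized_keys and falls through to password authentication, telling the client nothing. The reason appears only in the server's auth log as "Authentication refused: bad ownership or modes for directory ..." (or "... for file ..."), so when a key silently stops working, read that log or run the daemon in debug mode on a spare port before touching the client.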

Re: Secureshell - generating key on 11iv2 host

> Bill: > On the ftp server, the public key does NOT need to be added to the authorized_keys file under his /home../.ssh/, right?

> Correct, but it doesn't matter if you do.

If you have an NFS-mounted home directory and want to do ssh between machines, you would want that key there.
Tom Haddad
Super Advisor

Re: Secureshell - generating key on 11iv2 host

Got the info I needed. Thanks.
Tom Haddad
Super Advisor

Re: Secureshell - generating key on 11iv2 host

Was able to get the SSH connection working now!!