HPE Community
Operating System - HP-UX
1753519 Members
4919 Online
108795 Solutions
New Discussion юеВ

Secureshell - generating key on 11iv2 host

 
Tom Haddad
Super Advisor

тАО11-11-2010 07:18 AM

тАО11-11-2010 07:18 AM

Secureshell - generating key on 11iv2 host

Ive been running ssh A.04.50 for some time. I have ssh connections working on the ftp server for some outside users but want to confirm my documentation.(my co-worker had implemented these account/accounts connnections some time ago)

on my ftp server:
on the home account for said user...
we run ssh-kgen with no options.. This creates the private and public keys and no passphrase is entered.
I send/copy the public key file to the user.
The user appends the public key to his authorized_keys file under his .ssh directory
Also user's .ssh directory should have permissions of 600.
The user can now test his connection.

One question..on the ftp server..the public key does NOT need to be added to the authorized_keys file under his /home../.ssh/, right?

BTW - the .ssh directory for the user on the ftp server is set to 770 and public key file underneath it is set to 644
0 Kudos
5 REPLIES 5
Shibin_2
Honored Contributor

тАО11-11-2010 09:44 AM

тАО11-11-2010 09:44 AM

Re: Secureshell - generating key on 11iv2 host

>> One question..on the ftp server..the public key does NOT need to be added to the authorized_keys file under his /home../.ssh/, right?

Yes. Here is how it works.

Messages encrypted with the private key can only be decrypted by the public key, and vice-versa. You keep your private key on your local machine, and put the public key in a list of authorized hosts on the remote machine. When you attempt to log-in to the remote host it sends you a brief message, encrypted with your public key. If you can decrypt the message (and you send back some proof that you have done so) then that proves that you must possess the private key, and you are allowed in.
Regards
Shibin
0 Kudos
Bill Hassell
Honored Contributor

тАО11-11-2010 09:49 AM

тАО11-11-2010 09:49 AM

Re: Secureshell - generating key on 11iv2 host

> One question..on the ftp server..the public key does NOT need to be added to the authorized_keys file under his /home../.ssh/, right?

Correct, but it doesn't matter if you do.

> BTW - the .ssh directory for the user on the ftp server is set to 770 and public key file underneath it is set to 644

Bad, bad, bad. The permissions must be fully restrictive:

1. Assuming /home is the top level directory, it must be 755.

2. The user's directory must be 755 minimum.

3. .ssh must be 700 - no except the user can see anything in .ssh

4. None of the files can be publicly readable or writable, so set all files in .ssh to 600, owned by the user.

ssh is particularly silent about bad permissions and won't tell what's wrong -- it just asks for a password.


Bill Hassell, sysadmin
0 Kudos
Dennis Handly
Acclaimed Contributor

тАО11-12-2010 12:59 AM

тАО11-12-2010 12:59 AM

Re: Secureshell - generating key on 11iv2 host

>Bill: > on the ftp server the public key does NOT need to be added to the authorized_keys file under his /home../.ssh/, right?

>Correct, but it doesn't matter if you do.

If you have a NFS mounted home directory and want to do ssh between machines, you would want that key there.
0 Kudos
Tom Haddad
Super Advisor

тАО11-12-2010 07:54 AM

тАО11-12-2010 07:54 AM

Re: Secureshell - generating key on 11iv2 host

Got the info i needed. thanks.
0 Kudos
Tom Haddad
Super Advisor

тАО11-12-2010 07:55 AM

тАО11-12-2010 07:55 AM

Re: Secureshell - generating key on 11iv2 host

Was able to get the SSH connection working now!!
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.