The objective is to enable remote login for my Ubuntu machine running with a local IP address of 10.0.1.2. We begin by setting a stronger password for my account on Ubuntu under: System > Preferences > About Me (weirdly, it's not under Passwords and Encryption Keys ..).
On the client (OS X Snow Leopard Server), I already have some key pairs from a previous test
> ls ~/.ssh
authorized_keys id_dsa id_dsa.pub known_hosts
but they are DSA keys, which the notes I'm going to follow deprecate. We'll make a short 1024
ssh-keygen -b 1024 -t rsa
> cat id_rsa.pub
ssh-rsa AAAAB..5Eoec= telliott_@c-98-___-__-154.hsd1.wv.comcast.net
Not sure what the pseudo ip address or "comcast" thing is about.
I also take this opportunity to set a passphrase for the public key (and of course I make a note of it). This will be useful (it says) because we can set up the server to require both a password to gain access to the public key, as well as the corresponding private key before login is allowed.
[UPDATE: I'm still working my way through this, but I suspect that the previous statement isn't correct. The passphrase is used to protect the value of the private key. So, in this setup OS X will decrypt the private key using the passphrase, and the stored value of the private key in id_rsa is encrypted. I'll try to figure all this out soon.]
The easiest way to get my new public key onto the server is to use SSH (with password, before we disable it). The next question is, do we need to install an SSH server? It appears yes.
sudo apt-get install openssh-server
There is a pre-existing config file /etc/ssh/ssh_config but after the previous command there are more including sshd_config. I make sure to save a copy of this file before I modify it. Now try:
ssh firstname.lastname@example.org
ssh: connect to host 10.0.1.2 port 22: Connection refused
OK, so we need to modify
Port 22 is already uncommented. Now uncomment:
PermitRootLogin no
ChallengeResponseAuthentication yes
PasswordAuthentication yes # we'll set it to no eventually
On the server:
sudo /etc/init.d/ssh restart
On the client:
> ssh email@example.com
The authenticity of host '10.0.1.2 (10.0.1.2)' can't be established.
RSA key fingerprint is d1: .. :83.
Are you sure you want to continue connecting (yes/no)?
Check the fingerprint on the server:
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
2048 d1: .. :83 /etc/ssh/ssh_host_rsa_key.pub (RSA)
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.1.2' (RSA) to the list of known hosts.
Connection closed by 10.0.1.2
> ssh firstname.lastname@example.org
email@example.com's password:
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-11-generic x86_64)
Now to change to not using our password. We need to copy our RSA public key to the server in some secure way. According to the sshd_config file, the "authorized keys file" is %h/.ssh/authorized_keys. That's in my home directory. I do:
> scp ~/.ssh/id_rsa.pub firstname.lastname@example.org:~/.ssh/authorized_keys
email@example.com's password:
id_rsa.pub 100% 260 0.3KB/s 00:00
te@VB:~$ logout
Connection to 10.0.1.2 closed.
> ssh firstname.lastname@example.org
Identity added: /Users/telliott_admin/.ssh/id_rsa (/Users/telliott_admin/.ssh/id_rsa)
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-11-generic x86_64)
* Documentation: https://help.ubuntu.com/
Last login: Sun Aug 28 14:35:49 2011 from osxserver.local
te@VB:~$
Now, finally, be sure to turn off password authentication for the ssh server: PasswordAuthentication no. At first, I'm not being prompted for a password to retrieve my public key on the server.. just getting automatically logged in by:
I forgot to do:
ChallengeResponsePasswords yes
sudo /etc/init.d/ssh restart
Restart and I get the challenge.. Although it is apparently cached sometimes. Looks like it works.
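
The post ends with PasswordAuthentication no while ChallengeResponseAuthentication stays yes. As an added example (not the author's code), the script below reads those keywords out of an sshd_config and flags that combination. The function names, the sample file and its "UsePAM yes" line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit the sshd_config keywords it edits.

# Print the first global value of keyword $2 in file $1 (lowercased), or "unset".
# sshd keeps the first value it reads; keywords are case-insensitive; lines after
# a "Match" keyword are conditional, so the scan stops there.
sshd_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }
        { key = tolower($1) }
        key == "match" { exit }
        key == want { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Print one finding per line for config file $1; return 1 if there are any.
audit_sshd() {
    rc=0
    root=$(sshd_value "$1" PermitRootLogin)
    pw=$(sshd_value "$1" PasswordAuthentication)
    cr=$(sshd_value "$1" ChallengeResponseAuthentication)
    pam=$(sshd_value "$1" UsePAM)
    [ "$root" = no ] || { echo "PermitRootLogin is '$root', expected 'no'"; rc=1; }
    [ "$pw" = no ] || { echo "PasswordAuthentication is '$pw', expected 'no'"; rc=1; }
    # With PAM on, challenge-response (keyboard-interactive) can still ask for
    # the account password even though PasswordAuthentication is no.
    if [ "$cr" != no ] && [ "$pam" != no ]; then
        echo "ChallengeResponseAuthentication is '$cr' with UsePAM '$pam': password prompts still possible"
        rc=1
    fi
    return $rc
}

# Constructed sample: the settings the post ends with, plus "UsePAM yes" (assumed).
sample_config() {
    cat <<'EOF'
Port 22
PermitRootLogin no
ChallengeResponseAuthentication yes
PasswordAuthentication no
#PasswordAuthentication yes
UsePAM yes
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
audit_sshd "$tmp" || echo "(findings above)"
rm -f "$tmp"
```

To check a real server, call audit_sshd /etc/ssh/sshd_config; a keyword reported as 'unset' falls back to the build default, so set it explicitly.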