I'm going to follow my old post, but try to be a little more organized about everything.
The first step is to generate an RSA key pair. We'll use a key length of 1024 bits, although for a real application you'd want something substantially longer.
On OS X:
> ssh-keygen -b 1024 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/telliott_admin/.ssh/id_rsa):
Created directory '/Users/telliott_admin/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/telliott_admin/.ssh/id_rsa.
Your public key has been saved in /Users/telliott_admin/.ssh/id_rsa.pub.
The key fingerprint is:
c0:67:0f:f5:08:08:af:33:17:40:e2:c5:80:5a:0a:e5 telliott_admin@Toms-Mac-mini.local
The key's randomart image is:
+--[ RSA 1024]----+
| o++=. .. .      |
|oo.o.+. o o      |
|ooE = + . .      |
|o . = o          |
| + . S .         |
|    +            |
|                 |
|                 |
|                 |
+-----------------+
passphrase: xxxxxxx
The purpose of the passphrase is to protect the private key on my machine (I think). The key files are in:
.ssh/id_rsa
.ssh/id_rsa.pub
At a later point there will be other files here like:
.ssh/known_hosts
It's convenient to refer to a key by its digest (fingerprint):
> ssh-keygen -l -f ~/.ssh/id_rsa.pub
1024 c0:67:0f:f5:08:08:af:33:17:40:e2:c5:80:5a:0a:e5
/Users/telliott_admin/.ssh/id_rsa.pub (RSA)
(I wrapped the output line).
On U32 (I already did this):
sudo apt-get install openssh-server
We need to edit /etc/ssh/sshd_config. Make sure the Port 22 line is uncommented and make the following changes:
PermitRootLogin no
ChallengeResponseAuthentication yes
PasswordAuthentication yes    # we'll set it to no eventually

telliott@U32:/etc/ssh$ diff sshd_config sshd_config.orig
27c27
< PermitRootLogin no
---
> PermitRootLogin yes
48c48
< ChallengeResponseAuthentication yes
---
> ChallengeResponseAuthentication no
51c51
< PasswordAuthentication yes
---
> #PasswordAuthentication yes
The server's host keys are also in the /etc/ssh directory:
/etc/ssh/ssh_host_rsa_key.pub
and so on. For example:
telliott@U32:/etc/ssh$ ssh-keygen -l -f ssh_host_rsa_key.pub
2048 9c:a3:65:70:81:1e:d9:47:75:de:09:87:88:4e:cd:8f ssh_host_rsa_key.pub (RSA)
Restart the server. Then, on OS X:
> ssh telliott@10.0.1.2
The authenticity of host '10.0.1.2 (10.0.1.2)' can't be established.
RSA key fingerprint is 9c:a3:65:70:81:1e:d9:47:75:de:09:87:88:4e:cd:8f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.1.2' (RSA) to the list of known hosts.
telliott@10.0.1.2's password:
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-17-generic i686)
..
telliott@U32:~$
Before you answer "yes" above, be sure to check that the fingerprint presented by the "host" 10.0.1.2 is the same as the one we got on Ubuntu for ssh_host_rsa_key.pub (here both are 9c:a3:65:...:cd:8f). If they differ, you are not talking to the machine you think you are.
In a new Terminal window or tab:
> ssh-keygen -lvf ~/.ssh/known_hosts
2048 9c:a3:65:70:81:1e:d9:47:75:de:09:87:88:4e:cd:8f 10.0.1.2 (RSA)
+--[ RSA 2048]----+
|    +..=.o.o.    |
|   + .+.+ +o..   |
|    ...+. o ...  |
|     .+ o E .    |
|        S        |
|       + .       |
|        .        |
|                 |
|                 |
+-----------------+
At this point we want to copy our public key over to the server.
The way I did this is:
> scp ~/.ssh/id_rsa.pub telliott@10.0.1.2:~/.ssh/authorized_keys
telliott@10.0.1.2's password:
id_rsa.pub                                    100%  248     0.2KB/s   00:00
Note: the docs say to use ssh-copy-id instead, which appends to authorized_keys rather than overwriting it the way the scp above does (that matters if other keys are already authorized on the server):

ssh-copy-id username@remotehost
chmod 600 .ssh/authorized_keys
Having done this, my home directory in Ubuntu should have a file of authorized keys:
telliott@U32:~$ cd .ssh
telliott@U32:~/.ssh$ ls
authorized_keys  known_hosts
telliott@U32:~/.ssh$ ssh-keygen -l -f ~/.ssh/authorized_keys
1024 c0:67:0f:f5:08:08:af:33:17:40:e2:c5:80:5a:0a:e5 /home/telliott/.ssh/authorized_keys (RSA)
The fingerprint matches my public key generated on OS X.
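As an added example (not code from the original post), here is a small Python script that does both of the checks above by hand: it parses an OpenSSH public-key line as found in id_rsa.pub, authorized_keys or known_hosts, reports the key size and the colon-separated MD5 fingerprint that ssh-keygen -l printed on these systems, and tells you whether two lines carry the same key (the server's host key vs our known_hosts entry, or id_rsa.pub vs the server's authorized_keys). The key material in it is constructed, not the post's key, and a SHA256 fingerprint is included because newer ssh-keygen shows that format by default.

```python
import base64
import hashlib
import struct

SAMPLE_E = 65537  # constructed sample values (NOT a real key), so this runs offline
SAMPLE_N = (1 << 1023) | 0x10001  # SAMPLE_N.bit_length() == 1024, like the post's key

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value: int) -> bytes:
    """SSH mpint for a positive integer: big-endian, leading 0x00 if the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def build_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH public-key line as found in id_rsa.pub / authorized_keys."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_pubkey_line(line: str):
    """Return (key_type, raw_blob, bits) for an id_rsa.pub, authorized_keys or known_hosts line."""
    fields = line.split()
    if not fields[0].startswith(("ssh-", "ecdsa-")):  # known_hosts: "10.0.1.2 ssh-rsa AAAA..."
        fields = fields[1:]
    key_type, blob = fields[0], base64.b64decode(fields[1])
    parts, pos = [], 0
    while pos < len(blob):  # walk the length-prefixed wire strings
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        parts.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if parts[0] != key_type.encode():
        raise ValueError("key type prefix does not match blob")
    # ssh-rsa strings are: type, e, n; the reported key size is the modulus bit length.
    bits = int.from_bytes(parts[2], "big").bit_length() if key_type == "ssh-rsa" else None
    return key_type, blob, bits
def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the format ssh-keygen -l printed on these systems."""
    return hashlib.md5(blob).digest().hex(":")
def sha256_fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint (unpadded base64), what newer ssh-keygen -l shows by default."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def same_key(line_a: str, line_b: str) -> bool:
    """True if two key lines (host key vs known_hosts entry, id_rsa.pub vs authorized_keys) match."""
    return parse_pubkey_line(line_a)[1] == parse_pubkey_line(line_b)[1]
```

Point it at a real file with `parse_pubkey_line(open(path).read().splitlines()[0])` and compare the result to what ssh-keygen -l -f prints for the same file.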
Now change the config file to PasswordAuthentication no:
telliott@U32:~/.ssh$ cd /etc/ssh
telliott@U32:/etc/ssh$ sudo nano sshd_config
telliott@U32:/etc/ssh$ diff sshd_config sshd_config.orig
27c27
< PermitRootLogin no
---
> PermitRootLogin yes
48c48
< ChallengeResponseAuthentication yes
---
> ChallengeResponseAuthentication no
51c51
< PasswordAuthentication no
---
> #PasswordAuthentication yes
Finally, from OS X:
> ssh telliott@10.0.1.2
Identity added: /Users/telliott_admin/.ssh/id_rsa (/Users/telliott_admin/.ssh/id_rsa)
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-17-generic i686)

 * Documentation:  https://help.ubuntu.com/

Last login: Thu Mar 29 13:20:00 2012 from toms-mac-mini.local
telliott@U32:~$
Logging out and retrying does not require the passphrase again, nor does quitting Terminal and starting again. I did not save to the Keychain, so what's the deal? Maybe it has something to do with Lion apps remembering their state between runs.
A reboot of the machine does force the prompt for the passphrase.