The objective is to enable remote login for my Ubuntu machine running with a local IP address of 10.0.1.2. We begin by setting a stronger password for my account on Ubuntu under: System > Preferences > About Me (weirdly, it's not under Passwords and Encryption Keys ..).
On the client (OS X Snow Leopard Server), I already have some key pairs from a previous test

    > ls ~/.ssh
    authorized_keys id_dsa id_dsa.pub known_hosts

but they are DSA keys, which the notes I'm going to follow deprecate. We'll make a short 1024

    ssh-keygen -b 1024 -t rsa
    > cat id_rsa.pub
    ssh-rsa AAAAB..5Eoec= telliott_@c-98-___-__-154.hsd1.wv.comcast.net

Not sure what the pseudo ip address or "comcast" thing is about.
I also take this opportunity to set a passphrase for the public key (and of course I make a note of it). This will be useful (it says) because we can set up the server to require both a password to gain access to the public key, as well as the corresponding private key before login is allowed.
[UPDATE: I'm still working my way through this, but I suspect that the previous statement isn't correct. The passphrase is used to protect the value of the private key. So, in this setup OS X will decrypt the private key using the passphrase, and the stored value of the private key in id_rsa is encrypted. I'll try to figure all this out soon.]

The easiest way to get my new public key onto the server is to use SSH (with password, before we disable it). The next question is, do we need to install an SSH server? It appears yes.

    sudo apt-get install openssh-server

There is a pre-existing config file /etc/ssh/ssh_config but after the previous command there are more including sshd_config. I make sure to save a copy of this file before I modify it. Now try:

    ssh te@10.0.1.2
    ssh: connect to host 10.0.1.2 port 22: Connection refused

OK, so we need to modify /etc/ssh/sshd_config. Port 22 is already uncommented. Now uncomment:

    PermitRootLogin no
    ChallengeResponseAuthentication yes
    # we'll set it to no eventually
    PasswordAuthentication yes

On the server:

    sudo /etc/init.d/ssh restart

On the client:

    > ssh te@10.0.1.2
    The authenticity of host '10.0.1.2 (10.0.1.2)' can't be established.
    RSA key fingerprint is d1: .. :83.
    Are you sure you want to continue connecting (yes/no)?

Check the fingerprint on the server:

    ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
    2048 d1: .. :83 /etc/ssh/ssh_host_rsa_key.pub (RSA)

    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.0.1.2' (RSA) to the list of known hosts.
    Connection closed by 10.0.1.2
    > ssh te@10.0.1.2
    te@10.0.1.2's password:
    Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-11-generic x86_64)

Now to change to not using our password. We need to copy our RSA public key to the server in some secure way. According to the sshd_config file, the "authorized keys file" is %h/.ssh/authorized_keys. That's in my home directory. I do:

    > scp ~/.ssh/id_rsa.pub te@10.0.1.2:~/.ssh/authorized_keys
    te@10.0.1.2's password:
    id_rsa.pub 100% 260 0.3KB/s 00:00
    te@VB:~$ logout
    Connection to 10.0.1.2 closed.
    > ssh te@10.0.1.2
    Identity added: /Users/telliott_admin/.ssh/id_rsa (/Users/telliott_admin/.ssh/id_rsa)
    Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-11-generic x86_64)
     * Documentation: https://help.ubuntu.com/
    Last login: Sun Aug 28 14:35:49 2011 from osxserver.local
    te@VB:~$

Now, finally, be sure to turn off password authentication for the ssh server: PasswordAuthentication no. At first, I'm not being prompted for a password to retrieve my public key on the server.. just getting automatically logged in by:

    ssh te@10.0.1.2

I forgot to do:

    ChallengeResponseAuthentication yes
    sudo /etc/init.d/ssh restart

Restart and I get the challenge.. Although it is apparently cached sometimes. Looks like it works.
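
A check for the end state reached above, as an added example that is not part of the original post: it reads an sshd_config-style file and reports whether password-style logins are really off. It assumes PAM is enabled (`UsePAM yes`, as on stock Ubuntu), in which case `ChallengeResponseAuthentication yes` can still prompt for the account password even with `PasswordAuthentication no`; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a flat sshd_config:
# parsing stops at the first Match block and Include files are not followed.

# Print the effective value of KEYWORD in FILE. sshd uses the first value it
# obtains for a keyword, and keyword names are case-insensitive.
sshd_value() {   # usage: sshd_value FILE KEYWORD
    awk -v want="$2" '
        /^[ \t]*(#|$)/               { next }   # comment or blank line
        { sub(/[ \t]*=[ \t]*/, " ") }           # accept "Keyword=value"
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# Exit 0 only when both password-style methods are explicitly "no".
# An unset keyword counts as enabled, since the built-in default may be yes.
password_login_disabled() {   # usage: password_login_disabled FILE
    [ "$(sshd_value "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(sshd_value "$1" ChallengeResponseAuthentication)" = "no" ]
}

# Print a one-line verdict for FILE.
audit() {
    if password_login_disabled "$1"; then
        echo "key-only: password and challenge-response are both off"
    else
        echo "password-style login still possible:" \
             "PasswordAuthentication=$(sshd_value "$1" PasswordAuthentication)" \
             "ChallengeResponseAuthentication=$(sshd_value "$1" ChallengeResponseAuthentication)"
    fi
}

# Constructed sample: the settings as the post leaves them at the end.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
PermitRootLogin no
ChallengeResponseAuthentication yes
PasswordAuthentication no
#PasswordAuthentication yes
EOF
audit "$sample"
rm -f "$sample"
```

On a live server, point `audit` at /etc/ssh/sshd_config after each change and before closing the session that still works.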