How to set up key authentication for a server?

If you have SSH installed, you should be able to run:

ssh-keygen

Then go through the steps; you'll end up with two files, id_rsa and id_rsa.pub (the first is your private key, the second is your public key, the one you copy to remote machines).

Then connect to the remote machine you want to log in to, and add the contents of that id_rsa.pub file to the file ~/.ssh/authorized_keys.

chmod 600 all the id_rsa* files (both locally and remotely), so no other users can read them:

chmod 600 ~/.ssh/id_rsa*

Similarly, ensure the remote ~/.ssh/authorized_keys file is also chmod 600:

chmod 600 ~/.ssh/authorized_keys

Then, when you do ssh remote.machine, it should ask you for the key's passphrase, not your password on the remote machine.

To make it nicer to use, you can use ssh-agent to hold the decrypted keys in memory; this means you don't have to type your keypair's passphrase every single time. To launch the agent, you run (including the back-tick quotes, which eval the output of the ssh-agent command):

eval `ssh-agent`

On some distros, ssh-agent is started automatically. If you run echo $SSH_AUTH_SOCK and it shows a path (probably under /tmp/), it's already set up, so you can skip the previous command.

Then, to add your key, you do:

ssh-add ~/.ssh/id_rsa

and enter your passphrase. It's stored until you remove it (using the ssh-add -D command, which removes all keys from the agent).


You are reading this post on Joel G Mathew’s tech blog. Joel's personal blog is the Eyrie, hosted here.

Adding a second or multiple remotes to an existing git repository

Github does not provide free private git repos. So I use gitlab to host my own git server, and when I decide to go public, I switch to Github, or use Github as a second remote.

Here’s how you can add a second remote to your existing git repo.

Typically the existing remote is labelled as ‘origin’. In the example below, you’ll be adding a new remote labelled ‘github’.

As a first step, go to Github and create a new git repo. Get the Github URL (the git@ URL, not the https one, since the latter asks for a password while pushing).

At the bash prompt, cd to the directory of your existing repo:

cd /path/to/gitrepo
git remote add github [email protected]:droidzone/wordpress_plugin_updater.git
git push github master

To change a remote's URL:

git remote set-url github [email protected]:droidzone/wordpress_plugin_updater.git


Adding an ssh key for bitbucket

First generate a key:

#ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root/id_bitbucket
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/id_bitbucket.
Your public key has been saved in /root/id_bitbucket.pub.
The key fingerprint is:
3f:da [email protected]
The key's randomart image is:

Now, add the key to the ssh-agent:

ssh-add ~/.ssh/id_bitbucket

Oops, there’s an error!

Could not open a connection to your authentication agent.

Here’s the fix:

#exec ssh-agent bash

To make sure it does not happen again, add the following to .bashrc:

SSH_AUTH_SOCK=/tmp/ssh-qoIvoV8968/agent.8968; export SSH_AUTH_SOCK;
SSH_AGENT_PID=8969; export SSH_AGENT_PID;

Now, add the key to the agent.

Now, add the key to bitbucket, after printing the public key to your screen:

#cat /root/.ssh/id_bitbucket.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCofxmd7nnaLx9aIjA5Q+U3gA2acUBvZy6NW+6kd3cqtb/QfLBVasjf/T6a7lVhNSlGYF25o+LhEJsz7A3JADXexG7VUQcuP1N4jkYlVDFx7KoLnS8tq9oaxMTwmjUMnsnJuKk+eE0y3omw3LcSf5ivAuuISd9BjlxuNHzpHHzZGZDorCEAUi2pzDerUNIbdxkaovCuERxys7ySnEChsj62auEEFN0wEKB4tW4uTLPq3XEfs3dK2RZkfjG9WTy6IoItrau9GMJPYVLVx2TFotiWCdwzbwpJHJXsQxmqdXoj3/SJgUIHNUK8oY8ykbPx9X7h/AI3xv41qwHw1A7LNePT [email protected]

Copy it entirely, including the [email protected] comment at the end.

Now, cloning a repo will just work.



Instantly secure VPS session

New script (gitlab version):

wget -N http://git.droidzone.in/joel/securessh/raw/master/secure_server -O secure_server && bash secure_server

Bitbucket version (a bit old):

apt-get update && apt-get -y install git 
git clone https:[email protected]/droidzone/securessh.git && securessh/secure_server

If you don't want to install git:

wget http://droidzone.in/securessh/secure_server -O secure_server --no-check-certificate && bash ./secure_server

The script cleans up temporary keys and installs just one public key.

What I do is (old method, for the non-git version):

bash <(wget -qO- http://droidzone.in/keys/secure_server --no-check-certificate)

The script contains this:

#cat secure_server
#!/bin/bash
# Generate a random password
#   $1 = number of characters; defaults to 32
#   $2 = include special characters; 1 = yes, 0 = no; defaults to 1
function randpass() {
  [ "$2" == "0" ] && CHAR="[:alnum:]" || CHAR="[:graph:]"
    cat /dev/urandom | tr -cd "$CHAR" | head -c ${1:-32}
    echo
}

AUTH_KEY="http://droidzone.in/keys/myauthkey.pub"
AUTH_KEYNAME="myauthkey.pub"
echo Removing bash history
rm -f /root/.bash_history
rm -f /root/.mysql_history

echo Done
echo
echo Securing ssh keys...
echo Downloading new authorized public key...
if [ -e $AUTH_KEYNAME ]; then rm $AUTH_KEYNAME; fi
# Stop here if the download fails; otherwise an empty authorized_keys would be installed below
wget $AUTH_KEY --no-check-certificate || { echo "Download of $AUTH_KEY failed, aborting"; exit 1; }
echo
echo "Creating .ssh if it doesn't exist..."
if [ ! -d /root/.ssh ]; then mkdir /root/.ssh; fi
echo Cleaning up .ssh/
# Clear the immutable bit set by an earlier run, or the rm below fails
chattr -i /root/.ssh/* 2>/dev/null
rm -f /root/.ssh/*
echo Installing new public key..
cat $AUTH_KEYNAME > /root/.ssh/authorized_keys
echo Setting proper permissions on .ssh and its contents
chmod -R go= /root/.ssh
echo Setting immutable bit...
chattr +i /root/.ssh/authorized_keys
echo Deleting downloaded key
rm $AUTH_KEYNAME
echo
echo "Here's a random password for your use:"
randpass 32 1
echo "It's recommended to change your password now. "
echo " Type: passwd"

It deletes bash history, removes the id_rsa keys in .ssh (I'm sure you haven't deleted generated keys!), and installs a custom public key from http://droidzone.in/keys/myauthkey.pub.

The only thing you have to remember is to try logging in with your new private key to check that it works!



Quickly create and transfer openssh keys to multiple servers

The first step is to create an openssh key.

On Linux:

ssh-keygen -t rsa

#ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/serverlogin
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/serverlogin.
Your public key has been saved in /root/.ssh/serverlogin.pub.
The key fingerprint is:
7a:ce:aa:43:er:7c:bb:10:4b:88:84:63:ac:fa:61:74 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
| .               |
|o..              |
|.o.. .           |
| .o A o R        |
| ... . +         |
| .o0.  + .       |
|...oo0 .*        |
|...o++oo+        |
+-----------------+

Next, you might need to transfer this openssh key to Windows. You can use pscp:

pscp [email protected]:/root/.ssh/serverlogin D:\Software\MyKeys\

Now, from the server, transfer the public key to multiple servers:

cat ~/.ssh/serverlogin.pub | ssh [email protected] 'cat >> .ssh/authorized_keys'
cat ~/.ssh/serverlogin.pub | ssh [email protected] 'cat >> .ssh/authorized_keys'


How to use scp on Putty (pscp)

Here’s an example of using pscp to transfer files to a remote:

pscp -scp -i "C:\Users\User\DG\SSH Keys\jader\droidzone\mykey.ppk" "C:\Users\User\DG\SSH Keys\Latest\mypublic_pub.txt" [email protected]:~/.ssh/

This is a typical usage of scp. I'm transferring my public key to the ssh server, to make further authentications with a key. Here, I specify the current private key (already recognized by the server) with the -i option. Alternately, one would use password authentication.

-scp forces scp mode.

The general syntax is:

pscp [source] [target]

source is a file or folder name

target is in the format ip_address:/destination_directory or hostname:/destination_directory



How to set up private nameservers (DNS servers)

Requirements:

  • A VPS with Debian 6 64 bit minimal (Any distro should do, but the example uses Debian 6)

Steps:

Install bind9:

apt-get update
apt-get install bind9

Now, edit this file:

#cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

And:

# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// Domain Management drjoel.in

zone "drjoel.in" {
     type master;
     file "/var/lib/bind/db.drjoel.in";
     allow-update { key rndc-key; };
};
// This is the zone definition for reverse DNS. Replace 31.167.199 with your network address in reverse notation, e.g. my network address is 199.167.31
zone "31.167.199.in-addr.arpa" {
     type master;
     file "/etc/bind/zones/rev.14.31.167.199.in-addr.arpa";
};

You can check /etc/bind/named.conf.local for errors with:

#named-checkconf

If it finds errors, it will report like this:

 #named-checkconf
/etc/bind/named.conf.local:15: missing ';' before '}'

Now edit the master zone file for drjoel.in. This is the main zone record file (resource record file). No blank lines are permitted, except for a newline at the bottom; the latter is compulsory.

#cat "/var/lib/bind/db.drjoel.in"
drjoel.in.       IN      SOA     ns1.joel.co.in. admin.drjoel.in. (
                   2007010401           ; Serial
                         3600           ; Refresh [1h]
                          600           ; Retry   [10m]
                        86400           ; Expire  [1d]
                          600 )         ; Negative Cache TTL [10m]
;
drjoel.in.      IN      NS      ns1.joel.co.in.
drjoel.in.      IN      NS      ns2.joel.co.in.
drjoel.in.      IN      MX      10 aspmx.l.google.com.
drjoel.in.      IN      MX      20 alt1.aspmx.l.google.com.
drjoel.in.      IN      MX      20 alt2.aspmx.l.google.com.
drjoel.in.      IN      MX      30 aspmx2.googlemail.com.
drjoel.in.      IN      MX      30 aspmx3.googlemail.com.
drjoel.in.      IN      MX      30 aspmx4.googlemail.com.
drjoel.in.      IN      A       198.23.228.223
ns1.drjoel.in.  IN      A       199.167.31.14
ns2.drjoel.in.  IN      A       38.114.103.106
*.drjoel.in.    3600    IN      CNAME   drjoel.in.

The main records to note are the first line:

drjoel.in.       IN      SOA     ns1.joel.co.in. admin.drjoel.in. (

Here, the first word is “drjoel.in.”. Note the period at the end; all domain names in this file end with a period. The fourth column has the primary nameserver. The last column, “admin.drjoel.in.”, actually denotes the email address admin@drjoel.in.

Now edit the file for reverse records:

#cat "/etc/bind/zones/rev.14.31.167.199.in-addr.arpa"
; Replace example.com with your domain name, ns1 with your DNS server name.
; The number before IN PTR example.com is the machine address of the DNS server. In my case, it's 1, as my IP address is 192.168.0.1.
@ IN SOA ns1.drjoel.in. admin.drjoel.in. (
                        2006081401 ; Serial
                        28800      ; Refresh
                        604800     ; Retry
                        604800     ; Expire
                        86400 )    ; Negative Cache TTL

                     IN    NS     ns1.drjoel.in.
14                   IN    PTR    drjoel.in.

Here, my server's IPv4 address is 199.167.31.14. The last octet, 14, is what is typed at the start of the last line of the file.

The resource record file can also be checked for errors, with:

named-checkzone

It is invoked as follows; a sample error output is shown:

#named-checkzone relsoft.in /var/lib/bind/db.relsoft.in
/var/lib/bind/db.relsoft.in:1: no TTL specified; using SOA MINTTL instead
/var/lib/bind/db.relsoft.in:17: ignoring out-of-zone data (www)
/var/lib/bind/db.relsoft.in:18: ignoring out-of-zone data (ns1)
/var/lib/bind/db.relsoft.in:19: ignoring out-of-zone data (ns2)
zone relsoft.in/IN: NS 'ns1.relsoft.in' is a CNAME (illegal)
zone relsoft.in/IN: NS 'ns2.relsoft.in' is a CNAME (illegal)
zone relsoft.in/IN: not loaded due to errors.


Now, I need to edit /etc/resolv.conf:

#cat /etc/resolv.conf
search drjoel.in
nameserver 199.167.31.14

Here, the nameserver is the IP of this server.

Once done, restart bind9:

service bind9 restart

Adding a second domain to use the same nameserver: the zone files etc. are created just as before. The only difference is in the resolv.conf file, which now looks like:

cat /etc/resolv.conf
search drjoel.in relsoft.in
nameserver 199.167.31.14

Note that relsoft.in has been added.

Adding a vanity DNS server:

#cat /var/lib/bind/db.relsoft.in
relsoft.in.       IN      SOA     ns1.joel.co.in. admin.relsoft.in. (
                   2007010401           ; Serial
                         3600           ; Refresh [1h]
                          600           ; Retry   [10m]
                        86400           ; Expire  [1d]
                          600 )         ; Negative Cache TTL [10m]
;
relsoft.in.     IN      NS      ns1.relsoft.in.
relsoft.in.     IN      NS      ns2.relsoft.in.
relsoft.in.     IN      MX      10 aspmx.l.google.com.
relsoft.in.     IN      MX      20 alt1.aspmx.l.google.com.
relsoft.in.     IN      MX      20 alt2.aspmx.l.google.com.
relsoft.in.     IN      MX      30 aspmx2.googlemail.com.
relsoft.in.     IN      MX      30 aspmx3.googlemail.com.
relsoft.in.     IN      MX      30 aspmx4.googlemail.com.
relsoft.in.     IN      A       198.23.228.223
www.relsoft.in. IN      A       198.23.228.223
ns1.relsoft.in. IN      A       199.167.31.14
ns2.relsoft.in. IN      A       38.114.103.106
mail.relsoft.in.        3600    IN      CNAME   ghs.google.com.
*.relsoft.in.   3600    IN      CNAME   relsoft.in.


zone "relsoft.in" {
     type master;
     file "/var/lib/bind/db.relsoft.in";
     allow-update { key rndc-key; };
     allow-transfer { 199.167.31.14; };
};

Note the line:

allow-transfer { 199.167.31.14; };

Also note that the zone file for relsoft.in has A records for ns1 and ns2 pointing to the IPs of the actual nameservers (ns1.joel.co.in and ns2.joel.co.in), as drjoel.in did. But in addition, the NS records now point to ns1.relsoft.in instead of ns1.joel.co.in. That's a vanity DNS server: it looks as if relsoft.in has its own nameserver, while in reality it is using the ns1.joel.co.in nameserver.

Before adding a Vanity server:

#dig ANY relsoft.in

; <<>> DiG 9.9.2-P1 <<>> ANY relsoft.in
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20966
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 2, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;relsoft.in.                    IN      ANY

;; ANSWER SECTION:
relsoft.in.             600     IN      A       198.23.228.223
relsoft.in.             600     IN      MX      30 aspmx3.googlemail.com.
relsoft.in.             600     IN      MX      20 alt1.aspmx.l.google.com.
relsoft.in.             600     IN      MX      30 aspmx4.googlemail.
relsoft.in.             600     IN      MX      10 aspmx.l.google.com.
relsoft.in.             600     IN      MX      30 aspmx2.googlemail.com.
relsoft.in.             600     IN      MX      20 alt2.aspmx.l.google.com.
relsoft.in.             600     IN      SOA     ns1.joel.co.in. admin.relsoft.in. 2007010401 3600 600 86400 600
relsoft.in.             600     IN      NS      ns2.joel.co.in.
relsoft.in.             600     IN      NS      ns1.joel.co.in.

;; AUTHORITY SECTION:
relsoft.in.             600     IN      NS      ns1.joel.co.in.
relsoft.in.             600     IN      NS      ns2.joel.co.in.

;; ADDITIONAL SECTION:
alt2.aspmx.l.google.com. 42     IN      A       173.194.64.27
alt2.aspmx.l.google.com. 70     IN      AAAA    2607:f8b0:4003:c02::1a
aspmx3.googlemail.com.  100     IN      A       173.194.64.27
ns1.joel.co.in.         85648   IN      A       199.167.31.14
ns2.joel.co.in.         920     IN      A       38.114.103.106

;; Query time: 163 msec
;; SERVER: 89.233.43.71#53(89.233.43.71)
;; WHEN: Sun May  5 07:26:17 2013
;; MSG SIZE  rcvd: 427

After:

#dig ANY relsoft.in

; <<>> DiG 9.9.2-P1 <<>> ANY relsoft.in
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55308
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;relsoft.in.                    IN      ANY

;; ANSWER SECTION:
relsoft.in.             600     IN      A       198.23.228.223
relsoft.in.             600     IN      MX      30 aspmx3.googlemail.com.
relsoft.in.             600     IN      MX      20 alt2.aspmx.l.google.com.
relsoft.in.             600     IN      MX      20 alt1.aspmx.l.google.com.
relsoft.in.             600     IN      MX      30 aspmx2.googlemail.com.
relsoft.in.             600     IN      MX      10 aspmx.l.google.com.
relsoft.in.             600     IN      MX      30 aspmx4.googlemail.com.
relsoft.in.             600     IN      SOA     ns1.joel.co.in. admin.relsoft.in. 2007010401 3600 600 86400 600
relsoft.in.             600     IN      NS      ns1.relsoft.in.
relsoft.in.             600     IN      NS      ns2.relsoft.in.

;; AUTHORITY SECTION:
relsoft.in.             600     IN      NS      ns2.relsoft.in.
relsoft.in.             600     IN      NS      ns1.relsoft.in.

;; ADDITIONAL SECTION:
alt2.aspmx.l.google.com. 115    IN      AAAA    2607:f8b0:4003:c02::1a

;; Query time: 353 msec
;; SERVER: 89.233.43.71#53(89.233.43.71)
;; WHEN: Sun May  5 07:45:14 2013
;; MSG SIZE  rcvd: 357

Note that:

relsoft.in.             600     IN      NS      ns1.joel.co.in.
relsoft.in.             600     IN      NS      ns2.joel.co.in.

has been replaced by:

relsoft.in.             600     IN      NS      ns2.relsoft.in.
relsoft.in.             600     IN      NS      ns1.relsoft.in.

Troubleshooting

Immediately after editing records, you have to check for syntax errors with:

named-checkconf
named-checkzone kgimoa.com /var/lib/bind/db.kgimoa.com


Checking error logs:

Bind9 error logs on Debian are written to /var/log/daemon.log:

#tail -n 10 /var/log/daemon.log
May  5 07:41:21 ns1 named[5846]: zone drjoel.in/IN: loaded serial 2007010401
May  5 07:41:21 ns1 named[5846]: /var/lib/bind/db.relsoft.in:1: no TTL specified; using SOA MINTTL instead
May  5 07:41:21 ns1 named[5846]: /var/lib/bind/db.relsoft.in:17: ignoring out-of-zone data (www)
May  5 07:41:21 ns1 named[5846]: zone relsoft.in/IN: loaded serial 2007010401
May  5 07:41:21 ns1 named[5846]: zone localhost/IN: loaded serial 2
May  5 07:41:21 ns1 named[5846]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
May  5 07:41:21 ns1 named[5846]: managed-keys-zone ./IN: loaded serial 0
May  5 07:41:21 ns1 named[5846]: running
May  5 07:41:21 ns1 named[5846]: zone drjoel.in/IN: sending notifies (serial 2007010401)
May  5 07:41:21 ns1 named[5846]: zone relsoft.in/IN: sending notifies (serial 2007010401)

Automating nameserver synchronization

You can run rsync from cron. Example on my primary nameserver:

#crontab -l
# m h  dom mon dow   command
*/5 * * * * /usr/bin/rsync -az /var/lib/bind [email protected]:/var/lib/bind
*/5 * * * * /usr/bin/rsync -az /etc/bind/named.conf.local [email protected]:/etc/bind/named.conf.local

Those two lines are enough to sync DNS entries between the two nameservers. In terms of redundancy, I’m not sure how right I am, since if one of the servers has wrong entries, both entries get corrupt. However, since nameserver records are supposed to be identical, this is the only way I can assure that they are in sync perfectly.

Summary: creating a new zone file (checklist)

  1. Create the zone file from scratch or a template
  2. Edit the zone file and add proper entries
  3. Check the zone file with named-checkzone
  4. Create the entries for the zone file in /etc/bind/named.conf.local
  5. Restart bind9 manually, or optionally create a cron job that restarts it every x minutes
  6. Optionally create a symbolic link to /home.
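Steps 3 to 5 of this checklist, together with the named-checkconf / named-checkzone step from the troubleshooting section, as an added example that is not the post's own script: it pulls every zone/file pair out of named.conf.local, checks that each SOA serial is a ten-digit YYYYMMDDNN value, runs named-checkzone when it is installed, and only restarts bind9 when everything passes. The default paths are the Debian ones used on this page; the config and zone files in the demo are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): validate every zone listed in
# named.conf.local before restarting BIND, so one typo cannot take the
# nameserver down.
set -u

# Print "zonename zonefile" for each zone block that names a file.
parse_zones() {
    awk '
        /^[ \t]*zone[ \t]+"/ {
            match($0, /"[^"]+"/); zone = substr($0, RSTART + 1, RLENGTH - 2)
        }
        /^[ \t]*file[ \t]+"/ && zone != "" {
            match($0, /"[^"]+"/); print zone, substr($0, RSTART + 1, RLENGTH - 2); zone = ""
        }' "$1"
}

# Print the SOA serial of zone file $1: the first number after the SOA keyword,
# whether the record is on one line or in the parenthesised multi-line form.
# Secondaries only fetch a zone again when this number goes up.
zone_serial() {
    awk '
        { sub(/;.*/, "") }                       # drop zone-file comments
        !found { for (i = 1; i <= NF; i++) if ($i == "SOA") { found = 1; start = i + 1; break } }
        found  { for (i = start; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit }; start = 1 }
    ' "$1"
}

# Check one zone. Returns 1 if the file is missing, the serial is not a
# ten-digit YYYYMMDDNN value, or named-checkzone (when present) rejects it.
check_zone() {
    local zone=$1 file=$2 serial
    [ -r "$file" ] || { echo "MISSING  $zone: $file"; return 1; }
    serial=$(zone_serial "$file")
    case $serial in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "BAD SERIAL  $zone: '$serial' (expected YYYYMMDDNN)"; return 1 ;;
    esac
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$zone" "$file" || { echo "FAIL  $zone ($file)"; return 1; }
    fi
    echo "OK  $zone serial $serial"
}

# Check every zone the config lists; restart bind9 only if all of them pass
# and we are looking at the real config rather than a test copy.
check_and_reload() {
    local conf=${1:-/etc/bind/named.conf.local} rc=0 zone file
    while read -r zone file; do
        [ -n "$zone" ] || continue
        check_zone "$zone" "$file" || rc=1
    done <<EOF
$(parse_zones "$conf")
EOF
    [ "$rc" -eq 0 ] || { echo "not restarting: fix the errors above"; return 1; }
    if [ "$conf" = /etc/bind/named.conf.local ]; then
        named-checkconf && service bind9 restart   # the post's own check and restart commands
    fi
}

# Stand-alone demo on a constructed config with one good and one bad zone.
demo() {
    local d; d=$(mktemp -d)
    printf '$TTL 600\n@ IN SOA ns1.joel.co.in. admin.drjoel.in. (\n  2007010401 ; Serial\n  3600 600 86400 600 )\n@ IN NS ns1.joel.co.in.\n@ IN A 198.23.228.223\n' > "$d/db.drjoel.in"
    printf '@ IN SOA ns1. admin. ( 1 3600 600 86400 600 )\n@ IN NS ns1.\n' > "$d/db.relsoft.in"   # serial 1 is not YYYYMMDDNN
    printf 'zone "drjoel.in" {\n  type master;\n  file "%s/db.drjoel.in";\n};\nzone "relsoft.in" {\n  type master;\n  file "%s/db.relsoft.in";\n};\n' "$d" "$d" > "$d/named.conf.local"
    check_and_reload "$d/named.conf.local" || true
    rm -rf "$d"
}
demo
```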


Set up a new ssh user or sftp account

Assuming you have root access to your server, you can create new users who can ssh into it or transfer files via sftp.

First create the user:

useradd newuser

Set the password for the user:

passwd newuser

Create a home directory for the user:

mkdir /home/newuser

Add required ssh keys for the user:

[[email protected]] ~ #ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /home/newuser/.ssh/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/newuser/.ssh/id_rsa.
Your public key has been saved in /home/newuser/.ssh/id_rsa.pub.
The key fingerprint is:
19:ec:fe:81:a2: [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|   ....          |
|  o t  .         |
|   *p   o        |
|  . o  . o       |
|   . .  S        |
|    E    o       |
|   .  . + .      |
| .o667 o . .     |
| .==o   ...      |
+-----------------+

Authorize the newly added public key:

cat /home/newuser/.ssh/id_rsa.pub > /home/newuser/.ssh/authorized_keys

Alternately, authorize the key by the following commands:

exec ssh-agent bash
ssh-add /path/to/key

Now, you need to send the private key (id_rsa) to your new user, or give them their password.

Your users will now be able to connect. Make sure that they connect on the correct port:

[[email protected]] #netstat -tulpn | grep 'ssh'
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      602/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      602/sshd

The 22 shows that port 22 is used for ssh on this server.

The port may be changed by editing /etc/ssh/sshd_config:

#grep -i 'port' /etc/ssh/sshd_config
# What ports, IPs and protocols we listen for
Port 22


SSH into a server with an alternate key

When you have more than one private key, you need to add the alternate key for authentication. The preferred method is to do a:

ssh-add ~/.ssh/alternate_private_keyfile


However, in certain cases you may need to do this for each session, or there may be cases where you don't have permission to execute this on the server. In such cases, you can make the key available by adding the parameters for the key to the file ~/.ssh/config. Create this file if it doesn't exist.

emacs ~/.ssh/config


In the file, add the following line, modified for the path of your private key file:

IdentityFile ~/.ssh/id_dsa_xda
IdentityFile ~/.ssh/sourceforge_droidzonedroidzone

Here, two keys are being added to the client.

The third way is to specify the key file with the '-i' option while sshing or doing an scp. Tedious, but it can be avoided by the method described above.

Note that after copying any key into .ssh/, you have to remove read/write access for group and others with:

chmod 600 ~/.ssh/keyfile


SSH access, generating and using SSH keys (Linux)

Generating the SSH key

ssh-keygen -t rsa


[[email protected]]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/droidzone/.ssh/id_rsa): /home/droidzone/.ssh/id_rsa_hostgator_ubuntu
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/droidzone/.ssh/id_rsa_hostgator_ubuntu.
Your public key has been saved in /home/droidzone/.ssh/id_rsa_hostgator_ubuntu.pub.
The key fingerprint is:
1a:24:ff:8d:f0:8a:64:c4:7a:de:d1:8f:15:5a:55:c5 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
+-----------------+

Now, you can view your public key with:

cat /home/droidzone/.ssh/id_rsa_hostgator_ubuntu.pub

Logging in to the server

You can login to the server using your password with:

ssh -p 2222 [email protected]

Here, myusername is my user name (obviously), and 174.12.1.7 is the IP address of the host.

[[email protected]]$ ssh -p 2222 [email protected]
[email protected]'s password: 
Last login: Thu Sep 2 12:06:19 2012 from 9.3.34.8

[hostgator ~]$

Adding the key to the remote server

Now that you have confirmed the server credentials and generated a public/private key pair, you want to create a passwordless login to access the server quickly from your machine.

You have already created the pair, so the next step is to transfer your public key to the server. You can do this by manually adding the public key to your server’s ~/.ssh/authorized_keys2 or ~/.ssh/authorized_keys (newer). Just do a:

ls -l ~/.ssh

and see which file your server uses.

You should now copy the entire text shown by:

cat /home/droidzone/.ssh/id_rsa_hostgator_ubuntu.pub

and append it to the end of the remote server's ~/.ssh/authorized_keys2 or ~/.ssh/authorized_keys. For this you can open the relevant file in emacs:

emacs ~/.ssh/authorized_keys2

At the end of the current last line (last letter), press Enter.

Paste with Ctrl-Shift-V (i.e paste the new public key as the last line).

Save the file with Ctrl-X Ctrl-C.

Now, you can do a passwordless login to the server with:

ssh -i ~/.ssh/id_rsa_hostgator_ubuntu -p 2222 [email protected]

Here, id_rsa_hostgator_ubuntu is your private key file. You can of course automate this with a bash script.

Adding an ssh key to a remote server with a single command:

Generate key:

ssh-keygen -t rsa

Add the key:

cat ~/.ssh/id_rsa.pub | ssh [email protected] 'cat >> .ssh/authorized_keys'
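The append-to-authorized_keys step used just above, in the multi-server post, and in the key-authentication post at the top of the page, as an added example that is not code from the original posts: it installs a public key only once, creates .ssh with the permissions sshd's StrictModes (the default) requires, and reports the permission problems that make sshd silently ignore the key. The paths and the sample key in the demo are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): idempotent authorized_keys
# install plus the permission check sshd performs under StrictModes.
set -u

# Print "type base64" for the first key line in a public-key file, ignoring
# the trailing comment so the same key with a different comment still matches.
key_body() {
    awk 'NF >= 2 && $1 !~ /^#/ { print $1, $2; exit }' "$1"
}

# Append the key in pubkey file $1 to authorized_keys file $2 unless it is
# already present. Creates the .ssh directory (700) and the file (600).
install_authorized_key() {
    local pubkey_file=$1 auth_keys=$2 ssh_dir body
    ssh_dir=$(dirname "$auth_keys")
    body=$(key_body "$pubkey_file")
    [ -n "$body" ] || { echo "no public key found in $pubkey_file" >&2; return 1; }
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_keys" && chmod 600 "$auth_keys" || return 1
    if grep -qF -- "$body" "$auth_keys"; then
        echo "already present: $auth_keys"
        return 0
    fi
    # A blind 'cat >> authorized_keys' glues onto a last line that lacks a
    # newline; add one first so the new key always starts on its own line.
    if [ -s "$auth_keys" ] && [ -n "$(tail -c 1 "$auth_keys")" ]; then
        echo >> "$auth_keys"
    fi
    awk 'NF >= 2 && $1 !~ /^#/ { print; exit }' "$pubkey_file" >> "$auth_keys"
    echo "installed: $auth_keys"
}

# How many times the key from pubkey file $1 occurs in authorized_keys $2.
count_key() {
    local body
    body=$(key_body "$1")
    [ -n "$body" ] || { echo 0; return; }
    grep -cF -- "$body" "$2" || true
}

# Report what makes sshd (StrictModes yes) ignore $1/authorized_keys: a group-
# or world-writable .ssh directory, or a keys file that is not mode 600.
# Prints one line per problem and returns 1 if there is any.
check_ssh_perms() {
    local ssh_dir=$1 rc=0 mode low
    mode=$(stat -c '%a' "$ssh_dir")
    low=${mode#"${mode%??}"}            # last two octal digits: group, other
    case $low in
        [2367]?|?[2367]) echo "$ssh_dir is mode $mode (group/world writable)"; rc=1 ;;
    esac
    mode=$(stat -c '%a' "$ssh_dir/authorized_keys")
    [ "$mode" = 600 ] || { echo "$ssh_dir/authorized_keys is mode $mode, should be 600"; rc=1; }
    return $rc
}

# Stand-alone demo in a temporary directory with a constructed (not real) key.
demo() {
    local d; d=$(mktemp -d)
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBodyNotARealKey00000000 joel@laptop' > "$d/key.pub"
    install_authorized_key "$d/key.pub" "$d/.ssh/authorized_keys"
    install_authorized_key "$d/key.pub" "$d/.ssh/authorized_keys"   # second run is a no-op
    echo "occurrences: $(count_key "$d/key.pub" "$d/.ssh/authorized_keys")"
    chmod 770 "$d/.ssh"
    check_ssh_perms "$d/.ssh" || echo "sshd would ignore this authorized_keys"
    rm -rf "$d"
}
demo
```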
