HPUX : Generation and Distribution of SSH KEY

Machine1 (user1) wants to login Machine2 (user2) without password.

To configure public-key authentication, follow these steps:

1.      To generate RSA key pairs, run the following command on the Machine1 as user1:

#  mkdir  ~/.ssh

#  ssh-keygen -t rsa

2.      The following output is displayed:

Generating public/private rsa key pair. Enter file in which to save the key (//.ssh/id_rsa):<Press Enter> Enter passphrase (empty for no passphrase): <Press Enter> Enter same passphrase again: <Press Enter> Your identification has been saved in /tmp/hi. Your public key has been saved in /tmp/hi.pub. The key fingerprint is: 84:7d:f5:dd:88:f7:53:88:8a:6e:f7:85:04:28:6e:ed root@<hostname>

4.  

5.      HP-UX Secure Shell generates the key pairs id_rsa and id_rsa.pub and stores them in the $HOME/.ssh directory on the Machine1 system.

6.      Set the following configuration directive in the /opt/ssh/etc/sshd_config configuration file on the Machine1 system:

PubkeyAuthentication yes

8.  

9.      To ensure that the permissions of the home directory of the Machine1, the $HOME/.ssh directories, and all files under the $HOME/.ssh directory match the permissions listed in Table 4-2, run the following commands:

10.  

# ll -d $HOME # ll -d $HOME/.ssh #ll $HOME/.ssh/

11.  Table 4-2 lists the specific permissions for these files and directories.

12.  Table 4-2 Permissions for the Machine1 Files and Directories

File/Directory	Permissions
$HOME (home directory)	drwx------    or drwxr-xr-x
$HOME/.ssh	drwx------   or drwxr--r--
$HOME/.ssh/id_rsa and id_dsa	-rw-r--r--    or -rw------
$HOME/.ssh/id_rsa.pub and id_dsa.pub	-rw-r--r-- or -rw------
$HOME/.ssh/config	-rwx------

· 
#mkdir ~/.ssh  [Run this command in Machine2 as user2]
Now the below commands in Machine1 as user1:
#cat $HOME/.ssh/id_dsa.pub |ssh  user2@Machine2  ‘cat - >> $HOME/.ssh/authorized_keys

The following output is displayed:

The authenticity of host ’remoteuser.remotehost (15.70.189.130)’ can’t be established RSA key fingerprint is 2a:c9:77:ad:d5:d3:ef:c3:1e:12:12:9e:3a:9f:c0:38. Are you sure you want to continue connecting (yes/no)?

· Enter yes to continue with the connection. The following message is displayed:

Enter no if you do not want to continue with the connection.
·  To enable public-key authentication, set the following directive in the Machine2 configuration file /opt/ssh/etc/sshd_config:

PubkeyAuthentication yes

·  Set the directory and file permissions on the Machine2 as specified in Table 4-3.

Table 4-3 Permissions for the Machine2 Files and Directories

File/Directory	File Permission
$HOME (home directory)	drwx------    or drwxr-xr-x
$HOME/.ssh	drwx------   or drwxr--r--
$HOME/.ssh/authorized_keys and $HOME/.ssh/authorized_keys2	-rw-r--r--    or -rw------

	NOTE: The $HOME and $HOME/.ssh directories, and all the files in the $HOME/.ssh directories must be owned by the respective users whose home directories they are.

· To connect to the Machine2 (user2), run the following command in Machine1 as user1:

$ ssh Machine2

The Machine2 does not prompt for the password. The secure connection is established between the Machine2 and the Machine1.

In order to set up ssh to only accept login by public key and not interactive login, the following changes are needed to sshd_config

PermitRootLogin without-password

Change: (remove the # and save the file)
#PubkeyAuthentication yes
to
PubkeyAuthentication yes
You must restart the sshd daemon next to implement:

/sbin/init.d/secsh stop
/sbin/init.d/secsh start
Make sure you have placed a public key file from a system you want to login and tested it first or your access will be console, hands on the keyboard only. That can be a big problem on remote systems.