Procedure for Creating Transparent SSH Logins

Preconditions:

For this example, we will use the following names:


Local Workstation Username: luid
Local Workstation Hostname: lhost
Remote Host Username: ruid
Remote Host Hostname: rhost

The password tokens will be:

Local Workstation Key-Pair Passphrase: lwkpp
Remote Host User Account Password: rhuap

Be sure to substitute the real usernames, hostnames, and passwords when performing this procedure.

Instructions

  1. At a command prompt in the $HOME directory of the user account on the local workstation, use the 'ssh-keygen' command to generate a key pair:
    	ssh-keygen -t dsa -b 2048 -f ~/.ssh/id_dsa
          
  2. Enter a [new] passphrase for the newly generated key. In this example, we use 'lwkpp' - in practice, a longer, more secure passphrase should be used. Note that SSH passphrases may contain any characters, including spaces and punctuation, so a passphrase can be a readable, memorable phrase in plain language.

Note 1:  The ~/.ssh Directory

Typically any user account that uses OpenSSH to connect to other hosts will have a hidden directory called .ssh in the user's $HOME directory. The permissions on this hidden directory must be correctly set in order for SSH to function correctly. The only acceptable permission set for .ssh is 0700 – that is: owner read/write/execute permissions only. Note that the files in the directory should be set to 0600, since the execute bit only needs to be set on the directory. If there are sub-directories under .ssh, those, too, will need the execute bit set (0700).

Either of the ssh commands – ssh or ssh-keygen – should create the .ssh directory when run for the first time on the user's account.

Otherwise, use the mkdir command to make directories, and the chmod command to change permissions. See the system man pages for more about those commands (i.e., use the commands man mkdir and man chmod).


Note 2: The ssh-copy-id Script

Below (between the cut lines) is the source code of the 'ssh-copy-id' script provided by the OpenSuSE OpenSSH package. This script should work on most *nix systems where SSH is installed, and may work for Cygwin installs, as well.

The instructions below show the Bash command to perform the designated operation.

  1. Copy and paste the source from between the cut lines into a new file.
  2. Save the file as ssh-copy-id
  3. Mark the newly saved file as executable:
    	chmod +x ssh-copy-id
          
  4. Place the executable file in the user's path, for example:

    	sudo cp ssh-copy-id /usr/bin/

    or even, if you don't have sudo privileges (and ~/bin is on your PATH):

    	cp ssh-copy-id ~/bin/

Source code for ssh-copy-id:

    =====[cut here]=====
    #!/bin/sh

    # Shell script to install your identity.pub on a remote machine
    # Takes the remote machine name as an argument.
    # Obviously, the remote machine must accept password authentication,
    # or one of the other keys in your ssh-agent, for this to work.

    ID_FILE="${HOME}/.ssh/identity.pub"

    if [ "-i" = "$1" ]; then
      shift
      # check if we have 2 parameters left, if so the first is the new ID file
      if [ -n "$2" ]; then
        if expr "$1" : ".*\.pub" > /dev/null ; then
          ID_FILE="$1"
        else
          ID_FILE="$1.pub"
        fi
        shift         # and this should leave $1 as the target name
      fi
    else
      if [ x$SSH_AUTH_SOCK != x ] ; then
        GET_ID="$GET_ID ssh-add -L"
      fi
    fi

    if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then
      GET_ID="cat ${ID_FILE}"
    fi

    if [ -z "`eval $GET_ID`" ]; then
      echo "$0: ERROR: No identities found" >&2
      exit 1
    fi

    if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
      echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2
      exit 1
    fi

    { eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1

    cat <<EOF
    Now try logging into the machine, with "ssh '$1'", and check in:

      .ssh/authorized_keys

    to make sure we haven't added extra keys that you weren't expecting.

    EOF
    =====[cut here]=====
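As an added example (not part of this page's procedure and not code from the OpenSSH package), the POSIX shell functions below audit and repair the ~/.ssh permission rules from Note 1, and append a public key to authorized_keys the way the script's remote command does (umask 077, create the directory if needed), but only when the same key is not already present, which covers the "extra keys" check the script asks you to make by hand. The directory names and the key line used in the comments are constructed; the functions assume plain "type base64 [comment]" lines without a leading options field.

```shell
#!/bin/sh
# Added example, not part of the original procedure or of the OpenSSH package.

# check_ssh_dir DIR: enforce the rules from Note 1 (DIR 0700, sub-directories
# 0700, regular files 0600); print each offender and return 1 if any is found.
check_ssh_dir() {
  dir="$1"
  [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
  bad=$( { find "$dir" -maxdepth 0 ! -perm 700
           find "$dir" -mindepth 1 -type d ! -perm 700
           find "$dir" -mindepth 1 -type f ! -perm 600; } )
  [ -z "$bad" ] && return 0
  printf 'wrong permissions on:\n%s\n' "$bad" >&2
  return 1
}

# fix_ssh_dir DIR: apply the same rules with chmod (what Note 1 tells you to
# do by hand with mkdir and chmod).
fix_ssh_dir() {
  chmod 700 "$1"
  find "$1" -mindepth 1 -type d -exec chmod 700 {} +
  find "$1" -mindepth 1 -type f -exec chmod 600 {} +
}

# add_authorized_key DIR "KEY LINE": same effect as the script's remote command
# "umask 077; test -d .ssh || mkdir .ssh; cat >> .ssh/authorized_keys", except
# that a key whose type and key material are already listed is not appended
# again, so re-running the procedure cannot create duplicate entries.
# Assumes lines of the form "type base64 [comment]" (no options prefix).
# Returns 0 when the key was added, 2 when it was already present.
add_authorized_key() {
  dir="$1"; key="$2"
  keyid=$(printf '%s\n' "$key" | awk '{print $1, $2}')
  # umask 077 makes a new .ssh 0700 and a new authorized_keys 0600
  ( umask 077; [ -d "$dir" ] || mkdir "$dir"; touch "$dir/authorized_keys" )
  if awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' \
       "$dir/authorized_keys"; then
    echo "key already present in $dir/authorized_keys, not adding" >&2
    return 2
  fi
  printf '%s\n' "$key" >> "$dir/authorized_keys"
}
```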