> - create your users key pair on your workstation
                ^^^^^
                user's

It may seem like a nitpick, but the plural form could almost make sense
and mean something else, for someone who doesn't know anything about
the subject.

> ssh-keygen -t dsa -b 1024

"-b 1024" is the default (if not the only valid value, according to the
manpage) for DSA, so you can drop it.

> - copy the public key securely to your destination server and put it
> in ~/.ssh/authorized_keys2

Say explicitly ~/.ssh/id_dsa.pub and say *how* to put it in the file.
BTW, I recommend you use ~/.ssh/authorized_keys without the 2: it's the
canonical name and "man authorized_keys" works whereas "man
authorized_keys2" doesn't.

> - don't forget to set the correct permissions (number one reason why
> this does not work)
> chmod 700 ~/.ssh
> chmod 600 ~/.ssh/authorized_keys2

AFAIK, authorized_keys doesn't need to be 600 (mine is 644 and seems to
work just fine).  The best way to get the right permissions on .ssh is
to not make it yourself but let SSH create it for you.  A good way to
create it is to do "ssh-keygen -t dsa".  There's no reason not to create
such a key-pair on every one of your machines.

> - in sshd_config set:
> PasswordAuthentication no

It's unlikely that your user's working directory will be /etc/ssh at
this point, so better say explicitly /etc/ssh/sshd_config.  Of course,
this needs to be done as root, which you may want to mention as well.

> - restart ssh

Say how.  On my Debian machines it's "/etc/init.d/ssh restart", but
I don't know how universal this is (IIRC it's been
/etc/init.d/ssh-server or /etc/init.d/openssh or something at some point
in the past).

> Finally, now that you know what user you will always be using to login
> to your server, make sure ONLY that user can ever login.  This is a
> little more drastic and can have some evil side affects, but I will
                                                  ^^^^^^^
                                                  effects

-- Stefan
_______________________________________________
mlug mailing list
https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
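
An added example, not part of the original message or the thread: a small audit of the modes discussed above. With StrictModes enabled (the default), sshd refuses to use authorized_keys when that file, ~/.ssh or the home directory is writable by group or others, so the check below tests for those write bits rather than for one exact mode. The function names are hypothetical and file ownership is assumed to be correct already.

```shell
#!/bin/sh
# Audit the permission bits that sshd's StrictModes check cares about.
# Helper names (loose_mode, audit_ssh_perms) are made up for this example.

# Print the path if it is writable by group or by others.
loose_mode() {
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# audit_ssh_perms HOME_DIR [KEYFILE_NAME]
# Returns 0 when HOME_DIR, HOME_DIR/.ssh and the key file are all safe,
# 1 when at least one of them is too permissive, 2 when one is missing.
audit_ssh_perms() {
    home=$1
    keyfile=${2:-authorized_keys}
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/$keyfile"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            return 2
        fi
        if [ -n "$(loose_mode "$p")" ]; then
            echo "TOO OPEN $p (group/other writable)"
            rc=1
        else
            echo "ok       $p"
        fi
    done
    return $rc
}

# Stand-alone use: sh audit.sh --check
if [ "${1:-}" = "--check" ]; then
    audit_ssh_perms "$HOME"
fi
```

Modes 600 and 644 on the key file both pass; 664 or 666 do not, and neither does a group-writable ~/.ssh.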