Stefan Monnier wrote:
>> - create your users key pair on your workstation
>>
>                ^^^^^
>                user's
>
> It may seem like a nitpick, but the plural form could almost make sense
> and mean something else, for someone who doesn't know anything about
> the subject.
>
>
>>    ssh-keygen -t dsa -b 1024
>>
>
> "-b 1024" is the default (if not the only valid value, according to the
> manpage) for DSA, so you can drop it.
>
>
>> - copy the public key securely to your destination server and put it
>>   in ~/.ssh/authorized_keys2
>>
>
> Say explicitly ~/.ssh/id_dsa.pub and say *how* to put in the file.
> BTW, I recommend you use ~/.ssh/authorized_keys without the 2: it's the
> canonical name and "man authorized_keys" works whereas "man
> authorized_keys2" doesn't.
>
>
>> - don't forget to set the correct permissions (number one reason why
>>   this does not work)
>>    chmod 700 ~/.ssh
>>    chmod 600 ~/.ssh/authorized_keys2
>>
>
> AFAIK, authorized_keys doesn't need to be 600 (mine is 644 and seems to
> work just fine). The best way to get the right permissions on .ssh is
> to not make it yourself but let SSH create it for you. A good way to
> create it is to do "ssh-keygen -t dsa". There's no reason not to create
> such a key-pair on every one of your machines.
>
>
>> - in sshd_config set:
>>    PasswordAuthentication no
>>
>
> It's unlikely that your user's working directory will be /etc/ssh at
> this point, so better say explicitly /etc/ssh/sshd_config. Of course,
> this needs to be done as root, which you may want to mention as well.
>
>
>> - restart ssh
>>
>
> Say how. On my Debian machines it's "/etc/init.d/ssh restart", but
> I don't know how universal this is (IIRC it's been
> /etc/init.d/ssh-server or /etc/init.d/openssh or something at some point
> in the past).
>
>
>> Finally, now that you know what user you will always be using to login
>> to your server, make sure ONLY that user can ever login. This is a
>> little more drastic and can have some evil side affects, but I will
>>
>                                                  ^^^^^^^
>                                                  effects
>
> -- Stefan
> _______________________________________________
> mlug mailing list
> [email protected]
> https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
>
When it comes to copying keys, I use ssh-copy-id. Works great and makes
sure filenames and permissions are correct on the receiving side.

Example:
ssh-copy-id -i ~/.ssh/id_rsa.pub remoteservername

David f.
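
The permission point debated in the thread, as an added example that is not part of any message above: with StrictModes enabled, sshd will not use authorized_keys when that file or ~/.ssh is writable by group or others, so 644 on the file passes and 664 does not. The function names are hypothetical, and the ownership and home-directory checks sshd also performs are left out.

```shell
#!/bin/sh
# Added example (not from the thread): flag group- or world-writable paths
# of the kind sshd's StrictModes check rejects.
# Assumption: only the write bits are inspected; ownership and the home
# directory itself are not checked here.

# loose_perms PATH: return 0 if PATH is writable by group or others.
loose_perms() {
    mode=$(ls -ldL "$1" | cut -c1-10)       # e.g. drwx------ or -rw-r--r--
    case "$mode" in
        ?????w????|????????w?) return 0 ;;  # char 6 = group write, char 9 = other write
    esac
    return 1
}

# audit_ssh_dir DIR: inspect DIR (normally ~/.ssh) and DIR/authorized_keys.
# Prints one line per finding and returns 0 only when there are none.
audit_ssh_dir() {
    dir=$1
    status=0
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 1
    fi
    for p in "$dir" "$dir/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            status=1
            continue
        fi
        if loose_perms "$p"; then
            echo "too permissive (group/other writable): $p"
            status=1
        fi
    done
    return $status
}
```

Source the file on the server and run `audit_ssh_dir ~/.ssh` when key login falls back to a password prompt.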
