Ssh: Difference between revisions

From LWP-Wiki
 
Line 2: Line 2:


There are two requirements for remote access via ssh.
There are two requirements for remote access via ssh.
# the file /etc/security/access.conf contains a line for your username
# the file /etc/security/access.conf contains a line for your username<br><tt>+ : p123456 : ALL</tt>
  + : p123456 : ALL
# the public part of your ssh key is stored in <tt>~/.ssh/authorized_keys</tt>
# the public part of your ssh key is stored in <tt>~/.ssh/authorized_keys</tt>
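Review bot: the sample rule now inlined in the first list item is still shown without explaining its fields. Consider adding a short gloss after `<tt>+ : p123456 : ALL</tt>` saying that the three colon-separated fields are permission, user and origin, so readers know that they should replace p123456 with their own username and that ALL in the last field permits logins from any origin.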



Revision as of 14:46, 15 April 2015

Summary

There are two requirements for remote access via ssh.

  1. the file /etc/security/access.conf contains a line for your username
    + : p123456 : ALL
  2. the public part of your ssh key is stored in ~/.ssh/authorized_keys

How to add yourself to /etc/security/access.conf

If the id command shows that you are a member of the localadmin group, you can edit the file with your favorite text editor. Otherwise, contact us at lwp@rug.nl.

How to get and manage your ssh keys

You can generate an ssh keypair with the command:

$ ssh-keygen

See the manual for more options. Make sure to protect your private key with a passphrase. The command will tell you where it created the keys. Now copy the public part of the key into your ~/.ssh/authorized_keys file. Assuming you chose the ssh-keygen -t dsa command and accepted the defaults, run:

$ cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys

Now all that is left to do is to use a thumb drive, encrypted e-mail or some other method to get the private key (~/.ssh/id_dsa) onto your other computer. If the other computer runs Linux or OS X, store the file in ~/.ssh/ and it will be picked up automatically when you use the ssh command to connect. If you use Windows and PuTTY for ssh, you can import the key through the PuTTYgen key manager. Note that you can also generate the keypair on your other computer and import the public part of the key into your LWP. Because only the public key is transferred in that case, it is then safe to use unencrypted e-mail.
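The two requirements from the Summary can be checked from a shell before you try to connect. The script below is an added example, not part of the original wiki page; the function names access_allows, key_installed and demo are hypothetical, and the access.conf check is simplified to explicit user names only.

```shell
#!/bin/sh
# Simplification (assumption): only explicit user names in access.conf are
# matched; groups, netgroups, the ALL keyword and EXCEPT are not evaluated.

# access_allows USER [FILE]: succeed if the first rule naming USER is a "+" rule.
access_allows() {
    awk -F: -v user="$1" '
        BEGIN { rc = 1 }                      # default: no rule found, denied
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        {
            perm = $1; gsub(/[ \t]/, "", perm)
            n = split($2, names, " ")         # user field may list several names
            for (i = 1; i <= n; i++)
                if (names[i] == user) { rc = (perm == "+") ? 0 : 1; exit }
        }
        END { exit rc }
    ' "${2:-/etc/security/access.conf}"
}

# key_installed PUBKEY [AUTHFILE]: succeed if the key blob from PUBKEY is listed
# in AUTHFILE and AUTHFILE has mode 600, as set by the chmod step above.
key_installed() {
    auth="${2:-$HOME/.ssh/authorized_keys}"
    blob=$(awk '{ print $2; exit }' "$1") || return 1
    [ -n "$blob" ] || return 1
    case "$(ls -ld "$auth" 2>/dev/null)" in
        -rw-------*) ;;                       # owner read/write only
        *) return 1 ;;
    esac
    grep -qF -- "$blob" "$auth"
}

# Demo on constructed files (not a real key and not a real access.conf).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' '+ : p123456 : ALL' > "$d/access.conf"
    echo 'ssh-rsa AAAAB3CONSTRUCTEDSAMPLEBLOB p123456@lwp' > "$d/id.pub"
    cat "$d/id.pub" >> "$d/authorized_keys"
    chmod 600 "$d/authorized_keys"
    access_allows p123456 "$d/access.conf" &&
        key_installed "$d/id.pub" "$d/authorized_keys"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo && echo "both requirements met"
```

On your LWP, call access_allows with your own username and key_installed with the path to your public key file; both default to the real file locations. The check does not depend on the key type, but note that OpenSSH 7.0 and later disable DSA (ssh-dss) keys by default, so on current systems a key from ssh-keygen -t ed25519 or -t rsa is the better choice.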


FAQ

  • I still get asked for a password?

Yes, this happens when your LWP has been rebooted and you have not logged in at least once since. It can also happen if you have not used your computer for a week. Just try again and you will see that this time it will let you in using your ssh key only.

  • So how does this work?

When you log in you get a Kerberos ticket, which gives you access to a number of services (like reading your home directory) without prompting you for a password every time. The Kerberos ticket is valid for one day initially, but will be extended automatically for up to one week. It will also reinitialize when you type your password (e.g. to unlock your screen). If you reboot your computer or purposefully destroy your Kerberos ticket, you no longer have access to your home directory, and so the ssh command cannot find your public key in the authorized_keys file. It will ask for a password, but unfortunately it will not try to look again for the public key, so access will be denied. However, if you try again (any time in the next week) things will work.

  • Can I get access from anywhere?

Yes, with your p-number you can get access from anywhere.