====== Create a new user and allow ssh access ======

<code bash>
useradd -g group_name nyeates
passwd nyeates
su - nyeates
cd $HOME/.ssh
nano authorized_keys       # paste the public key into this file
/etc/ssh/sshd_config       # important file for ssh server settings
</code>

====== Setup remote SSH keypair connection ======

This explains how to set up SSH key authentication to remote unix servers. Basically you can SSH into a shell without having to remember the password. The remote server has your public key, and your local machine has the matching private key. The remote server can verify you are legit by checking whether the public key it holds matches the private key that you keep secret.

===== 1) Make a new SSH keypair (public & private) =====

  * ''ssh-keygen -b 1024''
  * makes ''~/.ssh/id_rsa'' and ''id_rsa.pub''
  * Can also use option ''-b 2048'' for longer, more secure keys

===== 2) See public key =====

  * ''cat ~/.ssh/*.pub''

===== 3) Give public key to server you want access to =====

==== Get file to server's authorized_keys file ====

  * Method 1: Secure copy it over

<code bash>
scp ~/.ssh/id_rsa.pub remoteuser@remotehost:~/
ssh remoteuser@remotehost
cat id_rsa.pub >> ~/.ssh/authorized_keys
rm id_rsa.pub
exit
ssh remoteuser@remotehost     # no password needed now!
</code>

  * Method 2: Copy/paste it over
    * log in to the remote server (ssh)
    * ''nano authorized_keys''
    * add the public key on a new line (from the ''cat'' above)

Howto also located at: http://www.debuntu.org/ssh-key-based-authentication

====== More Information ======

===== Using the config file for easy access =====

The following allows the shortcut ''ssh lms'' to be used. In your ''~/.ssh/'' directory create or edit the ''config'' file:

<code>
Host lms*
    User admin
    KeepAlive yes
    Hostname lms.yeates.com
    IdentityFile ~/awsnickkey.pem
</code>

http://linux.die.net/man/5/ssh_config

===== Reverse tunnel =====

<code bash>
ssh -R 5501:localhost:22 customer@bastion.host.com
</code>

  * Forwards anything that comes in to port 5501 on bastion to port 22 on the local machine this command is run from
  * ''customer'' is a special account for others connecting in; it is an account on the bastion server

<code bash>
ssh nyeates@bastion.host.com
ssh -v -p 5501 remoteuser@localhost
# OR
ssh -v -p 5501 '-L*:23502:localhost:80' remoteuser@localhost
</code>

  * Connect to bastion and then to the customer
  * The second and third commands are run from bastion.host.com
  * The third command forwards requests from the service provider's local machine, through bastion's port 23502, to the remote user's port 80 (web). This way you can see a web interface that is exposed on the client side.

http://bastion.host.com:23502/

  * See the remote user's web interface

===== Sudo access for other user =====

Edit ''/etc/sudoers'' as root and add the following line:

<code>
nyeates ALL=(zenoss) NOPASSWD: ALL
</code>

It will allow the ''nyeates'' user to run any command as user ''zenoss'', without a password prompt.
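The ''cat id_rsa.pub >> ~/.ssh/authorized_keys'' step in section 3 above assumes ''~/.ssh'' already exists with permissions sshd accepts, and appends a duplicate each time it is repeated. The following is an added example (not part of the original howto) of a POSIX shell function that installs a public key the way that step intends while creating the directory, fixing the permissions ''StrictModes'' requires, and skipping keys already present; the function name ''install_pubkey'' and the sample key in the test are constructed.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS
# Appends the key in PUBKEY_FILE to AUTHORIZED_KEYS exactly once and sets the
# modes sshd's StrictModes checks (directory 700, file 600). Hypothetical helper.
install_pubkey() {
  pubkey_file="$1"
  auth_keys="$2"
  ssh_dir=$(dirname "$auth_keys")

  # A .pub file is a single line: key type, base64 blob, optional comment.
  key_line=$(head -n 1 "$pubkey_file")
  case "$key_line" in
    ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
    *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
  esac

  # Create ~/.ssh and authorized_keys with the permissions sshd insists on;
  # a group- or world-writable directory makes sshd ignore the file silently.
  mkdir -p "$ssh_dir"
  chmod 700 "$ssh_dir"
  touch "$auth_keys"
  chmod 600 "$auth_keys"

  # Compare type and base64 body only, so a changed comment is not treated
  # as a different key and appended a second time.
  key_body=$(printf '%s\n' "$key_line" | awk '{print $1" "$2}')
  if awk '{print $1" "$2}' "$auth_keys" | grep -qxF "$key_body"; then
    echo "key already present in $auth_keys"
    return 0
  fi
  printf '%s\n' "$key_line" >> "$auth_keys"
  echo "key added to $auth_keys"
}
```

Run it on the server as the target user, e.g. ''install_pubkey ~/id_rsa.pub ~/.ssh/authorized_keys'', in place of the ''cat >>'' line.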