Create a new user and allow ssh access

useradd -g group_name nyeates
passwd nyeates
su - nyeates
mkdir -p ~/.ssh && chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys # paste public key in this file (one key per line), then chmod 600 it
 
/etc/ssh/sshd_config # main config file for the ssh daemon (sshd) settings

Setup remote SSH keypair connection

This explains how to set up SSH key authentication to remote unix servers. Basically you can SSH into a shell without having to remember the password. The remote server has your public key, and your local machine has the matching private key. The remote server can verify you are legit by checking that you hold the private key matching the public key it has on file; the private key itself never leaves your machine.

1) Make a new SSH keypair (public & private)

  • ssh-keygen -b 1024
    • makes ~/.ssh/id_rsa and id_rsa.pub
    • Can also use option -b 2048 for longer, more secure keys

2) See public key

  • cat ~/.ssh/*.pub

3) Give public key to server you want access to

Get the key into the server's authorized_keys file

  • Method 1: Secure copy it over
    • scp ~/.ssh/id_rsa.pub remoteuser@remotehost:~/
      ssh remoteuser@remotehost
      cat id_rsa.pub >> ~/.ssh/authorized_keys
      rm id_rsa.pub
      exit
       
      ssh remoteuser@remotehost (no password needed now!)
  • Method 2: Copy/paste it over
    • login to remote server (ssh)
    • nano ~/.ssh/authorized_keys
    • add the public key (the output of cat above) on a new line

Howto also located at: http://www.debuntu.org/ssh-key-based-authentication
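As an added example (not from the original page), a POSIX shell function that does step 3 the careful way: it refuses anything that does not look like a public key, creates ~/.ssh and authorized_keys with the permissions sshd's StrictModes requires, and skips a key that is already present instead of appending a duplicate. The function names and the sample key used below are my own.

```shell
#!/bin/sh
# install_authorized_key <pubkey-file> [authorized_keys-path]
# Appends one public key to an authorized_keys file, creating ~/.ssh
# with the permissions sshd requires and refusing duplicates and junk.
install_authorized_key() {
    pubkey_file=$1
    auth_file=${2:-"$HOME/.ssh/authorized_keys"}
    ssh_dir=$(dirname "$auth_file")

    # Only the first line is used; it must look like "<type> <base64> [comment]".
    # This rejects an empty file or a private key pasted by mistake.
    key_line=$(head -n 1 "$pubkey_file") || return 1
    case "$key_line" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not a public key line: $pubkey_file" >&2; return 1 ;;
    esac

    # With StrictModes (the default) sshd ignores authorized_keys if the
    # directory or file is group/world writable, so create both restrictively.
    ( umask 077 && mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" \
        && touch "$auth_file" && chmod 600 "$auth_file" ) || return 1

    # Match on key type and key material only, so the same key with a
    # different comment is still detected as a duplicate.
    key_type=$(printf '%s\n' "$key_line" | awk '{print $1}')
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
    if awk -v t="$key_type" -v b="$key_blob" \
          '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth_file"; then
        echo "key already present in $auth_file" >&2
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# Number of key lines in an authorized_keys file (handy for auditing who has access).
count_keys() {
    grep -c -E '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-[a-z0-9-]+) ' "$1"
}
```

Run it as install_authorized_key ~/id_rsa.pub on the server after copying the .pub file over; it is safe to run more than once.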

More Information

Using the config file for easy access

The following lets you type ssh lms instead of spelling out the user, host and key file each time

In your ~/.ssh/ directory create or edit the config file

Host lms*
        User admin
        KeepAlive yes
        Hostname lms.yeates.com
        IdentityFile ~/awsnickkey.pem

http://linux.die.net/man/5/ssh_config

Reverse tunnel

ssh -R 5501:localhost:22 customer@bastion.host.com
  • Forwards anything that arrives on port 5501 of bastion to port 22 on the local machine this command is run from
  • customer is a special account on the bastion server for others connecting in
ssh nyeates@bastion.host.com
ssh -v -p 5501 remoteuser@localhost
OR
ssh -v -p 5501 '-L*:23502:localhost:80' remoteuser@localhost
  • Connect to bastion, then through the tunnel the customer account opened
  • Second and third commands are to be run from bastion.host.com
  • Third command forwards requests from the service provider's local machine, through bastion's port 23502, to port 80 (web) on the remoteuser's machine. This way you can see a web interface that is exposed on the client side.
http://bastion.host.com:23502/
  • See the remoteuser's web interface

Sudo access for other user

edit /etc/sudoers as root (use visudo, which checks the syntax before saving) and add the following line:

nyeates ALL=(zenoss) NOPASSWD: ALL

It will allow the nyeates user to run any command as user zenoss, without a password prompt.

technology/unix/ssh_key_auth.txt · Last modified: 05.25.2010 10:09 by nyeates1