Nathaniel Homier 06-09-2008 09:38 AM

Where do you run ssh-keygen, server or client.
 
I have 1 desktop computer (we will call it son) and it runs an ssh
server. When I visit my mother's house I would like to be able to access
(son) from my mother's computer (we will call it mom). I have set up the
ssh server on (son) to use key based authentication. Now the question
is, do I run ssh-keygen on (son) or on (mom)? What I have done on
(son) is:

$ ssh-keygen -t dsa
$ cd .ssh
$ cat id_dsa.pub >> ~/.ssh/authorized_keys

I assume I take my id_dsa.pub to (mom) and hook it up with the latest
Filezilla version and Putty? Or do I do the ssh-keygen on (mom) and add
the "id_dsa.pub" to (son) "~/.ssh/authorized_keys"?

Son Etch
Mom Windows XP Pro

Nate


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Jochen Schulz 06-09-2008 09:59 AM

Where do you run ssh-keygen, server or client.
 
Nathaniel Homier:
>
> I have 1 desktop computer (we will call it son) and it runs an ssh
> server. When I visit my mother's house I would like to be able to access
> (son) from my mother's computer (we will call it mom). I have set up the
> ssh server on (son) to use key based authentication. Now the question
> is, do I run ssh-keygen on (son) or on (mom)? What I have done on
> (son) is:
> $ ssh-keygen -t dsa
> $ cd .ssh
> $ cat id_dsa.pub >> ~/.ssh/authorized_keys

This only allows you to run 'ssh localhost' on son. You could use the
same key (id_dsa + id_dsa.pub) from any other computer and do the same
but I always generate a keypair per machine.

It doesn't matter where you generate the key. The important thing is to
put the contents of id_dsa.pub into the authorized_keys file on the
server.

J.
--
I am not scared of death but terrified of people in Tommy Hilfiger
sweatshirts.
[Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>

"Alan Chandler" 06-09-2008 10:44 AM

Where do you run ssh-keygen, server or client.
 
Jochen Schulz wrote:
> Nathaniel Homier:
>>
>> I have 1 desktop computer (we will call it son) and it runs an ssh
>> server. When I visit my mother's house I would like to be able to access
>> (son) from my mother's computer (we will call it mom). I have set up the
>> ssh server on (son) to use key based authentication. Now the question
>> is, do I run ssh-keygen on (son) or on (mom)? What I have done on
>> (son) is:
>> $ ssh-keygen -t dsa
>> $ cd .ssh
>> $ cat id_dsa.pub >> ~/.ssh/authorized_keys
>
> This only allows you to run 'ssh localhost' on son. You could use the
> same key (id_dsa + id_dsa.pub) from any other computer and do the same
> but I always generate a keypair per machine.
>
> It doesn't matter where you generate the key. The important thing is to
> put the contents of id_dsa.pub into the authorized_keys file on the
> server.

To be clear, you also have to ensure the private part of the key (id_dsa)
is accessible by the client. The name of the file is defined in
/etc/ssh/ssh_config (and effectively defines ~/.ssh/id_dsa as the file).

You can also define a local name for a remote machine and non standard key
files - I regularly SSH into a server I am responsible for on the other
side of the world (melindasbackups.com), and you then put an entry in
~/.ssh/config

I access a host with

ssh mb

This is what is in my config file

Host mb
    HostName melindasbackups.com
    User melindas
    IdentityFile ~/.ssh/melindas_ssh_access_key





--
Alan
(via webmail - means I am away from my computer)
http://www.chandlerfamily.org.uk




Nathaniel Homier 06-09-2008 03:57 PM

Where do you run ssh-keygen, server or client.
 
Alan Chandler wrote:
> Jochen Schulz wrote:
>> Nathaniel Homier:
>>> I have 1 desktop computer (we will call it son) and it runs an ssh
>>> server. When I visit my mother's house I would like to be able to access
>>> (son) from my mother's computer (we will call it mom). I have set up the
>>> ssh server on (son) to use key based authentication. Now the question
>>> is, do I run ssh-keygen on (son) or on (mom)? What I have done on
>>> (son) is:
>>> $ ssh-keygen -t dsa
>>> $ cd .ssh
>>> $ cat id_dsa.pub >> ~/.ssh/authorized_keys
>>
>> This only allows you to run 'ssh localhost' on son. You could use the
>> same key (id_dsa + id_dsa.pub) from any other computer and do the same
>> but I always generate a keypair per machine.
>>
>> It doesn't matter where you generate the key. The important thing is to
>> put the contents of id_dsa.pub into the authorized_keys file on the
>> server.
>
> To be clear, you also have to ensure the private part of the key (id_dsa)
> is accessible by the client. The name of the file is defined in
> /etc/ssh/ssh_config (and effectively defines ~/.ssh/id_dsa as the file).
>
> You can also define a local name for a remote machine and non standard key
> files - I regularly SSH into a server I am responsible for on the other
> side of the world (melindasbackups.com), and you then put an entry in
> ~/.ssh/config
>
> I access a host with
>
> ssh mb
>
> This is what is in my config file
>
> Host mb
>     HostName melindasbackups.com
>     User melindas
>     IdentityFile ~/.ssh/melindas_ssh_access_key

Thank you for the good info, you have made it clear.

Nate



"H.S." 06-09-2008 04:54 PM

Where do you run ssh-keygen, server or client.
 
Nathaniel Homier wrote:
> I have 1 desktop computer (we will call it son) and it runs an ssh
> server. When I visit my mother's house I would like to be able to access
> (son) from my mother's computer (we will call it mom). I have set up the

Here is what I do (I use this method to access my univ lab machines from
home):

1. Generate a key pair on mom (rsa is the newer algo)
$ ssh-keygen -t rsa

2. Copy the public key to the machine you want to log in to
$ ssh-copy-id -i ~/.ssh/id_rsa.pub username@son

3. Then try logging in from mom machine to son machine and verify it works.

4. Note that in the above steps, mom and son are actually machine names
based on their domains. Using Alan's method you can create entries in
~/.ssh/config file to give nicknames to these machines.

->HS

> ssh server on (son) to use key based authentication. Now the question
> is, do I run ssh-keygen on (son) or on (mom)? What I have done on
> (son) is:
>
> $ ssh-keygen -t dsa
> $ cd .ssh
> $ cat id_dsa.pub >> ~/.ssh/authorized_keys
>
> I assume I take my id_dsa.pub to (mom) and hook it up with the latest
> Filezilla version and Putty? Or do I do the ssh-keygen on (mom) and add
> the "id_dsa.pub" to (son) "~/.ssh/authorized_keys"?
>
> Son Etch
> Mom Windows XP Pro
>
> Nate
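
The step the replies above agree on, putting the public half into ~/.ssh/authorized_keys on son, written out as an added shell example (not code from any poster in the thread). It assumes the pair was generated on mom and only the one-line OpenSSH public key is brought over; install_pubkey and the sample key line are constructed for illustration.

```sh
#!/bin/sh
# Added example: install one public key for a user on the server (son).
# install_pubkey "KEY LINE" HOME_DIR   (hypothetical helper, not an OpenSSH tool)
nl='
'
install_pubkey() {
    key=$1 dir=$2/.ssh file=$2/.ssh/authorized_keys
    case $key in
        *"PRIVATE KEY"*)            # the private half never leaves the client
            echo "refused: private key material" >&2; return 2 ;;
        *"BEGIN SSH2 PUBLIC KEY"*)  # RFC 4716 export, e.g. a PuTTYgen saved file
            echo "refused: convert to the one-line OpenSSH form first" >&2; return 3 ;;
        *"$nl"*)
            echo "refused: expected exactly one line" >&2; return 4 ;;
    esac
    type=${key%% *}; rest=${key#* }; blob=${rest%% *}
    case $type in                   # entries with leading options are not handled here
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "refused: unknown key type '$type'" >&2; return 5 ;;
    esac
    case $blob in
        ""|*[!A-Za-z0-9+/=]*) echo "refused: key body is not base64" >&2; return 6 ;;
    esac
    # With StrictModes (the sshd default) the file is ignored if it or ~/.ssh
    # is writable by anyone else, so create both with tight modes.
    old_umask=$(umask); umask 077
    mkdir -p "$dir" && chmod 700 "$dir" && touch "$file" && chmod 600 "$file" \
        || { umask "$old_umask"; return 1; }
    # Append only if this exact line is not already present.
    grep -qxF -- "$key" "$file" || printf '%s\n' "$key" >> "$file"
    umask "$old_umask"
}

# Constructed sample line (not a working key); a temp dir stands in for ~ on son.
home=$(mktemp -d)
sample="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED nate@mom"
install_pubkey "$sample" "$home"
install_pubkey "$sample" "$home"                       # second call adds nothing
install_pubkey "-----BEGIN RSA PRIVATE KEY-----" "$home" || echo "status $?"
echo "entries: $(grep -c . "$home/.ssh/authorized_keys")"
rm -rf "$home"
```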






Nathaniel Homier 06-09-2008 09:20 PM

Where do you run ssh-keygen, server or client.
 
H.S. wrote:
> Nathaniel Homier wrote:
>> I have 1 desktop computer (we will call it son) and it runs an ssh
>> server. When I visit my mother's house I would like to be able to
>> access (son) from my mother's computer (we will call it mom). I have
>> set up the
>
> Here is what I do (I use this method to access my univ lab machines from
> home):
>
> 1. Generate a key pair on mom (rsa is the newer algo)
> $ ssh-keygen -t rsa
>
> 2. Copy the public key to the machine you want to log in to
> $ ssh-copy-id -i ~/.ssh/id_rsa.pub username@son
>
> 3. Then try logging in from mom machine to son machine and verify it works.
>
> 4. Note that in the above steps, mom and son are actually machine names
> based on their domains. Using Alan's method you can create entries in
> ~/.ssh/config file to give nicknames to these machines.
>
> ->HS
>
>> ssh server on (son) to use key based authentication. Now the question
>> is, do I run ssh-keygen on (son) or on (mom)? What I have done on
>> (son) is:
>>
>> $ ssh-keygen -t dsa
>> $ cd .ssh
>> $ cat id_dsa.pub >> ~/.ssh/authorized_keys
>>
>> I assume I take my id_dsa.pub to (mom) and hook it up with the latest
>> Filezilla version and Putty? Or do I do the ssh-keygen on (mom) and
>> add the "id_dsa.pub" to (son) "~/.ssh/authorized_keys"?
>>
>> Son Etch
>> Mom Windows XP Pro
>>
>> Nate

The nicknames are a good idea. I can pretend that I am on the Nostromo
when I am using mother. :)


Nate



Nathaniel Homier 06-10-2008 07:36 AM

Where do you run ssh-keygen, server or client.
 
Sudev Barar wrote:
> 2008/6/10 Nathaniel Homier <nathaniel.homier@bresnan.net>:
>> The nicknames are a good idea. I can pretend that I am on the Nostromo when
>> I am using mother. :)
>
> ;-)
>
> It would be a good idea to re-jig configuration file at son to allow
> only key based authentication. This way even ssh log in attacks would
> be rebuffed, especially useful in multiuser scenario and chances of
> weak password being used.
> Flip side is that you can only log in from known machines from where
> public key file has been transported through email or physical means
> and added to authorized_keys file.

Yep, I got my key based auth working great now. I also took the time to
disable all other auth. Did "/etc/init.d/ssh restart" and checked again
and all is well. I carry my public and private key on my thumb drive
and the private key is protected with a passphrase.


Nate
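
The "allow only key based authentication" setting discussed in this message can be checked rather than assumed. This added example (not from the thread) reads an sshd_config the way sshd does for the three keywords that matter here; the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: does this sshd_config leave public keys as the only way in?

# effective "name1|name2" FILE   (names in lowercase)
# Prints the value sshd would take from the global section. sshd uses the
# first occurrence of a keyword; the three keywords checked below default to yes.
effective() {
    awk -v names="$1" '
        { sub(/[ \t]*=[ \t]*/, " ") }        # accept "Keyword=value"
        /^[ \t]*#/ || NF == 0 { next }       # comments and blank lines
        tolower($1) == "match" { exit }      # Match blocks are conditional
        tolower($1) ~ ("^(" names ")$") { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }' "$2"
}

check() {  # check LABEL NAMES WANTED FILE
    val=$(effective "$2" "$4")
    if [ "$val" = "$3" ]; then echo "ok    $1 $val"; return 0; fi
    echo "FAIL  $1 is '$val', want '$3'"; return 1
}

audit_sshd_auth() {
    rc=0
    check PubkeyAuthentication pubkeyauthentication yes "$1" || rc=1
    check PasswordAuthentication passwordauthentication no "$1" || rc=1
    # With UsePAM, challenge-response can still take a password, so it must be
    # off too. Newer OpenSSH calls it KbdInteractiveAuthentication (same setting).
    check ChallengeResponseAuthentication \
        'challengeresponseauthentication|kbdinteractiveauthentication' no "$1" || rc=1
    if grep -Eqi '^[[:space:]]*match[[:space:]]' "$1"; then
        echo "NOTE  Match blocks present; they can re-enable methods, review by hand"
    fi
    return "$rc"
}

# Constructed sample, not a real server's file. The last line has no effect
# because the earlier PasswordAuthentication line already set the value.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
Port 22
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication yes
EOF
audit_sshd_auth "$sample_cfg" || echo "password-style logins are still possible"
rm -f "$sample_cfg"
```

Run it against /etc/ssh/sshd_config on son before restarting sshd, and keep an existing session open until a key login from mom has been confirmed.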



Nathaniel Homier 06-10-2008 08:00 AM

Where do you run ssh-keygen, server or client.
 
Sudev Barar wrote:
> 2008/6/10 Nathaniel Homier <nathaniel.homier@bresnan.net>:
>> Yep, I got my key based auth working great now. I also took the time to
>> disable all other auth. Did "/etc/init.d/ssh restart" and checked again and
>> all is well. I carry my public and private key on my thumb drive and the
>> private key is protected with a passphrase.
>
> Whoops .. do not carry your private key around. No. Keep it somewhere
> only you can access and risk of losing it is zilch - almost.

I have the private key backed up on a desktop computer. The pass phrase
was generated with a high quality pseudo-random number generator using
20 characters consisting of letters, numbers and symbols. The key
strength is 4096 and is rsa.




Tzafrir Cohen 06-10-2008 09:28 AM

Where do you run ssh-keygen, server or client.
 
On Tue, Jun 10, 2008 at 02:00:49AM -0600, Nathaniel Homier wrote:

> I have the private key backed up on a desktop computer. The pass phrase
> was generated with a high quality pseudo-random number generator using
> 20 characters consisting of letters, numbers and symbols. The key
> strength is 4096 and is rsa.

And how do you remember that passphrase? Is it written on a note hidden
behind your keyboard? If you forget that passphrase you cannot recover
your private key.

A passphrase is something you should be able to remember.

--
Tzafrir Cohen | tzafrir@jabber.org | VIM is
http://tzafrir.org.il | | a Mutt's
tzafrir@cohens.org.il | | best
ICQ# 16849754 | | friend



Nathaniel Homier 06-10-2008 04:59 PM

Where do you run ssh-keygen, server or client.
 
Tzafrir Cohen wrote:
> On Tue, Jun 10, 2008 at 02:00:49AM -0600, Nathaniel Homier wrote:
>> I have the private key backed up on a desktop computer. The pass phrase
>> was generated with a high quality pseudo-random number generator using
>> 20 characters consisting of letters, numbers and symbols. The key
>> strength is 4096 and is rsa.
>
> And how do you remember that passphrase? Is it written on a note hidden
> behind your keyboard? If you forget that passphrase you cannot recover
> your private key.
>
> A passphrase is something you should be able to remember.

I create my random string then I print it out without ever saving to
disk and reboot, then I begin memorizing it. It usually takes a few
days at which point I will put the paper securely away in a closet. And
if my home is invaded I got other worries. My situation is made real
easy too because the 2 computers are only about 5 minutes car drive
apart or a 30 minute walk.




