
Login using a certificate

Do this if you want to connect to a host over ssh without typing the login password every time.

  • Install ssh on both the source and the target host with emerge -v openssh
  • Adjust the ssh configuration in /etc/ssh/ssh_config, especially if you don't want the root user to be able to log in (the server-side switch for that, PermitRootLogin, lives in /etc/ssh/sshd_config).
  • Run ssh-keygen -t dsa on the source host (leave the "-t dsa" out if you prefer the default algorithm, and change the file names in the following steps accordingly; note that OpenSSH 7.0 and later refuse DSA keys by default, so on a current system take the default key type). Don't enter any options; leave everything as it is:


ssh-keygen
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
bb:8c:d4:e5:99:00:8h:3a:1a:a4:b7:52:60:72:4c:4f root@localhost

  • Now, if you look in your [home]/.ssh directory, you'll see two new files: id_dsa, your private key (the file must not allow any kind of access except for the owner; fix it with chmod 600 id_dsa if that's not the case), and id_dsa.pub, the public one (it can be readable by anyone, but writable only by the owner).
  • On the target host, create the directory [home]/.ssh if it doesn't exist yet (and do a chmod 700 .ssh afterwards, so you're sure that only the owner can change anything in there!), and create a file called authorized_keys in it. Check that the file can be written only by the owner.
  • Copy the contents of id_dsa.pub from the source host and append it as one line to the file authorized_keys on the target host.


Remember that anybody who is able to read your private key (id_dsa) will be able to log into your target host!!!
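The target-side part of the steps above, written up as an added shell example (not from the original notes): install_pubkey creates the .ssh directory and authorized_keys with the modes the steps call for and appends the key without duplicating it on a second run, and check_key_perms verifies those modes afterwards. The function names and the sample key line are constructed for the example; the paths are parameters, so it can be tried against any scratch directory before running it on a real target host.

```shell
#!/bin/sh
# Added example, not from the original notes: the target-side part of the
# key setup as a script, plus a check for the file modes the steps require.
# Paths are parameters, so this runs against any directory; on a real
# target host, run it there with the copied .pub file.

# install_pubkey PUBKEY_FILE SSH_DIR
# Creates SSH_DIR (mode 700) and SSH_DIR/authorized_keys (mode 600) if
# needed, then appends the single key line from PUBKEY_FILE unless that
# exact line is already present, so running it twice never duplicates it.
install_pubkey() {
    pubkey_file=$1
    ssh_dir=$2
    auth_keys="$ssh_dir/authorized_keys"
    key=$(cat "$pubkey_file")          # ssh-keygen writes exactly one line here

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # -F literal match, -x whole line, -q no output: only the exit status counts.
    if ! grep -Fxq -e "$key" "$auth_keys"; then
        printf '%s\n' "$key" >> "$auth_keys"
    fi
}

# mode_is PATH MODE   (MODE in octal, e.g. 700)
# True if PATH's permission bits are exactly MODE. Uses find(1) because the
# output format of stat(1) differs between GNU and BSD systems.
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2")" ]
}

# check_key_perms SSH_DIR PRIVATE_KEY
# Returns 0 if SSH_DIR is 700, PRIVATE_KEY is 600 and SSH_DIR/authorized_keys
# (when present) is 600; otherwise prints each offending path and returns 1.
check_key_perms() {
    ssh_dir=$1
    private_key=$2
    rc=0
    mode_is "$ssh_dir" 700 || { echo "$ssh_dir: want mode 700"; rc=1; }
    mode_is "$private_key" 600 || { echo "$private_key: want mode 600"; rc=1; }
    if [ -e "$ssh_dir/authorized_keys" ]; then
        mode_is "$ssh_dir/authorized_keys" 600 \
            || { echo "$ssh_dir/authorized_keys: want mode 600"; rc=1; }
    fi
    return $rc
}
```

Usage on the target host, after copying id_dsa.pub over: install_pubkey ~/id_dsa.pub ~/.ssh, then check_key_perms ~/.ssh ~/.ssh/id_dsa on the source host to confirm the modes the notes ask for. sshd itself refuses keys from a world-writable .ssh directory or authorized_keys file, so a failing check is also the usual reason why "it still asks for a password".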


X forwarding

This lets you start X applications on the remote machine and display their graphical output on your local machine!
All you have to do is edit the config file /etc/ssh/sshd_config and change...
X11Forwarding no
...to...
X11Forwarding yes
...and restart sshd with /etc/init.d/sshd restart (the command differs if you're not using Gentoo).
Now, when connecting to the remote machine, add the -X flag and then start your graphical program from the command line (if -X doesn't work, try the -Y flag and, if need be, play around with the xhost settings).
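The sshd_config edit above done from a script, as an added example that is not part of the original notes: set_sshd_option replaces the first existing X11Forwarding line (active or commented out), drops any duplicates and appends the line if there was none, so it can be run repeatedly; get_sshd_option reads back the active value. Both function names are made up for this example, and the file path is a parameter so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not from the original notes: edit an sshd_config keyword
# idempotently instead of by hand. Works on any file path, so it can be
# tried on a copy before touching /etc/ssh/sshd_config.

# set_sshd_option FILE KEYWORD VALUE
# Leaves exactly one active "KEYWORD VALUE" line in FILE: the first line
# that already sets KEYWORD (active or commented out with #) is replaced,
# later duplicates are dropped, and the line is appended if none existed.
# Keyword comparison is case-insensitive, as in sshd itself.
set_sshd_option() {
    file=$1
    keyword=$2
    value=$3
    tmp="$file.tmp.$$"
    awk -v key="$keyword" -v val="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # drop indentation and a leading #
            n = split(line, f, /[ \t]+/)
            if (n > 0 && tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " val; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " val }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy back instead of mv so the file keeps its owner and mode.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_sshd_option FILE KEYWORD
# Prints the value of the first active (uncommented) KEYWORD line, if any.
get_sshd_option() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        NF >= 2 && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}
```

Usage: set_sshd_option /etc/ssh/sshd_config X11Forwarding yes, then sshd -t to have sshd check the file before the restart, and get_sshd_option /etc/ssh/sshd_config X11Forwarding to confirm the value. The script does not understand Match blocks: it replaces the first occurrence wherever it is, so on a config that uses Match, make sure the keyword you change sits in the global section.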

The full guide is here.


Disable openSSH data encryption

If you have two PCs connected through an internal, private LAN and, for example, run backups between them with rsync or just copy files with scp, and the transfers are too slow because of the CPU time openssh spends encrypting and decrypting the data in transit, you could consider disabling the data encryption (if the data you're transferring isn't too secret).

If you opt for that, you can enable the "none" cipher as follows (NoneEnabled and NoneSwitch come from the HPN-SSH patch set; a stock OpenSSH rejects them as unknown options):

  • On the target host, which runs the "sshd" daemon, edit its "sshd_config", set the parameter "NoneEnabled yes" and restart the sshd daemon.
  • On the source host, which connects to the target, use...
    ssh -oNoneEnabled=yes -oNoneSwitch=yes <targethost>
    ...or...
    scp -oNoneEnabled=yes -oNoneSwitch=yes <yourfile(s)> <targethost>:<targetdir>
    ...or...
    rsync <someoptions> -e "ssh -oNoneEnabled=yes -oNoneSwitch=yes" <source> <target>
    The two parameters disable encryption for the data in transit only (authentication, and the encryption of the interactive console traffic, stay in place).
    Just remember not to do it when your data goes through the Internet or through insecure parts of your LAN.
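The last sentence turned into a guard, as an added shell example that is not part of the original notes: the "none" cipher options are only passed when the target address is in one of the RFC 1918 private ranges, so a typo or a reused backup script can't silently send plaintext across the Internet. It assumes an HPN-SSH patched ssh client (the NoneEnabled/NoneSwitch options from the notes); the function names are made up here, and the target must be given as a dotted-quad IPv4 address rather than a hostname.

```shell
#!/bin/sh
# Added example, not from the original notes: only use the HPN-SSH "none"
# cipher when the peer is on a private (RFC 1918) IPv4 address.

# is_private_ipv4 ADDR
# Returns 0 when ADDR is a dotted-quad IPv4 address in 10.0.0.0/8,
# 172.16.0.0/12 or 192.168.0.0/16, 1 otherwise. Resolve hostnames first.
is_private_ipv4() {
    case $1 in
        10.*.*.*) return 0 ;;
        172.1[6-9].*.*|172.2[0-9].*.*|172.3[01].*.*) return 0 ;;
        192.168.*.*) return 0 ;;
    esac
    return 1
}

# none_cipher_opts ADDR
# Prints the client options from the notes for a private ADDR, nothing
# otherwise, so the caller falls back to a normal encrypted session.
none_cipher_opts() {
    if is_private_ipv4 "$1"; then
        printf '%s' '-oNoneEnabled=yes -oNoneSwitch=yes'
    fi
}

# none_cipher_ssh ADDR [ssh arguments...]
# ssh to ADDR, unencrypted data channel only on the private LAN.
none_cipher_ssh() {
    addr=$1; shift
    # Word splitting of the option string is intended here.
    ssh $(none_cipher_opts "$addr") "$addr" "$@"
}

# none_cipher_rsync ADDR SRC DST [rsync options...]
# rsync SRC to ADDR:DST through ssh, same rule for the data channel.
none_cipher_rsync() {
    addr=$1; src=$2; dst=$3; shift 3
    rsync "$@" -e "ssh $(none_cipher_opts "$addr")" "$src" "$addr:$dst"
}
```

Usage: none_cipher_rsync 192.168.10.5 /srv/backup/ /backup/ -a runs the transfer with the "none" cipher, while the same call with a public address runs a plain encrypted rsync over ssh and costs the usual CPU time.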


Notes

  • Set "ChallengeResponseAuthentication" to "no" in sshd_config so that users can't log in over ssh with the password challenge; only a known public key will then allow the login. (Set "PasswordAuthentication" to "no" as well, otherwise plain password logins remain possible.)