Saturday, August 28, 2004

SSH

Hi Friends

Sorry I could not post for so long, but life has been all the more hectic since the last post, and I am putting this post up on a Friday night with eyes full of sleep, but I hope this helps.

It helped me a lot, though.

SSH is a much more secure way of sending data over the network because it encrypts the whole session, whereas telnet sends everything as plain text.

Enough theory; here is a thought on how it could make your life easier.

Right from logging in to all your servers without a password, to pushing updated conf files to all servers without manual intervention, to using the rsync package to keep your servers in sync.

The component that makes this possible is OpenSSH's RSA/DSA key authentication system.

OpenSSH's RSA and DSA authentication protocols are based on a pair of specially generated cryptographic keys, called the private key and the public key. The advantage of using these key-based authentication systems is that in many cases, it's possible to establish secure connections without having to manually type in a password.

Now, this is how you normally go about it:

% ssh nitin@remoteserver
nitin@remoteserver's password:

This is the cumbersome way.

Here is the way to make it simple:

% ssh-keygen
Generating public/private rsa1 key pair.
Enter file in which to save the key (/home/nitin/.ssh/identity): (hit enter)
Enter passphrase (empty for no passphrase): (enter a passphrase)
Enter same passphrase again: (enter it again)
Your identification has been saved in /home/nitin/.ssh/identity.
Your public key has been saved in /home/nitin/.ssh/identity.pub.
The key fingerprint is:
a4:e7:f2:39:a7:eb:fd:f8:39:f1:f1:7b:fe:48:a1:09 nitin@localbox

Newer versions of ssh-keygen will ask you for the type of key you want to generate:

% ssh-keygen -t rsa1 (that's what I prefer; you can also use dsa)

Also note that ssh-keygen prompted us to enter a passphrase. When prompted, we entered a good passphrase (seven or more hard-to-predict characters). ssh-keygen then encrypted our private key (~/.ssh/identity) using this passphrase so that our private key will be useless to anyone who does not know it.

% ssh nitin@remoteserver
Enter passphrase for key '/home/nitin/.ssh/identity': (enter passphrase)

Last login: Thu Aug 28 20:28:47 from localbox.mydomain.net
Welcome to remoteserver!%
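The post jumps straight from generating the key pair to logging in with it, but in between the public half (identity.pub) has to be appended to ~/.ssh/authorized_keys on the remote server, and sshd only honours that file when its permissions are tight. The following shell example is added here and is not from the original post; the function names, the return codes and the file path are my own conventions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key such as
# ~/.ssh/identity.pub into a user's authorized_keys file on the server side.
# Function names, return codes and paths are this example's own conventions.

# Exit 0 if LINE looks like an OpenSSH public key: the protocol-2 form
# "type base64 comment", or the protocol-1 form "bits exponent modulus comment"
# that ssh-keygen -t rsa1 writes to identity.pub.
is_pubkey_line() {
    case "$1" in
        "ssh-rsa "*|"ssh-dss "*|"ssh-ed25519 "*|"ecdsa-sha2-"*" "*) return 0 ;;
        [0-9]*" "[0-9]*" "[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Append KEY_LINE to AUTH_FILE unless the identical line is already there, and
# set the permissions sshd's StrictModes insists on (directory 700, file 600).
# With looser permissions sshd ignores the file and falls back to asking for
# a password, which looks exactly like "the key does not work".
# Exit 0 = key added, 1 = already present, 2 = rejected as not a public key.
install_pubkey() {
    key_line="$1"
    auth_file="$2"
    is_pubkey_line "$key_line" || { echo "install_pubkey: not a public key line" >&2; return 2; }
    ssh_dir=$(dirname "$auth_file")
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_file" && chmod 600 "$auth_file"
    # -x matches whole lines only; -F takes the key literally (it contains + and /).
    if grep -qxF -- "$key_line" "$auth_file"; then
        return 1
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# Number of active (non-comment, non-blank) keys in AUTH_FILE.
count_keys() {
    grep -c '^[^#]' "$1"
}

# Typical use on the server, after copying identity.pub over with scp:
#   install_pubkey "$(cat /tmp/identity.pub)" "$HOME/.ssh/authorized_keys"
```

Run it on the server after copying identity.pub across with scp; newer OpenSSH releases ship ssh-copy-id, which does the same append from the client side. The exact-line match keeps the file from filling up with duplicates when the same key is pushed to a server more than once.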

Now, entering a passphrase every time is just as cumbersome as entering a password every time.

So there's a workaround:

A cool utility called ssh-agent:

% ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-XX4LkMJS/agent.26916;export SSH_AUTH_SOCK;
SSH_AGENT_PID=26917; export SSH_AGENT_PID;
echo Agent pid 26917;

So, to run it, type:

% eval `ssh-agent`

% ssh-add ~/.ssh/identity
Need passphrase for /home/nitin/.ssh/identity
Enter passphrase for /home/nitin/.ssh/identity: (enter passphrase)

ssh-agent is really cool, but its default configuration still leaves us with a few minor inconveniences. Let's take a look at them.

For one, with eval `ssh-agent` in ~/.bash_profile, a new copy of ssh-agent is launched for every login session; not only is this a tad bit wasteful, but it also means that you need to use ssh-add to add a private key to each new copy of ssh-agent. If you only open a single terminal or console on your system, this is no big deal, but most of us open quite a few terminals and need to type in our passphrase every single time we open a new console. Technically, there's no reason why we should need to do this, since a single ssh-agent process really should suffice.

Another problem with the default ssh-agent setup is that it's not compatible with cron jobs. Since cron jobs are started by the cron process, they won't inherit the SSH_AUTH_SOCK variable from their environment, and thus won't know that an ssh-agent process is running or how to contact it. It turns out that this problem is also fixable.

The fix is something called as the ssh-keychain project.

I generally do not use it; if you wanna try, you can access it at:

http://www.gentoo.org/projects/keychain.html

My way of working around the issue is adding the lines below to my .profile file:

eval `ssh-agent`
ssh-add ~/.ssh/identity

and a script to kill the ssh-agent session when I log out.
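The two .profile lines above start a fresh agent, and ask for the passphrase, on every login, which is exactly the first inconvenience described earlier. The shell example below is added here; it is not from the original post and not the keychain project's code, but it uses the same trick keychain does: save the lines ssh-agent prints to a file, and on the next login reuse that agent if its process is still alive. The file path ~/.ssh/agent.env and the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post, not keychain's code): keep ONE
# ssh-agent per user across login sessions by saving the agent's environment
# to a file and reusing it while the agent process is alive. Meant to be
# sourced from ~/.profile. File path, key path and function names are assumed.

AGENT_ENV="${HOME}/.ssh/agent.env"   # assumed location for the saved agent environment
IDENTITY="${HOME}/.ssh/identity"     # the post's protocol-1 key; id_rsa/id_dsa for protocol 2

# Source a saved agent environment file and report whether that agent is still
# running. Exit 0 = alive, 1 = no usable agent recorded in the file.
agent_is_alive() {
    env_file="$1"
    [ -r "$env_file" ] || return 1
    # The file holds exactly what `ssh-agent -s` prints: "VAR=value; export VAR;"
    # lines plus an "echo Agent pid N;" line, hence the redirect.
    . "$env_file" >/dev/null 2>&1
    [ -n "$SSH_AGENT_PID" ] && [ -n "$SSH_AUTH_SOCK" ] || return 1
    kill -0 "$SSH_AGENT_PID" 2>/dev/null
}

# Reuse the recorded agent if it is alive and reachable, otherwise start a new
# one and record it. Then load the key only if the agent holds no identities,
# so the passphrase is typed once per agent, not once per terminal.
start_or_reuse_agent() {
    agent_ok=0
    if agent_is_alive "$AGENT_ENV"; then
        ssh-add -l >/dev/null 2>&1
        # ssh-add exits 2 when it cannot contact the agent (e.g. /tmp was cleaned
        # and the socket is gone); 0 or 1 means the agent answered.
        [ $? -ne 2 ] && agent_ok=1
    fi
    if [ "$agent_ok" -eq 0 ]; then
        # The env file reveals the socket path, so write it owner-only; the
        # subshell keeps the umask change from leaking into the login shell.
        ( umask 077; ssh-agent -s > "$AGENT_ENV" ) || return 1
        . "$AGENT_ENV" >/dev/null
    fi
    ssh-add -l >/dev/null 2>&1
    [ $? -eq 1 ] && ssh-add "$IDENTITY"   # exit 1 = agent reachable but holds no identities
    return 0
}

# Logout hook: kill the recorded agent (ssh-agent -k uses SSH_AGENT_PID) and
# drop the file. Call it from ~/.bash_logout if you want the keys gone at logout.
stop_agent() {
    agent_is_alive "$AGENT_ENV" && ssh-agent -k >/dev/null 2>&1
    rm -f "$AGENT_ENV"
}

# Only touch the agent from interactive shells: scp, rsync and cron jobs must
# not block on a passphrase prompt.
case "$-" in *i*) start_or_reuse_agent ;; esac
```

Source this file from .profile instead of the two lines above. The same env file also answers the cron problem: a cron job can run `. ~/.ssh/agent.env` before calling ssh or rsync and will find the running agent. Whether stop_agent belongs in your logout script is a trade-off: killing the agent at logout means the passphrase is asked again on the next login, leaving it running means anyone who can read your socket while you are away can use the key.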

I guess I will put up the file updating and the usage of rsync with this RSA/DSA SSH authentication tomorrow.

Good night to all before I go off to sleep; it's 02:30 HRS IST.

Suggestions are always welcome.

Nitin
