http://freebsdwiki.net/index.php?title=Ssh,_passwordless_authentication&feed=atom&action=history
Ssh, passwordless authentication - Revision history
2024-03-28T16:58:14Z
Revision history for this page on the wiki
MediaWiki 1.18.0

http://freebsdwiki.net/index.php?title=Ssh,_passwordless_authentication&diff=11611&oldid=prev
Jimbo: SSH: Passwordless authentication moved to Ssh, passwordless authentication
2010-01-12T23:45:11Z
<p><a href="/index.php/SSH:_Passwordless_authentication" class="mw-redirect" title="SSH: Passwordless authentication">SSH: Passwordless authentication</a> moved to <a href="/index.php/Ssh,_passwordless_authentication" title="Ssh, passwordless authentication">Ssh, passwordless authentication</a></p>
<table class='diff diff-contentalign-left'>
<tr valign='top'>
<td colspan='1' style="background-color: white; color:black;">← Older revision</td>
<td colspan='1' style="background-color: white; color:black;">Revision as of 23:45, 12 January 2010</td>
</tr></table>
Jimbo

http://freebsdwiki.net/index.php?title=Ssh,_passwordless_authentication&diff=11368&oldid=prev
Jimbo: Reverted edits by 75.21.164.212 (Talk); changed back to last version by Jimbo
2009-07-02T17:58:22Z
<p>Reverted edits by <a href="/index.php/Special:Contributions/75.21.164.212" title="Special:Contributions/75.21.164.212">75.21.164.212</a> (<a href="/index.php?title=User_talk:75.21.164.212&action=edit&redlink=1" class="new" title="User talk:75.21.164.212 (page does not exist)">Talk</a>); changed back to last version by <a href="/index.php/User:Jimbo" title="User:Jimbo">Jimbo</a></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 17:58, 2 July 2009</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">On client </del>machine</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">Sometimes, you need to be able to SSH into a remote </ins>machine <ins class="diffchange diffchange-inline">for scripted maintenance purposes and not get challenged with a password. </ins> <ins class="diffchange diffchange-inline">To do this, you need to set up key-based authentication between the user account you'll be using on your local computer, and the user account you'll be logging into on the remote computer</ins>.  <ins class="diffchange diffchange-inline">Here's a quick and dirty how</ins>-<ins class="diffchange diffchange-inline">to.</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>  <del class="diffchange diffchange-inline">cd ~/</del>.<del class="diffchange diffchange-inline">ssh</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>  <del class="diffchange diffchange-inline">ssh</del>-<del class="diffchange diffchange-inline">keygen -t rsa</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">Transfer <tt>id_rsa.pub<</del>/<del class="diffchange diffchange-inline">tt> </del>to <del class="diffchange diffchange-inline"><tt>server</del>:<del class="diffchange diffchange-inline">~/.ssh</tt></del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">Creating a public</ins>/<ins class="diffchange diffchange-inline">private keyset with [[ssh-keygen]] on the computer and under the user account you want </ins>to <ins class="diffchange diffchange-inline">log in FROM</ins>:</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">On server machine</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> ph34r# '''mkdir ~/.ssh'''</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>  cd ~/.ssh</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>  <ins class="diffchange diffchange-inline">ph34r# '''chmod 700 ~/.ssh'''</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>  cat id_rsa.pub >> authorized_keys</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> ph34r# '''</ins>cd ~/.ssh<ins class="diffchange diffchange-inline">'''</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>  <del class="diffchange diffchange-inline">rm id_rsa</del>.<del class="diffchange diffchange-inline">pub</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>  <ins class="diffchange diffchange-inline">ph34r# '''ssh-keygen -t rsa'''</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> Generating public/private rsa key pair.</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> Enter file in which to save the key ("your_local_home"/.ssh/id_rsa):</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> Enter passphrase (empty for no passphrase):</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> Enter same passphrase again: </ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> Your identification has been saved in id_rsa.</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> Your public key has been saved in id_rsa.pub.</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> The key fingerprint is:</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> 17:5a:e7:77:ad:2c:0b:8e:f3:97:f8:20:53:79:69:55 root@ph34r</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">Getting the public half of the key to the REMOTE computer and user account you want to log in TO:</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> ph34r# '''scp ~/.ssh/id_rsa.pub jimbo@l0ath1ng.tehinterweb.net:/home/jimbo/id_rsa.ph34r.pub'''</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> ph34r# '''ssh jimbo@l0ath1ng.tehinterweb.net'''</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> Password:</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> % mkdir .ssh</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> % chmod 700 .ssh</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> % </ins>cat id_rsa<ins class="diffchange diffchange-inline">.ph34r</ins>.pub >> <ins class="diffchange diffchange-inline">.ssh/</ins>authorized_keys</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>  <ins class="diffchange diffchange-inline">% chmod 644 </ins>.<ins class="diffchange diffchange-inline">ssh/authorized_keys</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">Checking to make sure it worked:</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> % '''exit'''</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> ph34r# '''ssh jimbo@l0ath1ng.tehinterweb.net'''</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> %</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">Bingo.</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">From here on out, whenever logged in as root on the computer ph34r, I will be able to SSH into my account jimbo on the machine l0ath1ng without being presented with a password challenge (assuming I did NOT enter a passphrase when I generated the RSA key in the first step).  Note that I will not be able to use this key to bypass the password when logging into jimbo@l0ath1ng from any account OTHER than root@ph34r - if I were try it from jimbo@ph34r, I would still need a password.</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">If I wanted to log in from or to any other user accounts, the steps would be the same, just do them as the appropriate user.</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">NOTE: it is highly HIGHLY recommended that you only set up passwordless authentication to extremely neutered accounts on the target machine; perhaps an account with absolutely no privileges at all beyond [[sudo]] permission (if necessary) to run a single script which the account in question DOES NOT have write permission on.  This limits the damage a potential rogue user who compromises the computer on the other end could cause.</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">One way to use passwordless authentication in a safe way, is to replace the default shell (sh, csh, bash...) by a more restricted shell. The scponly is such a shell. Scponly only allows a very restricted set of commands. It can also do a chroot, thus greatly limiting the access to the system. Scponly is mainly used to let people access a remote account with commands like "scp" or "rsync" over "ssh"to do secure remote backups.</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">----</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">You may also be interested in these articles at IBM's "developerworks" library:</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">[http://www-128.ibm.com/developerworks/linux/library/l-keyc.html Understanding RSA/DSA authentication, Part 1]<br></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">[http://www-128.ibm.com/developerworks/library/l-keyc2/ OpenSSH key management, Part 2]<br></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">[http://www-128.ibm.com/developerworks/linux/library/l-keyc3/ OpenSSH key management, Part 3]</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">----</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">[[Category:Common Tasks]] [[Category:FreeBSD for Servers]][[Category:Configuring FreeBSD]]</ins></div></td></tr>
<!-- diff cache key bsdwiki:diff:version:1.11a:oldid:11367:newid:11368 -->
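Review bot: The closing paragraph of the restored text ("I will not be able to use this key ... from any account OTHER than root@ph34r") ties the login to the originating account, but what the server checks is possession of the private key in ~/.ssh/id_rsa; with the empty passphrase the text assumes, any copy of that file works from any account or host. Suggest rewording that sentence and, at the step that appends to .ssh/authorized_keys, documenting a from="..." and command="..." prefix on the key line so the NOTE about neutered accounts is enforced per key. Smaller points in the same steps: `chmod 644 .ssh/authorized_keys` can be 600, and the uploaded id_rsa.ph34r.pub is left in /home/jimbo after the cat, where the removed version had an rm step.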
</table>
Jimbo

http://freebsdwiki.net/index.php?title=Ssh,_passwordless_authentication&diff=11367&oldid=prev
75.21.164.212 at 17:28, 2 July 2009
2009-07-02T17:28:41Z
<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 17:28, 2 July 2009</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">Sometimes, you need to be able to SSH into a remote </del>machine <del class="diffchange diffchange-inline">for scripted maintenance purposes and not get challenged with a password. </del> <del class="diffchange diffchange-inline">To do this, you need to set up key-based authentication between the user account you'll be using on your local computer, and the user account you'll be logging into on the remote computer</del>.  <del class="diffchange diffchange-inline">Here's a quick and dirty how</del>-<del class="diffchange diffchange-inline">to.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">On client </ins>machine</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>  <ins class="diffchange diffchange-inline">cd ~/</ins>.<ins class="diffchange diffchange-inline">ssh</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>  <ins class="diffchange diffchange-inline">ssh</ins>-<ins class="diffchange diffchange-inline">keygen -t rsa</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">Creating a public</del>/<del class="diffchange diffchange-inline">private keyset with [[ssh-keygen]] on the computer and under the user account you want </del>to <del class="diffchange diffchange-inline">log in FROM</del>:</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">Transfer <tt>id_rsa.pub<</ins>/<ins class="diffchange diffchange-inline">tt> </ins>to <ins class="diffchange diffchange-inline"><tt>server</ins>:<ins class="diffchange diffchange-inline">~/.ssh</tt></ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> ph34r# '''mkdir ~/.ssh'''</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">On server machine</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>  <del class="diffchange diffchange-inline">ph34r# '''chmod 700 ~/.ssh'''</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>  cd ~/.ssh</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> ph34r# '''</del>cd ~/.ssh<del class="diffchange diffchange-inline">'''</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>  cat id_rsa.pub >> authorized_keys</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>  <del class="diffchange diffchange-inline">ph34r# '''ssh-keygen -t rsa'''</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>  <ins class="diffchange diffchange-inline">rm id_rsa</ins>.<ins class="diffchange diffchange-inline">pub</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> Generating public/private rsa key pair.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> Enter file in which to save the key ("your_local_home"/.ssh/id_rsa):</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> Enter passphrase (empty for no passphrase):</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> Enter same passphrase again: </del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> Your identification has been saved in id_rsa.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> Your public key has been saved in id_rsa.pub.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> The key fingerprint is:</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> 17:5a:e7:77:ad:2c:0b:8e:f3:97:f8:20:53:79:69:55 root@ph34r</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">Getting the public half of the key to the REMOTE computer and user account you want to log in TO:</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> ph34r# '''scp ~/.ssh/id_rsa.pub jimbo@l0ath1ng.tehinterweb.net:/home/jimbo/id_rsa.ph34r.pub'''</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> ph34r# '''ssh jimbo@l0ath1ng.tehinterweb.net'''</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> Password:</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> % mkdir .ssh</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> % chmod 700 .ssh</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> % </del>cat id_rsa<del class="diffchange diffchange-inline">.ph34r</del>.pub >> <del class="diffchange diffchange-inline">.ssh/</del>authorized_keys</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>  <del class="diffchange diffchange-inline">% chmod 644 </del>.<del class="diffchange diffchange-inline">ssh/authorized_keys</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">Checking to make sure it worked:</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> % '''exit'''</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> ph34r# '''ssh jimbo@l0ath1ng.tehinterweb.net'''</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> %</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">Bingo.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">From here on out, whenever logged in as root on the computer ph34r, I will be able to SSH into my account jimbo on the machine l0ath1ng without being presented with a password challenge (assuming I did NOT enter a passphrase when I generated the RSA key in the first step).  Note that I will not be able to use this key to bypass the password when logging into jimbo@l0ath1ng from any account OTHER than root@ph34r - if I were try it from jimbo@ph34r, I would still need a password.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">If I wanted to log in from or to any other user accounts, the steps would be the same, just do them as the appropriate user.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">NOTE: it is highly HIGHLY recommended that you only set up passwordless authentication to extremely neutered accounts on the target machine; perhaps an account with absolutely no privileges at all beyond [[sudo]] permission (if necessary) to run a single script which the account in question DOES NOT have write permission on.  This limits the damage a potential rogue user who compromises the computer on the other end could cause.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">One way to use passwordless authentication in a safe way, is to replace the default shell (sh, csh, bash...) by a more restricted shell. The scponly is such a shell. Scponly only allows a very restricted set of commands. It can also do a chroot, thus greatly limiting the access to the system. Scponly is mainly used to let people access a remote account with commands like "scp" or "rsync" over "ssh"to do secure remote backups.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">----</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">You may also be interested in these articles at IBM's "developerworks" library:</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">[http://www-128.ibm.com/developerworks/linux/library/l-keyc.html Understanding RSA/DSA authentication, Part 1]<br></del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">[http://www-128.ibm.com/developerworks/library/l-keyc2/ OpenSSH key management, Part 2]<br></del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">[http://www-128.ibm.com/developerworks/linux/library/l-keyc3/ OpenSSH key management, Part 3]</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">----</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">[[Category:Common Tasks]] [[Category:FreeBSD for Servers]][[Category:Configuring FreeBSD]]</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
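Review bot: every row of this hunk pairs a deleted line with an empty replacement, so the change removes the page body outright, including the NOTE that limits passwordless logins to "extremely neutered accounts" and the scponly paragraph, which are the only hardening advice in the visible text. Nothing is put in their place, so this should be reverted unless the content is being moved elsewhere; if a specific paragraph is out of date, edit that paragraph rather than blanking the section.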
<!-- diff cache key bsdwiki:diff:version:1.11a:oldid:9405:newid:11367 -->
</table>
75.21.164.212
http://freebsdwiki.net/index.php?title=Ssh,_passwordless_authentication&diff=9405&oldid=prev
Jimbo: Reverted edits by 61.47.7.195 (Talk); changed back to last version by Jimbo
2007-11-15T07:07:24Z
<p>Reverted edits by <a href="/index.php/Special:Contributions/61.47.7.195" title="Special:Contributions/61.47.7.195">61.47.7.195</a> (<a href="/index.php?title=User_talk:61.47.7.195&action=edit&redlink=1" class="new" title="User talk:61.47.7.195 (page does not exist)">Talk</a>); changed back to last version by <a href="/index.php/User:Jimbo" title="User:Jimbo">Jimbo</a></p>
<table class='diff diff-contentalign-left'>
<tr valign='top'>
<td colspan='1' style="background-color: white; color:black;">← Older revision</td>
<td colspan='1' style="background-color: white; color:black;">Revision as of 07:07, 15 November 2007</td>
</tr></table>
Jimbo
http://freebsdwiki.net/index.php?title=Ssh,_passwordless_authentication&diff=8034&oldid=prev
83.135.20.151: deleted spam!
2007-04-28T09:09:55Z
<p>deleted spam!</p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 09:09, 28 April 2007</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 17:</td>
<td colspan="2" class="diff-lineno">Line 17:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Getting the public half of the key to the REMOTE computer and user account you want to log in TO:</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Getting the public half of the key to the REMOTE computer and user account you want to log in TO:</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">you really should use cat and not just overwrite stuff.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>  ph34r# '''scp ~/.ssh/id_rsa.pub jimbo@l0ath1ng.tehinterweb.net:/home/jimbo/id_rsa.ph34r.pub'''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>  ph34r# '''scp ~/.ssh/id_rsa.pub jimbo@l0ath1ng.tehinterweb.net:/home/jimbo/id_rsa.ph34r.pub'''</div></td></tr>
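Review bot: the summary says "deleted spam!", but the removed line, "you really should use cat and not just overwrite stuff.", is advice about installing the key, not spam. Dropping it is acceptable as cleanup because it was an unsigned aside above the scp command, but if a later step of the article overwrites a file in the remote account, the warning should return at that step as a full sentence that names the file and shows the appending form.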
</table>
83.135.20.151
http://freebsdwiki.net/index.php?title=Ssh,_passwordless_authentication&diff=7959&oldid=prev
76.21.105.167 at 23:06, 20 March 2007
2007-03-20T23:06:45Z
<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 23:06, 20 March 2007</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 17:</td>
<td colspan="2" class="diff-lineno">Line 17:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Getting the public half of the key to the REMOTE computer and user account you want to log in TO:</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Getting the public half of the key to the REMOTE computer and user account you want to log in TO:</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">you really should use cat and not just overwrite stuff.</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>  ph34r# '''scp ~/.ssh/id_rsa.pub jimbo@l0ath1ng.tehinterweb.net:/home/jimbo/id_rsa.ph34r.pub'''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>  ph34r# '''scp ~/.ssh/id_rsa.pub jimbo@l0ath1ng.tehinterweb.net:/home/jimbo/id_rsa.ph34r.pub'''</div></td></tr>
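Review bot: the added line "you really should use cat and not just overwrite stuff." does not say which command or file it means, and it sits above the scp step, which copies the key to a new name (id_rsa.ph34r.pub) rather than over an existing file. Move it to the step that actually writes the key into place on l0ath1ng, name the file concerned, and phrase it as article text rather than as a remark to the author.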
</table>
76.21.105.167
http://freebsdwiki.net/index.php?title=Ssh,_passwordless_authentication&diff=7776&oldid=prev
24.202.77.103: spelling
2006-11-01T18:24:25Z
<p>spelling</p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 18:24, 1 November 2006</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 40:</td>
<td colspan="2" class="diff-lineno">Line 40:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>NOTE: it is highly HIGHLY recommended that you only set up passwordless authentication to extremely neutered accounts on the target machine; perhaps an account with absolutely no privileges at all beyond [[sudo]] permission (if necessary) to run a single script which the account in question DOES NOT have write permission on.  This limits the damage a potential rogue user who compromises the computer on the other end could cause.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>NOTE: it is highly HIGHLY recommended that you only set up passwordless authentication to extremely neutered accounts on the target machine; perhaps an account with absolutely no privileges at all beyond [[sudo]] permission (if necessary) to run a single script which the account in question DOES NOT have write permission on.  This limits the damage a potential rogue user who compromises the computer on the other end could cause.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>One way to use passwordless authentication <del class="diffchange diffchange-inline">is </del>a safe way, is to replace the default shell (sh, csh, bash...) by a more restricted shell. The scponly is such a shell. Scponly only allows a very restricted set of commands. It can also do a chroot, thus greatly limiting the access to the system. Scponly is mainly used to let people access a remote account with commands like "scp" or "rsync" over "ssh"to do secure remote backups.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>One way to use passwordless authentication <ins class="diffchange diffchange-inline">in </ins>a safe way, is to replace the default shell (sh, csh, bash...) by a more restricted shell. The scponly is such a shell. Scponly only allows a very restricted set of commands. It can also do a chroot, thus greatly limiting the access to the system. Scponly is mainly used to let people access a remote account with commands like "scp" or "rsync" over "ssh"to do secure remote backups.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
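Review bot: the "is" to "in" fix is right, but the changed paragraph still runs "ssh" and "to" together in its last sentence, keeps a stray comma in "in a safe way, is to", and has an unneeded article in "The scponly is such a shell". Since the summary is "spelling", these are worth fixing in the same edit.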
</table>
24.202.77.103
http://freebsdwiki.net/index.php?title=Ssh,_passwordless_authentication&diff=6865&oldid=prev
85.28.87.227 at 14:33, 13 August 2006
2006-08-13T14:33:05Z
<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 14:33, 13 August 2006</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 39:</td>
<td colspan="2" class="diff-lineno">Line 39:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>NOTE: it is highly HIGHLY recommended that you only set up passwordless authentication to extremely neutered accounts on the target machine; perhaps an account with absolutely no privileges at all beyond [[sudo]] permission (if necessary) to run a single script which the account in question DOES NOT have write permission on.  This limits the damage a potential rogue user who compromises the computer on the other end could cause.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>NOTE: it is highly HIGHLY recommended that you only set up passwordless authentication to extremely neutered accounts on the target machine; perhaps an account with absolutely no privileges at all beyond [[sudo]] permission (if necessary) to run a single script which the account in question DOES NOT have write permission on.  This limits the damage a potential rogue user who compromises the computer on the other end could cause.</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">One way to use passwordless authentication is a safe way, is to replace the default shell (sh, csh, bash...) by a more restricted shell. The scponly is such a shell. Scponly only allows a very restricted set of commands. It can also do a chroot, thus greatly limiting the access to the system. Scponly is mainly used to let people access a remote account with commands like "scp" or "rsync" over "ssh"to do secure remote backups.</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
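Review bot: the new scponly paragraph does not say whose shell is replaced or how it relates to the NOTE directly above it. The NOTE recommends an account that may run a single script through sudo, while scponly, as described here, only serves transfers such as scp or rsync, so the two are alternatives for different jobs; the text should say so and state that the change applies to the login shell of the remote account that accepts the key. Also "is a safe way" should read "in a safe way", and a space is missing between "ssh" and "to".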
<!-- diff cache key bsdwiki:diff:version:1.11a:oldid:5157:newid:6865 -->
</table>
85.28.87.227
http://freebsdwiki.net/index.php?title=Ssh,_passwordless_authentication&diff=5157&oldid=prev
Jimbo at 16:14, 21 January 2006
2006-01-21T16:14:26Z
<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 16:14, 21 January 2006</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 40:</td>
<td colspan="2" class="diff-lineno">Line 40:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>NOTE: it is highly HIGHLY recommended that you only set up passwordless authentication to extremely neutered accounts on the target machine; perhaps an account with absolutely no privileges at all beyond [[sudo]] permission (if necessary) to run a single script which the account in question DOES NOT have write permission on.  This limits the damage a potential rogue user who compromises the computer on the other end could cause.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>NOTE: it is highly HIGHLY recommended that you only set up passwordless authentication to extremely neutered accounts on the target machine; perhaps an account with absolutely no privileges at all beyond [[sudo]] permission (if necessary) to run a single script which the account in question DOES NOT have write permission on.  This limits the damage a potential rogue user who compromises the computer on the other end could cause.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>'<del class="diffchange diffchange-inline">''There are great stories, on how to securely use passwordless ssh authentication using password protected private key.'''<br></del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">----</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">You may also be interested in these articles at IBM</ins>'<ins class="diffchange diffchange-inline">s "developerworks" library:</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[http://www-128.ibm.com/developerworks/linux/library/l-keyc.html Understanding RSA/DSA authentication, Part 1]<br></div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[http://www-128.ibm.com/developerworks/linux/library/l-keyc.html Understanding RSA/DSA authentication, Part 1]<br></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[http://www-128.ibm.com/developerworks/library/l-keyc2/ OpenSSH key management, Part 2]<br></div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[http://www-128.ibm.com/developerworks/library/l-keyc2/ OpenSSH key management, Part 2]<br></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>[http://www-128.ibm.com/developerworks/linux/library/l-keyc3/ OpenSSH key management, Part 3]<del class="diffchange diffchange-inline"><br></del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>[http://www-128.ibm.com/developerworks/linux/library/l-keyc3/ OpenSSH key management, Part 3]</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">----</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Common Tasks]] [[Category:FreeBSD for Servers]][[Category:Configuring FreeBSD]]</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Common Tasks]] [[Category:FreeBSD for Servers]][[Category:Configuring FreeBSD]]</div></td></tr>
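Review bot: replacing the bold sentence with "You may also be interested in these articles" drops the one statement in this section that the links are about using a password protected private key. The NOTE above only discusses limiting the target account, so a reader no longer learns why the three articles matter; keep a short description beside the new introduction, for example that they explain key-based logins with a password protected key. The removed trailing line break tag and the added ---- rules are fine.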
<!-- diff cache key bsdwiki:diff:version:1.11a:oldid:3645:newid:5157 -->
</table>
Jimbo
http://freebsdwiki.net/index.php?title=Ssh,_passwordless_authentication&diff=3645&oldid=prev
195.5.32.230 at 08:23, 21 January 2006
2006-01-21T08:23:04Z
<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 08:23, 21 January 2006</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 39:</td>
<td colspan="2" class="diff-lineno">Line 39:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>NOTE: it is highly HIGHLY recommended that you only set up passwordless authentication to extremely neutered accounts on the target machine; perhaps an account with absolutely no privileges at all beyond [[sudo]] permission (if necessary) to run a single script which the account in question DOES NOT have write permission on.  This limits the damage a potential rogue user who compromises the computer on the other end could cause.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>NOTE: it is highly HIGHLY recommended that you only set up passwordless authentication to extremely neutered accounts on the target machine; perhaps an account with absolutely no privileges at all beyond [[sudo]] permission (if necessary) to run a single script which the account in question DOES NOT have write permission on.  This limits the damage a potential rogue user who compromises the computer on the other end could cause.</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">'''There are great stories, on how to securely use passwordless ssh authentication using password protected private key.'''<br></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">[http://www-128.ibm.com/developerworks/linux/library/l-keyc.html Understanding RSA/DSA authentication, Part 1]<br></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">[http://www-128.ibm.com/developerworks/library/l-keyc2/ OpenSSH key management, Part 2]<br></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">[http://www-128.ibm.com/developerworks/linux/library/l-keyc3/ OpenSSH key management, Part 3]<br></ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Common Tasks]] [[Category:FreeBSD for Servers]][[Category:Configuring FreeBSD]]</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Common Tasks]] [[Category:FreeBSD for Servers]][[Category:Configuring FreeBSD]]</div></td></tr>
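Review bot: the added sentence promises "passwordless" logins with a "password protected private key" without saying how both can hold at once, and "great stories" tells the reader nothing about the three links. Reword it as a plain introduction that states what the articles explain, drop the bold on the whole sentence, and list the links with wiki list markup instead of trailing line break tags.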
<!-- diff cache key bsdwiki:diff:version:1.11a:oldid:3642:newid:3645 -->
</table>
195.5.32.230