setup ssh keys
To allow access across Unix hosts without entering a password, set up SSH with public keys for authentication.
Password-less access is essential for infx to administer a host remotely.
key pair
You first generate a key pair, which has a private part and a public part. You install the public key on each host you need remote access to.
Then, when you log in, SSH does not prompt you for a password.
host key
The first time you connect to a host with SSH, that host's key is saved on your machine. On every later connection the saved key is used to verify that you are talking to the same host, which defends against "man-in-the-middle" attacks and other attempts to impersonate the host.
Once the host is known and your public key has been sent to it, you can log in to that server with SSH without a password.
security
To maintain security you must keep the private key private. SSH refuses to use a private key file that is readable by others; its permissions must be 600 (owner read and write only).
If the private key file is compromised, you need to generate a new pair and re-send the public key. Also remove the old public key from every host it was sent to, otherwise the compromised key still grants access there.
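A small audit of the permission rules just described, as an added example (not part of infx or of this page): it flags a private key or $HOME/.ssh/config that group or others can read, a .ssh directory that is not 700, and a key file not owned by the current user, which are the conditions under which ssh refuses to use the key. It assumes infx keygen's naming convention, where the private key is the file with a matching .pub beside it.

```python
import os
import stat

# Permission bits that must be clear on a private key and on ~/.ssh/config:
# any read/write/execute access for group or others.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def check_owner_only(path):
    """Return a list of problems with a file that must be private (mode 0600 or
    stricter); an empty list means the file passes.

    This mirrors what ssh checks before it will use a private key: the file
    must be a regular file, owned by the current user, and grant no access to
    group or others."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["%s: file not found" % path]
    mode = stat.S_IMODE(st.st_mode)
    if not stat.S_ISREG(st.st_mode):
        problems.append("%s: not a regular file" % path)
    if st.st_uid != os.getuid():
        problems.append("%s: not owned by the current user" % path)
    if mode & GROUP_OTHER_BITS:
        problems.append("%s: mode %04o is accessible by group/others; run chmod 600"
                        % (path, mode))
    return problems


def private_key_names(ssh_dir):
    """A file in ssh_dir is treated as a private key when a matching .pub file
    sits beside it (id_rsa / id_rsa.pub), the naming infx keygen uses (assumption)."""
    names = set(os.listdir(ssh_dir))
    return sorted(n for n in names if not n.endswith(".pub") and n + ".pub" in names)


def audit_ssh_dir(ssh_dir):
    """Audit a ~/.ssh directory: the directory itself must be 0700, every private
    key and the config file must be 0600. Returns the list of problems found."""
    problems = []
    mode = stat.S_IMODE(os.lstat(ssh_dir).st_mode)
    if mode & GROUP_OTHER_BITS:
        problems.append("%s: mode %04o is accessible by group/others; run chmod 700"
                        % (ssh_dir, mode))
    for name in private_key_names(ssh_dir) + ["config"]:
        path = os.path.join(ssh_dir, name)
        if os.path.exists(path):
            problems.extend(check_owner_only(path))
    return problems


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.ssh")
    found = audit_ssh_dir(target)
    for p in found:
        print(p)
    sys.exit(1 if found else 0)
```

Run it without arguments to audit your own $HOME/.ssh; a non-zero exit status means at least one file would be rejected by ssh or is exposed to other users on the host.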
manage keys
infx provides commands that help you manage the SSH keys:
| command | purpose |
|---|---|
| infx keygen | Generate the public and private keys |
| infx keysend | Send the public key to a remote host |
key generation
This command generates a private and public key pair:
$ infx keygen
Generating public/private rsa key pair.
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
f9:5c:41:8a:dc:de:82:f1:d8:fb:c6:17:5f:fe:6d:d6 informix@bobii
The key's randomart image is:
+--[ RSA 2048]----+
|        .        |
|       . o o     |
|      + o .      |
|     O . .       |
|        S = o    |
|          o + . .|
|            +. +o|
|           .o . E|
|           ... o+|
+-----------------+
infx generates an RSA key pair and stores it in the files id_rsa (private) and id_rsa.pub (public).
key sending
You send the public key to each remote host you want to manage:
$ infx keysend dest=mamvps03
informix@mamvps03's password:
completed: keysend
change ssh default port
change ssh port
You can change the port sshd listens on from the default, 22.
For example, to change the port to 62999, add this line to /etc/ssh/sshd_config:
Port 62999
Then, restart sshd:
$ /etc/init.d/sshd restart
Stopping sshd:                [  OK  ]
Starting sshd:                [  OK  ]
Repeat the change on server2.
set default port for host
Next, set up your ssh client config so that connections to server2 default to the new port number; then you don't have to specify it on the command line.
$ touch $HOME/.ssh/config
$ chmod 600 $HOME/.ssh/config
Add these lines to $HOME/.ssh/config, on server1:
Host server2
    Port 62999
Now ssh, and the tools that run over it such as scp and rsync, will default to the correct port for server2.
Check the ssh documentation (ssh_config) for other options you can add here, such as compression for slow links.
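To show how ssh arrives at the port for a host from this file, here is an added example (not part of infx or of this page): a minimal resolver for the Host/Port/Compression subset of ssh_config. It implements the rule that matters most when editing the file, namely that ssh keeps the first value it obtains for an option, so a catch-all "Host *" block placed before "Host server2" would silence the port change. The config text is constructed for the example; the server2 block is the one the section adds, the rest is illustrative.

```python
import fnmatch

# Constructed example of $HOME/.ssh/config on server1 (not from the page).
SAMPLE_CONFIG = """\
# connections to server2 go to the non-default sshd port
Host server2
    Port 62999

Host *.slow.example
    Compression yes

Host *
    Port 22
"""


def parse_ssh_config(text):
    """Split ssh_config text into (patterns, options) blocks in file order.

    Options that appear before the first Host line apply to every host, so
    they are kept in an initial block matching '*'. Keywords are case-
    insensitive; negated patterns ('!host') are not handled here."""
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            # within a block, as across blocks, the first value given wins
            options.setdefault(keyword, value)
    blocks.append((patterns, options))
    return blocks


def resolve(blocks, host, option, default=None):
    """Return the value ssh would use for `option` when connecting to `host`.

    ssh keeps the FIRST value obtained for each option, so a specific Host
    block must come before a catch-all 'Host *' block or it has no effect."""
    option = option.lower()
    for patterns, options in blocks:
        matched = any(fnmatch.fnmatchcase(host, p) for p in patterns)
        if matched and option in options:
            return options[option]
    return default


def effective_port(config_text, host):
    """Port ssh, scp or rsync-over-ssh would connect to for `host`; 22 if unset."""
    return int(resolve(parse_ssh_config(config_text), host, "Port", "22"))


if __name__ == "__main__":
    blocks = parse_ssh_config(SAMPLE_CONFIG)
    for h in ("server2", "server1", "db.slow.example"):
        print(h, effective_port(SAMPLE_CONFIG, h),
              resolve(blocks, h, "Compression", "no"))
```

Because of the first-value rule, put host-specific blocks at the top of the file and any "Host *" defaults at the bottom; the resolver returns 22 for server2 if the order is reversed.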