setup ssh keys

To allow access across Unix hosts without entering a password, setup SSH with public keys for authentication.

Being able to access the host without a password is essential for infx remote administration of a host.

key pair

You first generate a key pair, which has a private part and a public part. You install the public key on each host you need remote access to.

Then, when you login, SSH does not prompt you for a password.

host key

The first time you connect using SSH, it generates a key for that host. Every time you connect to the host, this key will be used to verify it is the correct host. This prevents “man-in-the-middle” attacks, and other methods that try to impersonate a host.

Once the host is known, and the key has been sent, you can access that server using SSH without a password.

This host key will need to be regenerated when the host name or IP address details change.

security

To maintain security you must keep the private key, private. SSH will not use the file unless the permissions are 600, owner only can read or write.

If the private key file is compromised, you need to generate a new pair and re-send the public key.

manage keys

infx provides services that help you manage the ssh keys.

command	purpose
infx keygen	Generate the public and private keys
infx keysend	Send the public key to a remote host

key generation

This command will generate a private and public key pair:

$ infx keygen
Generating public/private rsa key pair.
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
f9:5c:41:8a:dc:de:82:f1:d8:fb:c6:17:5f:fe:6d:d6 informix@bobii
The key's randomart image is:
+--[ RSA 2048]----+
|      .  |
|    . o o   |
|    + o .  |
|     O . .  |
|    S = o  |
|     o + . .|
|     +.  +o|
|      .o . E|
|      ... o+|
+-----------------+

$ infx keygen

Generating public/private rsa key pair.

Your identification has been saved in id_rsa.

Your public key has been saved in id_rsa.pub.

The key fingerprint is:

f9:5c:41:8a:dc:de:82:f1:d8:fb:c6:17:5f:fe:6d:d6 informix@bobii

The key's randomart image is:

+--[ RSA 2048]----+

| . |

| . o o |

| + o . |

| O . . |

| S = o |

| o + . .|

| +. +o|

| .o . E|

| ... o+|

+-----------------+

infx generates the key using rsa, and stores the pair in the files id_rsa and id_rsa.pub.

key sending

You send the public key to each remote host you want to manage.

$ infx keysend dest=mamvps03
informix@mamvps03's password:
completed: keysend

$ infx keysend dest=mamvps03

informix@mamvps03's password:

completed: keysend

When you initially send the key, you have to specify the password. Future access to this host will not require a password.

change ssh default port

change ssh port

You can change the port ssh runs on from 22.

Example, change the port to 62999, add this to /etc/ssh/sshd_config.

Port 62999

1	Port 62999

Then, restart sshd.

root access required

$ /etc/init.d/sshd restart
Stopping sshd:    [ OK  ]
Starting sshd:   [  OK  ]

$ /etc/init.d/sshd restart

Stopping sshd: [ OK ]

Starting sshd: [ OK ]

Repeat the change on server2.

set default port for host

Next, set up your ssh config, to default server2 to the new port number. This is so you don’t have to specify it on the command line.

$ touch $HOME/.ssh/config
$ chmod 600 $HOME/.ssh/config

1 2	$ touch $HOME/.ssh/config $ chmod 600 $HOME/.ssh/config

Add these lines to $HOME/.ssh/config, on server1.

Host server2
Port 62999

1 2	Host server2 Port 62999

Now all ssh commands, including rsync and scp, will default to the correct port number.

Check the ssh documentation for other options you can add here, such as compression for slow links.

informix user should be used when setting up the defaults

how to

setup ssh keys

key pair

host key

security

manage keys

key generation

key sending

change ssh default port

change ssh port

set default port for host