05/06/2012
In this post, I will explore how to perform a secure copy with the Linux scp command.
To this end, I will first detail how to set up password-less authentication with OpenSSH.
Setting up OpenSSH on the guest and the host
What I want to achieve is to be able to ssh into the remote host from my guest computer with the following command:
$ ssh username@hostname
Let’s consider that both the host and the guest are running Ubuntu. I have to install the openssh-client package on the guest with the following command:
$ sudo apt-get install openssh-client
For testing this how-to, I have set up a fresh virtualized Ubuntu install. When I attempt to connect to the host for the first time, I get the following error:
$ ssh email@example.com
ssh: connect to host 10.211.55.10 port 22: Connection refused
I have to install openssh-server on the host with the following command:
$ sudo apt-get install openssh-server
Now, I can open an SSH connection between my guest and my host. As this is the first time I connect to the host, I have to accept that the host be added to the list of known hosts recognized by OpenSSH. The list is available in
~ $ ssh firstname.lastname@example.org
The authenticity of host '10.211.55.10 (10.211.55.10)' can't be established.
RSA key fingerprint is 9c:f5:b7:93:7a:eb:d8:fe:e5:38:a8:52:e8:06:9b:2d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.211.55.10' (RSA) to the list of known hosts.
email@example.com's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

156 packages can be updated.
28 updates are security updates.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

username@host:~$
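The yes/no prompt in the session above is the moment at which the host key becomes trusted: whatever fingerprint is accepted here is what later connections are checked against. Before answering, a practitioner compares the fingerprint ssh displays with one obtained from the host itself (for instance from the host's console, where the default public host key lives in /etc/ssh/ssh_host_rsa_key.pub). The following is an added example, not code from the original post: it computes the same colon-separated MD5 fingerprint that ssh printed, from either a public key file or a known_hosts line, using only base64 and md5sum. The key blob in the demonstration is a constructed stub, not a real RSA key.

```shell
#!/bin/sh
# Added example, not from the original post. Computes the MD5 fingerprint of an
# OpenSSH public key in the aa:bb:cc:... form that ssh printed at first connect,
# so the value shown on the guest can be compared with the host's own key file
# before "yes" is typed. Needs base64 and md5sum (coreutils).

# key_blob FILE -> the base64 key material from either a public key file line
# ("ssh-rsa AAAA... comment") or a known_hosts line ("host ssh-rsa AAAA...").
key_blob() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }         # skip comments and blanks
        $1 ~ /^(ssh-|ecdsa-)/ { print $2; exit }     # public key file format
        { print $3; exit }                           # known_hosts format
    ' "$1"
}

# fingerprint_md5 FILE -> e.g. 9c:f5:b7:93:7a:eb:d8:fe:e5:38:a8:52:e8:06:9b:2d
fingerprint_md5() {
    blob=$(key_blob "$1")
    [ -n "$blob" ] || { echo "no key found in $1" >&2; return 1; }
    # the fingerprint is the MD5 of the decoded key blob, printed as hex pairs
    printf '%s' "$blob" | base64 -d | md5sum | awk '{print $1}' \
        | sed 's/../&:/g; s/:$//'
}

# fingerprint_matches FILE EXPECTED -> 0 if FILE's fingerprint equals EXPECTED
fingerprint_matches() {
    [ "$(fingerprint_md5 "$1")" = "$2" ]
}

# --- demonstration with a constructed key blob (not a real RSA key) ---
demo() {
    tmp=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB host-key-stub\n' > "$tmp/ssh_host_rsa_key.pub"
    printf '10.211.55.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB\n' > "$tmp/known_hosts"
    echo "host key file: $(fingerprint_md5 "$tmp/ssh_host_rsa_key.pub")"
    echo "known_hosts:   $(fingerprint_md5 "$tmp/known_hosts")"
    rm -rf "$tmp"
}
demo
```

Run `fingerprint_md5 /etc/ssh/ssh_host_rsa_key.pub` on the host and compare the result with the prompt on the guest; only when the two agree should "yes" be typed. Current OpenSSH releases print SHA256 fingerprints by default, and `ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_rsa_key.pub` shows the MD5 form used here.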
Now that OpenSSH is configured on the host, we can set up password-less authentication.
Setting up password-less authentication with OpenSSH
Password-less authentication with OpenSSH works as follows. To secure the communication between the guest and the host without providing a password, the client uses its own private and public key together with a username known on the server. The server adds the client's public key to its list of authorized keys for that user.
As I authenticate as a particular user known on the host, I will set up the OpenSSH configuration on the host to allow that user to ssh in from the guest. I will generate a private/public key pair on the guest and add the public key to the list of authorized keys on the host.
The ssh username@hostname command will use the private key available in the ~/.ssh/id_rsa file of the user executing the command on the guest computer. If I wanted to use any other key file, I could pass the -i pathToKeyFile parameter to specify it. For example:
$ ssh -i pathToMyFile username@hostname
Now that I know what I want to achieve, let’s configure both the guest and the host.
With the default key file
The first step is to generate a private and a public key on the guest computer. I issue the following command to generate an RSA key pair. I could use -t dsa to generate a DSA key instead.
ssh-keygen -t rsa
The command yields the following output. It is important not to type in a passphrase and to simply hit enter twice.
Generating public/private rsa key pair.
Enter file in which to save the key (/home/stephan/.ssh/id_rsa):
Created directory '/home/stephan/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/stephan/.ssh/id_rsa.
Your public key has been saved in /home/stephan/.ssh/id_rsa.pub.
The key fingerprint is:
24:c9:61:0f:c5:f3:69:24:92:21:2a:bf:6e:64:0b:17 stephan@stephan-Parallels-Virtual-Platform
The key's randomart image is:
+--[ RSA 2048]----+
| . ==. |
| . +o=+ . |
|. . +.o= . |
| oE o + |
| .. S. |
|. +. |
| =.. |
| .o |
| .. |
+-----------------+
Now, I have two files in the ~/.ssh directory of my guest computer: id_rsa (the private key) and id_rsa.pub (the public key).
I will now copy the public key to my host server with the OpenSSH scp command:
$ scp ~/.ssh/id_rsa.pub username@hostname:/home/username/.ssh/myguest_id_rsa.pub
On the host, I will now add the contents of the key to the list of authorized keys:
$ cat ~/.ssh/myguest_id_rsa.pub >> ~/.ssh/authorized_keys
The above command appends the contents of the myguest_id_rsa.pub file to the authorized_keys file. If that file does not exist, the command creates it.
Let’s now remove the copied key file, which is no longer necessary:
$ rm ~/.ssh/myguest_id_rsa.pub
For better security, let’s set the proper permissions on the authorized_keys file. Mode 600 means that only the owner can read and write it.
$ chmod 600 ~/.ssh/authorized_keys
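The host-side steps above (append the key, delete the copy, restrict the permissions) can be collapsed into one function that is safe to rerun. The following is an added example, not code from the original post: install_authorized_key takes the target .ssh directory and a public key file, creates the directory with mode 700 if it is missing (the scp step above also needs the directory to exist), appends each key line only if that exact line is not already in authorized_keys, so repeating the procedure does not accumulate duplicate entries, and finally sets authorized_keys to 600. The key line in the demonstration is constructed and is not a real key.

```shell
#!/bin/sh
# Added example, not from the original post. Installs a public key into an
# authorized_keys file the way the manual steps above do, but idempotently and
# with the permissions sshd expects (700 on ~/.ssh, 600 on authorized_keys);
# with StrictModes (the default) sshd ignores keys in a world-writable setup.

# file_mode PATH -> octal permission bits, e.g. 600 (GNU stat, BSD stat fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_authorized_key SSH_DIR PUBKEY_FILE
# Appends every key line of PUBKEY_FILE that is not yet in SSH_DIR/authorized_keys,
# then tightens permissions. Returns 0 on success, 1 on error.
install_authorized_key() {
    ssh_dir=$1
    pubkey=$2
    auth="$ssh_dir/authorized_keys"

    [ -r "$pubkey" ] || { echo "cannot read $pubkey" >&2; return 1; }

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    # create the file owner-only from the start rather than relying on umask
    (umask 077; touch "$auth") || return 1

    # -x matches the whole line, -F treats the key as a fixed string, so an
    # already-installed key is skipped; blank lines and comments are ignored
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        if ! grep -qxF -- "$line" "$auth"; then
            printf '%s\n' "$line" >> "$auth"
        fi
    done < "$pubkey"

    chmod 600 "$auth"
}

# key_count SSH_DIR -> number of non-blank lines in authorized_keys
key_count() {
    grep -c -v '^[[:space:]]*$' "$1/authorized_keys"
}

# --- demonstration on a temporary directory (constructed data, not a real key) ---
demo() {
    tmp=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB stephan@guest\n' > "$tmp/myguest_id_rsa.pub"
    install_authorized_key "$tmp/.ssh" "$tmp/myguest_id_rsa.pub"
    install_authorized_key "$tmp/.ssh" "$tmp/myguest_id_rsa.pub"   # second run adds nothing
    echo "keys: $(key_count "$tmp/.ssh"), mode: $(file_mode "$tmp/.ssh/authorized_keys")"
    rm -rf "$tmp"
}
demo
```

On the host, `install_authorized_key ~/.ssh ~/.ssh/myguest_id_rsa.pub && rm ~/.ssh/myguest_id_rsa.pub` replaces the three manual commands; the demo prints `keys: 1, mode: 600` even though the install ran twice.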
Now, when I open an SSH connection from the guest computer (logged in as the user whose key is authorized on the host) to the host computer with the given username, I no longer have to provide a password. Instead of:
~/$ ssh firstname.lastname@example.org
email@example.com's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Sun Jun 3 16:44:22 2012 from stephans-macbook-pro.local
I now have:
~/.ssh $ ssh firstname.lastname@example.org
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Sun Jun 3 17:26:52 2012 from stephans-macbook-pro.local
stephan@stephan-Parallels-Virtual-Platform:~$
With any key file
Let’s generate a key file outside of the ~/.ssh directory.
~/temp $ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/stephan/.ssh/id_rsa): ./standalone_id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./standalone_id_rsa.
Your public key has been saved in ./standalone_id_rsa.pub.
The key fingerprint is:
d4:48:5d:30:10:80:f6:2d:75:1d:49:51:47:9f:5b:eb stephan@stephan-Parallels-Virtual-Platform
The key's randomart image is:
+--[ RSA 2048]----+
| ...++o===..o|
| o ..oo.o .o|
| . . oo.. .o|
| o.. +|
| .S o |
| . |
| E |
| |
| |
+-----------------+
I generated the key pair in the directory I was in, as ./standalone_id_rsa.
Let’s now copy the file to the host:
~$ scp ./standalone_id_rsa.pub username@hostname:/home/username/.ssh/myguest_id_rsa.pub
On the host, let’s add the public key to the list of authorized keys:
~$ cat ~/.ssh/myguest_id_rsa.pub >> ~/.ssh/authorized_keys
Let’s remove the copied key file, which is no longer necessary:
~$ rm ~/.ssh/myguest_id_rsa.pub
I can now connect with the provided key file:
~/temp $ ssh -i ./standalone_id_rsa email@example.com
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Sun Jun 3 17:52:36 2012 from stephans-macbook-pro.local
stephan@stephan-Parallels-Virtual-Platform:~$
In this case, we must make sure that only the owner of the private key file has the rights to access it; ssh refuses to use a key file that other users can read. To achieve that, we set the appropriate permissions with chmod.
$ chmod 600 pathToMyKeyFile
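A key kept outside ~/.ssh is easy to leave with the default file mode, and ssh will then reject it with an "UNPROTECTED PRIVATE KEY FILE" warning. The following is an added example, not code from the original post: private_key_protected applies the same rule ssh does (no group or other permission bits on the private key), list_unprotected_keys audits a directory for private keys whose .pub sibling exists and whose mode is too open, and fix_private_key applies the chmod 600 from the post. File and directory names in the demonstration are constructed; the key files contain placeholder text, not real keys.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that a private key file is
# readable only by its owner, which ssh requires before it will use a key given
# with -i, and finds keys in a directory that fail that check.

# file_mode PATH -> octal permission bits, zero-padded to at least 3 digits
file_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    printf '%03d\n' "$m"
}

# private_key_protected FILE -> 0 if neither group nor other has any permission
private_key_protected() {
    mode=$(file_mode "$1") || return 1
    # the last two octal digits are the group and other bits; both must be 0
    case $mode in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# list_unprotected_keys DIR -> prints "<key path> <mode>" for each private key in
# DIR that is too open. A private key is recognised by its .pub sibling, which
# is how ssh-keygen names the pair (standalone_id_rsa / standalone_id_rsa.pub).
list_unprotected_keys() {
    for pub in "$1"/*.pub; do
        [ -f "$pub" ] || continue
        key=${pub%.pub}
        [ -f "$key" ] || continue
        private_key_protected "$key" || printf '%s %s\n' "$key" "$(file_mode "$key")"
    done
}

# fix_private_key FILE -> the chmod 600 from the post, verified afterwards
fix_private_key() {
    chmod 600 "$1" && private_key_protected "$1"
}
```

Sourcing the file and running `list_unprotected_keys ~/temp` before the `ssh -i` step reports any key that ssh would refuse, and `fix_private_key ~/temp/standalone_id_rsa` corrects it.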