Linux Notes: Configuring ssh2 for sftp, scp, rsync, etc.

  1. The information presented here is intended for educational use by qualified computer technologists.
  2. The information presented here is provided free of charge, as-is, with no warranty of any kind.
Edit: 2023-05-02 (fixed some typos)

SSH and SSH2

Modes

  1. In default out-of-the-box mode, these technologies encrypt your ssh-based connection to conceal everything including the connect password. Most interactive users using ssh client will not need to go beyond this mode. BTW, I doubt you will ever find telnet or ftp installed in modern Linux systems because passwords are sent unencrypted. However, Installing telnet and ftp clients is child's play. Installing their server counterparts (telnetd and ftpd) is easy but getting them to work properly requires changes to the software firewall via "firewall-cmd" and SELinux (and you are insane if you ever disable these two security modules)
     
  2. You can go one step further and deposit YOUR public key at a remote location so you will not need a password (the private-public key replaces the password associated with the account in the remote OS). This is a prerequisite for doing autonomous non-interactive (batch) transfers from programs like sftp. Initially the far-end administrator will provide you with a 24-hour temporary account and password which will only be used by you to setup the sftp account.
     
  3. If you like, you can encode a pass-phrase in your private key (this will foil an evil system admin on your client platform) but this is not allowed when setting up Secure Shell for use with autonomous non-interactive (batch) transfers.

Related Utilities

CentOS-7.5 (and higher)

# =============================================================================
# title  : ssh-help.txt
# author : Neil Rieck
# created: 2019-09-23
# edit   : 2019-09-23
# target : CentOS-7.5 to CentOS-7.5
# purpose:
# 1) Shell scripts containing a list of rsync, sftp and scp commands, when run
#    from cron, must never be presented with a password prompt.
# 2) This file describes steps to allow user-A on system-A to connect as
#    user-B on system-B without a password (authentication is now done by a
#    public-private key pair)
# 3) CAVEAT: you may need to modify "/etc/ssh/ssh_config" of the local client machine
#    as well as "/etc/ssh/sshd_config" of the remote server machine
# a) /etc/ssh/ssh_config
#    Uncomment these lines:
#       IdentityFile ~/.ssh/identity	# recommended for ssh2
#       IdentityFile ~/.ssh/id_rsa	# recommended for ssh2
# b) /etc/ssh/sshd_config
#    Uncomment these lines:
#       PubkeyAuthentication yes	# required
#       PermitRootLogin yes		# optional
#    Caveat: remember to restart sshd after changes here
# =============================================================================
#
#	STEP-01 (optional; only do once)
#
# 1) this next command will create two files:
#	.ssh2/id_rsa
#	.ssh2/id_rsa.pub
#
ssh-keygen
#
#	STEP-02 (recommended)
#
# 1) create a specific public-private key pair for use by root when 
#    connecting from kawc4n to kawc4m. Use one of these filename formats:
#	username_source_destination
#	username_on_source
# 2) In 2019 you might find DSA disabled so just use RSA where possible
# 3) when prompted, do not enter a passphrase
#
ssh-keygen -t rsa -b 1024 -f ~/.ssh/root_on_kawc4n
#
#       STEP-03 (configure client side)
#
cd .ssh						# drop down one level
cat id_rsa         >> identity			# copy private key into identity (a one-line payload)
cat root_on_kawc4n >> identity			# copy private key into identity
#
#	STEP-04 (copy public key(s) but do not use ssh-copy-id)
#
# 1) copy public key(s) to the remote site
#
ls -la
   drwx------.  2 root root  129 Sep 23 16:38 .
   dr-xr-x---. 19 root root 4096 Sep 23 16:38 ..
   -rw-------.  1 root root 1679 Sep 23 16:09 identity
   -rw-------.  1 root root 1679 Sep 23 14:00 id_rsa
   -rw-r--r--.  1 root root  393 Sep 23 14:00 id_rsa.pub
   -rw-r--r--.  1 root root  195 Sep 23 12:54 known_hosts
   -rw-------.  1 root root 1679 Sep 23 16:09 root_on_kawc4n
   -rw-------.  1 root root  393 Sep 23 12:38 root_on_kawc4n.pub
sftp [email protected]			# connect via sftp
put root_on_kawc4n.pub				# recommended push
put id_rsa.pub					# optional push
exit						# log out (drop back to kawc4n)
cd ..						# navigate back up one level
#
#	STEP-05 (config the remote end)
#
ssh [email protected]			# connect via ssh to server
ls -la *.pub					# view public key files
cat root_on_kawc4n.pub >> .ssh/authorized_keys	# copy public into here
cat id_rsa.pub         >> .ssh/authorized_keys	# copy public into here
rm *.pub                                        # delete public keys
exit						# log out (drop back to client)
#
#	STEP-6 (final test)
#
ssh [email protected]			# you should not see a password prompt
#
#	STEP-7 (debug; if something went wrong)
#
ssh [email protected] -v			# -v -vv -vvv for more debugging messages
#

Links


Back to Home
Neil Rieck
Waterloo, Ontario, Canada.