Setting Up SSH Keys
Secure Shell (SSH) is used to make a secure connection to LC's production machines. By setting up SSH keys, you can access LC production machines using passwordless authentication. Use of SSH keys is only permitted between LC machines and not from outside the LC network or from desktop office machines.
By default, SSH will authenticate in secure password mode (i.e., when host1 does an SSH to host2 and is prompted for a userid and password, the information will be sent in encrypted form to host2). That way, passwords cannot be "sniffed" or sent "clear text" over the network.
One of the features of SSH is that it allows you to bypass this usual login method (userid/password) by setting up RSA/DSA authentication keys. DSA authentication is used by SSH version 2, but both are supported by OpenSSH.
The RSA/DSA key authentication methods allow you to optionally:
- Improve security even more by requiring a login passphrase, which can be much longer than a typical UNIX password.
- Relax the need to enter a userid/password. Obviously, there are known security risks with this convenience.
Creating RSA/DSA keys with OpenSSH is a one-time process that can be done as follows:
- Execute ssh-keygen -t type where type is either "rsa" or "dsa"..
- When prompted, enter a passphrase if you want improved security. If you want the convenience of being able to SSH into other LC OpenSSH machines without entering a userid/password, don't enter anything.
- After the command completes, cd to your .ssh file and copy the file that ends in .pub to a file named authorized_keys. This is your public key. For example: cp id_dsa.pub authorized_keys
- Because all OCF/SCF machines share the same home directory, you don't need to copy your public key file to each host.
- Make sure that your .ssh files are readable only by you.
More about SSH at LC
For a more in-depth treatment of SSH at LC, check out this Confluence page on the subject.