We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Course Of The Month
4 days, left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Openssh : keys generated on ssh server or ssh client
Posted on 2011-03-08
Q1 : basic question:
I have a Windows 2003 running Openssh server & a Linux box (ssh client).
The Linux box is the one that initiate sftp/ssh/scp connection to the Windows
box. I would like to use key authentication, so are the private+public keys
generated (ie ssh-key-gen) on Windows 2003 or on the Linux box?
Q2:
If the keys are generated on the Windows 2003 Openssh (Ver 3.8p1-1), can
someone provide the steps to generate the keys & how should the key be
added/processed on the Linux box to enable the Linux box to ssh into the
Windows 2003 box using the keys (ie no password needed)
Q3:
If the keys are generated on the Linux box (RHES 4.5), what's the command
to generate the keys & how should the keys be added/installed on the
Win 2003 box so that the Linux (ssh client) can ssh into the Windows box
without password (ie keys authentication
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
4
2
2
8 Comments
Active today
I got a feeling that the ssh keys should be generated on the ssh client
(ie the Linux box in my case) & the public key is then sent to the Win2003
Openssh server.
suppose I have a login id on the Openssh Win2003 server, is
the following steps correct to install the public key into the Openssh
Win2003 server?
$ mkdir -p ~/.ssh If it doesn’t already exist
$ chmod 700 ~/.ssh
$ cd ~/.ssh
$ ssh-keygen -t rsa
$ cat ~/.ssh/id_rsa.pub | ssh remote_loginid@sshserver_h
> I got a feeling that the ssh keys should be generated on the ssh client
(ie the Linux box in my case) & the public key is then sent to the Win2003
Openssh server.
Yes.
> is the following steps correct to install the public key into the Openssh
Win2003 server?
No. Read here http://www.cs.bham.ac.uk/~smp/projects/ssh-windows/
Scroll down to 'To enable public key authentication for users other than Administrator:'.
Regards,
Srty
(ie the Linux box in my case) & the public key is then sent to the Win2003
Openssh server.
Yes.
> is the following steps correct to install the public key into the Openssh
Win2003 server?
No. Read here http://www.cs.bham.ac.uk/~smp/projects/ssh-windows/
Scroll down to 'To enable public key authentication for users other than Administrator:'.
Regards,
Srty
Active today
Technically it doesn't matter where you generate the key (best is on a machine with a good random numbers generator), it can even be a 3rd system not used in the communication between client and server.
Then you keep the private key for your self and have the public key installed on every system where you need it.
But...
You must be able to totally trust or control the system where you generate a key. (if you need it you can have multiple private/public key pairs for different purposes.., the key to be used can be specified by default it is id_dsa/id_rsa ...)
If you cannot trust those systems then don't generate a key there. Also keep in mind that the file storage that is temporarily used isn't wiped after use if you just remove the files.
Then you keep the private key for your self and have the public key installed on every system where you need it.
But...
You must be able to totally trust or control the system where you generate a key. (if you need it you can have multiple private/public key pairs for different purposes.., the key to be used can be specified by default it is id_dsa/id_rsa ...)
If you cannot trust those systems then don't generate a key there. Also keep in mind that the file storage that is temporarily used isn't wiped after use if you just remove the files.
Active today
Thanks chaps.
2 more clarifications:
a) if my Linux ssh client has multiple (8 to be precise) Unix accounts that need to ssh into
the Win2003 Openssh server (all 8 use a common login id on Win2003 to ssh/scp), do
I need to generate 8 pairs of keys using each of the 8 Unix accounts or I can just use
root on my Linux box to generate 1 pair & then distribute the keys to the $HOME/.ssh
directories of each of the 8 Unix accounts & to $HOME/.ssh of the Win2003 id ?
b)when doing ssh-keygen on Linux, should I use dsa or rsa? Rather which is more
secure of the two?
Active today
For question (b) above, which of the two ( rsa & dsa ) are supported by OpenSsh
in Windows 2003?
Active today
a) yes, the certificates are assumed to be personal.
You can off-course distribute the same private key to all people, but if you need to revoke ONE, you need to issue all others a new key...
and you need to add all public keys to the ~/.ssh/authorized_keys or ~/.ssh/authorized_keys2 files.
b) dsa is a more recent version and may be assumed more future proof.
At lease ensure that everything is SSH V2... (dont mix ssh1 rsa keys with ssh2... dsa slightly preferred, rsa1 definitely forbidden.).
I am not sure what you mean by openssh in windows (most probably the cygwin one, and yes they should be supported).
Also configure the sshv1 to be forbidden.
You can off-course distribute the same private key to all people, but if you need to revoke ONE, you need to issue all others a new key...
and you need to add all public keys to the ~/.ssh/authorized_keys or ~/.ssh/authorized_keys2 files.
b) dsa is a more recent version and may be assumed more future proof.
At lease ensure that everything is SSH V2... (dont mix ssh1 rsa keys with ssh2... dsa slightly preferred, rsa1 definitely forbidden.).
I am not sure what you mean by openssh in windows (most probably the cygwin one, and yes they should be supported).
Also configure the sshv1 to be forbidden.
Featured Post
We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
I promised to write further about my project, and here I am. First, I needed to setup the Primary Server. You can read how in this article: Setup FreeBSD Server with full HDD encryption (http://www.experts-exchange.com/OS/Unix/BSD/FreeBSD/A_3660-S…
Why Shell Scripting?
Shell scripting is a powerful method of accessing UNIX systems and it is very flexible. Shell scripts are required when we want to execute a sequence of commands in Unix flavored operating systems. “Shell” is the command line i…
Learn how to navigate the file tree with the shell.
Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
In a previous video, we went over how to export a DynamoDB table into Amazon S3. In this video, we show how to load the export from S3 into a DynamoDB table.
Suggested Courses
Course of the Month4 days, left to enroll
691 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.