Friday, December 1, 2017

ssh

  • Helped Aaron with ssh

Adding ssh actions to CDE

Secure Shell (ssh) is a more modern and secure way to access a remote system. You can add ssh actions to CDE by adding the following to ~/.dt/types:

ACTION Ssh
{
  LABEL           Secure shell
  ICON            Dtterm
  ARG_COUNT       0
  TYPE            COMMAND
  WINDOW_TYPE     NO_STDIO
  EXEC_STRING     ksh -c 'export _title="%"Starbase?"%";   \
    /usr/dt/bin/dtterm -name $_title                              \
    -title "Opening hailing frequencies to starbase $_title..."   \
    -e ksh -c "ssh $_title; sleep 5;";'
  DESCRIPTION     The Secure shell action prompts the user for    \
                  the name of a system, opens a dtterm terminal   \
                  emulator window, and then performs an ssh to    \
                  that system.
}

ACTION SshUser
{
  LABEL           Secure shell
  ICON            Dtterm
  ARG_COUNT       0
  TYPE            COMMAND
  WINDOW_TYPE     NO_STDIO
  EXEC_STRING     ksh -c 'export _title="%"Starbase?"%";          \
    export _user="%"Username"%";                                  \
    /usr/dt/bin/dtterm -name $_title                              \
    -title                                                        \
      "Opening hailing frequencies to starbase $_user@$_title..." \
    -e ksh -c "ssh $_user@$_title; sleep 5;";'
  DESCRIPTION     The Secure shell action prompts the user for    \
                  the name of a system and a username and opens   \
                  a dtterm terminal emulator window, and then     \
                  performs an ssh to that system.
}


Then invoke the actions with:

$ dtaction Ssh
$ dtaction SshUser

or better yet put it into your Dtwm menus like:

    Menu Terminals
    {
      "Terminals"           f.title
      "Terminal"            f.action Dtterm
      "Remote Terminal"     f.action Ssh
      "Remote Terminal (user)"      f.action SshUser
      "X Terminal"          f.action Xterm
    }

Configuring ssh for passwordless but secure public key authentication

To do public key authentication you first need to generate a public/private key pair. For ssh you do this with ssh-keygen:

$ ssh-keygen -t rsa

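Note you can also do -t dsa. There are RSA keys and DSA keys. I forget what the prompts are, something about a passphrase, etc. Enter no passphrase. With an empty passphrase the private key is stored unencrypted, so the -rw------- permissions on ~/.ssh/id_rsa shown below are all that protect it.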

This should create a directory ~/.ssh with files in it. For example:

$ ssh-keygen -t rsa
Enter file in which to save the key(/home/p6258c/.ssh/id_rsa):
Generating public/private rsa key pair.
Enter passphrase(empty for no passphrase): 
$ ls -l ~/.ssh
total 32
-rw-------    1 p6258c   ccusers       226 Jun 15 13:28 authorized_keys
-rw-------    1 p6258c   ccusers       887 Jun 15 13:27 id_rsa
-rw-rw-r--    1 p6258c   ccusers       226 Jun 15 13:27 id_rsa.pub
-rw-r--r--    1 p6258c   ccusers      4082 Jul 31 15:05 known_hosts
$ ls -ld .
drwxr-xr-x   43 p6258c   ccusers      2048 Aug  3 10:28 ./
$

Then the task is to get the ~/.ssh/id_rsa.pub key added to the authorized_keys file (creating it if you need to). Here in GD that is easy. Simply:

$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

Now, since all GD machines in the RAN subnet share the same home directory (automounted from the same common location), voilà! You now have passwordless ssh access using public key authentication throughout the RAN (note this does not cross from RAN -> GD network due to firewall issues). Whenever you ssh to a new machine it will ask you about adding it to the known_hosts file, but after that it should not prompt again.

Also note that if this were a different situation you'd have to get the contents of ~/.ssh/id_rsa.pub over to the remote machine. For example, I could generate my keys as described above, then email the ~/.ssh/id_rsa.pub from here to my home Linux system, append it to my ~/.ssh/authorized_keys on my home Linux system, and then I could ssh from here to home. Normally I configure my house to only allow public key authenticated logins from the outside world. I can't do it here from GD because the firewall prohibits it (which is odd)!

Final note: Sometimes, if ssh is configured to be strict about permissions, you need to change your home directory to be 755 as shown above. Normally I'm a sharing kinda guy so I have my home directory set to 775, but with ssh strict permissions that'll cause passwordless ssh to not work anymore.
