Tuesday, February 14, 2012

LINUX-SEC: generating SSH keys

Method 1: generating and copying the public keys.

The origin server issues a key that is added to the list on the destination server.
That way the origin server can connect to the destination server without having to supply the password.

Generating the public key

[soporte@localhost ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/soporte/.ssh/id_dsa): 
Created directory '/home/soporte/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/soporte/.ssh/id_dsa.
Your public key has been saved in /home/soporte/.ssh/id_dsa.pub.
The key fingerprint is:
92:c4:18:57:cb:ba:20:f9:8a:02:78:1e:b3:ac:57:16 soporte@localhost.localdomain

The generated public key:
[soporte@localhost ~]$ cat /home/soporte/.ssh/id_dsa.pub 
ssh-dss ... soporte@localhost.localdomain
[soporte@localhost ~]$ 

Copy the public key to the destination server.
# scp /home/soporte/.ssh/id_dsa.pub user@ip:/home/user/

Add the SSH key on the destination server.
# cat /home/user/id_dsa.pub >> /home/user/.ssh/authorized_keys

For key-only authentication to work in both directions, repeat these steps the other way around.


Add security to the key list file.
On the destination server, change the permissions of the file:
# chmod 0400 /home/user/.ssh/authorized_keys
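
The append and chmod steps of Method 1 combined into one re-runnable shell function, as an added example that is not part of the original post: it refuses a private key passed by mistake, skips keys that are already listed, and copes with an authorized_keys file that is already 0400. The function name install_pubkey and its optional directory argument are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not from the original post). install_pubkey and its
# optional second argument are hypothetical names chosen for illustration.
# Usage on the destination server: install_pubkey /home/user/id_dsa.pub
install_pubkey() {
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    [ -f "$pub" ] || { echo "no such file: $pub" >&2; return 1; }

    # Catch the private key (id_dsa) being passed instead of id_dsa.pub.
    if grep -q -e '-----BEGIN' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2
        return 2
    fi

    # Accept exactly one line of the form "<type> <base64> [comment]".
    if [ "$(grep -c . "$pub")" -ne 1 ]; then
        echo "expected exactly one key line in $pub" >&2
        return 3
    fi
    key=$(grep . "$pub")
    if ! printf '%s\n' "$key" | grep -Eq \
        '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
    then
        echo "not an OpenSSH public key line: $pub" >&2
        return 3
    fi

    # sshd's StrictModes (on by default) refuses keys when ~/.ssh is
    # writable by group or others, so keep the directory owner-only.
    mkdir -p "$dir" && chmod 0700 "$dir" || return 4

    # Append only when the exact line is not listed yet (safe to re-run).
    if ! { [ -f "$auth" ] && grep -Fxq -- "$key" "$auth"; }; then
        # An earlier run leaves the file 0400: make it owner-writable
        # for the append, then lock it down again below.
        if [ -f "$auth" ]; then chmod u+w "$auth" || return 4; fi
        printf '%s\n' "$key" >> "$auth" || return 4
    fi
    chmod 0400 "$auth"
}
```

OpenSSH has disabled ssh-dss keys by default since release 7.0, so on a current system generate the pair with -t ed25519 or -t rsa; the function treats those key types the same way.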


Method 2: using the ssh-copy-id utility


On the origin server, generate the public key:


wiki@localhost:~$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/wiki/.ssh/id_dsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/wiki/.ssh/id_dsa.
Your public key has been saved in /home/wiki/.ssh/id_dsa.pub.
The key fingerprint is:
ca:b1:c3:69:de:03:8c:d8:03:fb:fa:29:b4:18:e2:58 wiki@antofagasta
wiki@localhost:~$

Copy the key to the destination server:


wiki@localhost:~$ ssh-copy-id -i /home/wiki/.ssh/id_dsa.pub backup@remotehost
26
backup@remotehost's password: 
Now try logging into the machine, with "ssh 'backup@remotehost'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

wiki@localhost:~$ 



