#2 | 2010-01-20, 17:49
user@N900-> if [ ! -e authorized_keys ]; then touch authorized_keys; fi
user@N900-> cat ../id_rsa.pub >> authorized_keys
user@N900-> chmod 600 authorized_keys
#3 | 2010-01-20, 20:12
Very nice howto, thanks for the work!
Just one suggestion.
This:
isn't really necessary; the file should be created automatically when piping into it.
This should be enough (order reversed for chmod):
#7 | 2010-02-04, 08:47
Agent admitted failure to sign using the key.
#10 | 2010-02-21, 17:34
I was asked how this is done, so I thought I'd put together a small guide on setting this up.
I'll use the term 'N900->' for commands run on the N900 and 'Laptop->' to indicate commands run on the computer you want to connect from to the N900.
I do not have the slightest idea how this would be done on a Windows computer (last time I used one was 1999), so this guide is assuming a Linux OS on the computer. I'm pretty sure this can be done very similarly on Windows as well, I just don't have the slightest bit of experience there, so maybe someone else can add this information.
To understand the public key authentication scheme, I'll try to describe it briefly. First you create a pair of a private and a public key. These two keys are mathematically linked.
Now the private key resides on your local machine while the public key gets copied to systems that you want to connect to using ssh. Having this configured, you now don't send a password over the network but the public/private key pair is used to authenticate you.
You have the ability to encrypt the private key on your local system. In this case you still need to enter a pass phrase when logging in; this, however, never leaves your system but is only used to make the private key accessible so the authentication using the public key from remote can succeed.
So what did I do to set it up? (I have done this already some time ago, so some things I have to write from memory; apologies for any mistakes and thanks for possible corrections.)
0. Install ssh server
Create a password for the root user upon installation of the ssh server and remember it.
Also note the IP address of the N900 so you can ssh into it to set everything up. You can do so as user by running
/sbin/ifconfig
in the X terminal. You should be connected to wlan - then there will be an IP address in the output you'll get.
1. Create a private / public key pair
Do this on your laptop as the user on the laptop that you later want to be able to login to the N900.
Laptop-> ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/someuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/someuser/.ssh/id_rsa.
Your public key has been saved in /home/someuser/.ssh/id_rsa.pub.
The key fingerprint is:
e8:a4:a5:81:1d:d6:81:51:8c:e2:98:73:01:e4:79:90 chuller@skaro
The key's randomart image is:
+--[ RSA 2048]----+
|o+. .*o |
|.E= o... |
| * +o . |
|+ ++ . . |
| o. o + S |
| B |
| o . |
| |
| |
+-----------------+
You can set a pass phrase to make the private key secure; however, if left empty one gets the convenience of a passwordless login. I think it depends on how trusted and secure the laptop you are working on generally is.
Now you have two keys created in your home inside the directory .ssh:
id_rsa this is your secret key. It has to remain on your local computer. Make sure nobody can ever access it.
id_rsa.pub this is your public key. It will be copied to the remote systems that you want to ssh into.
2. Copying the public key to your N900:
Not sure what your preferred method would be, but now you have to copy the content of the public key into this file on your N900:
/home/user/.ssh/authorized_keys
I did it this way (149.44.171.3 is the IP address of my N900 at the time I write this):
Laptop-> scp ~/.ssh/id_rsa.pub root@149.44.171.3:/home/user/
Laptop-> ssh root@149.44.171.3
root@149.44.171.3's password:
Now enter the root password configured upon ssh installation and you will get logged into the N900. To add the public key to the list of authorized keys do the following:
root@N900-> su - user
user@N900-> cd ~/.ssh
user@N900-> cat ../id_rsa.pub >> authorized_keys
user@N900-> chmod 600 authorized_keys
user@N900-> rm ../id_rsa.pub
rm: remove '../id_rsa.pub'? y
user@N900-> exit
Now the keys are in place and the public key based login is set up for ssh.
3. Next you have to enable the login for the user. One way is to set a password for him, another is to edit /etc/passwd. The easy way is to simply set a password for the user:
3a. Setting password for the N900 user
root@N900-> passwd user
Changing password for user
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
New password:
Re-enter new password:
Password changed.
However, I prefer to not do so and just enable the login for the user by editing the /etc/passwd:
3b. ONLY DO THIS IF YOU KNOW HOW TO USE VI
Enabling user login by editing /etc/passwd (I strongly recommend to NOT do this until you know how to handle vi and what you generally are doing!!!):
N900-> vi /etc/passwd
Now look for the line starting with 'user'.
In that line, replace the '!' with a '*'.
In my case I changed the line
user:!:29999:29999::/home/user:/bin/sh
to
user:*:29999:29999::/home/user:/bin/sh
If you have set a password for the user already, instead of the "!" you will see some characters; that is the encrypted password for the user. In this case replace the characters with an "*".
Also here you can remove the root password that was set before when installing ssh if you want to.
/ONLY DO THIS IF YOU KNOW HOW TO USE VI/
4. Test and disable password based logins
The test is pretty easy, just try as the user on the laptop you created the keys with (in the following command do not replace 'user' by anything, you actually want to become the user 'user' on the N900):
Laptop-> ssh user@149.44.171.3
If everything went well, you now get asked not for the user's password but for the pass phrase set upon creating the key pair in the beginning. If you left that empty you now can log in to the N900 without having to enter any password.
If this works, I recommend to disable the password based authentication on the device. Again, this step involves editing system files in the device as root, so if you are not sure about this, DO NOT DO IT or ask somebody who knows about such things to help you:
root@N900-> vi /etc/ssh/sshd_config
Search for these lines:
# Change to no to disable tunnelled clear text passwords
# PasswordAuthentication yes
and change them to
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
Save the file and then restart sshd:
root@N900-> /etc/init.d/ssh restart
Log out and try to log in as root again. If all is right the output now will look like this:
Laptop-> ssh root@149.44.171.3
Permission denied (publickey).
Try to log in as user@149.44.171.3 and it will still work, as you have the public key on the device.
Be aware that you now can only log in as the user that created the key from the machine you created the key on. If you have more users or computers you would like to access the device with, you need to repeat the steps from above.
Last edited by greygoo; 2010-01-20 at 20:13.
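A check of the end state the howto above aims for, as an added example that is not part of the original post: it reports the effective PasswordAuthentication value (a line that is still commented out leaves the default in force), the state of the user's password field from step 3, and whether authorized_keys exists with safe permissions. The function names and the script name audit.sh are assumptions of this example; the paths in the usage comment are the ones from the howto.

```shell
#!/bin/sh
# Added example: audit the end state the howto aims for. Files are passed as
# arguments, so it works on copies as well as on the live device.

# Effective PasswordAuthentication value. sshd takes the first uncommented
# occurrence of a keyword; a line left as "# PasswordAuthentication yes" is a
# comment, so the default (yes) applies. Match blocks are not evaluated.
effective_password_auth() {   # $1 = sshd_config
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "passwordauthentication" { v = tolower($2); exit }
         END { print (v == "" ? "yes" : v) }' "$1"
}

# Password field of a user in a passwd-format file, as edited in step 3.
passwd_field_state() {        # $1 = user, $2 = passwd file
    awk -F: -v u="$1" '$1 == u {
            if ($2 ~ /^!/)      s = "locked"
            else if ($2 == "*") s = "no-password"
            else if ($2 == "x") s = "in-shadow"
            else if ($2 == "")  s = "empty"
            else                s = "password-set"
            print s; found = 1; exit }
        END { if (!found) print "no-such-user" }' "$2"
}

# authorized_keys must exist, and neither it nor its directory may be
# writable by group or others (what sshd's StrictModes also objects to).
authorized_keys_ok() {        # $1 = .ssh directory
    [ -f "$1/authorized_keys" ] || return 1
    loose=$(find "$1" "$1/authorized_keys" -prune \
                 \( -perm -020 -o -perm -002 \) -print)
    [ -z "$loose" ]
}

audit() {   # $1 = sshd_config, $2 = passwd file, $3 = user, $4 = .ssh dir
    echo "PasswordAuthentication: $(effective_password_auth "$1")"
    echo "password field of $3: $(passwd_field_state "$3" "$2")"
    if authorized_keys_ok "$4"; then echo "authorized_keys: ok"
    else echo "authorized_keys: missing or writable by group/others"; fi
}

# On the device, as root, with the paths used in the howto:
#   sh audit.sh /etc/ssh/sshd_config /etc/passwd user /home/user/.ssh
if [ "$#" -eq 4 ]; then audit "$@"; fi
```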