The previous articles (openSSH to openSSH setup, SSH2 to SSH2 setup) explains about how to setup key based authentication on the same version of ssh to perform ssh and scp without entering password. This article explains how to setup SSH key based authentication between different version of SSH (from openSSH to SSH2) to perform ssh and scp without entering password.
1. Verify the local-host and remote-host SSH version.
In this example, local-host is running on openSSH and remote-host is running on SSH2.
[local-host]$ ssh -V OpenSSH_5.0p1, OpenSSL 0.9.8g 19 Oct 2007 [remote-host]$ ssh -V ssh: SSH Secure Shell 220.127.116.11 (non-commercial version) on i686-pc-linux-gnu [remote-host]$ ls -l /usr/local/bin/ssh lrwxrwxrwx 1 root root 4 Mar 10 22:04 /usr/local/bin/ssh -> ssh2
2. Generate key-pair on the local-host using ssh-keygen
[local-host]$ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/jsmith/.ssh/id_rsa):<Hit enter> Enter passphrase (empty for no passphrase): <Enter your passphrase here> Enter same passphrase again:<Enter your passphrase again> Your identification has been saved in /home/jsmith/.ssh/id_rsa. Your public key has been saved in /home/jsmith/.ssh/id_rsa.pub. The key fingerprint is: 3b:2a:d2:ac:8c:71:81:7e:b7:31:21:11:b8:e8:31:ad jsmith@local-host
The public key and private key are typically stored in .ssh folder under your home directory. In this example, it is under /home/jsmith/.sshd. You should not share the private key with anybody.
By default the ssh-keygen on openSSH generates RSA key pair. You can also generate DSA key pair using: ssh-keygen -t dsa command.
3. Convert openSSH public key to SSH2 public key.
On local-host that is running openSSH, convert the openSSH public key to SSH2 public key using ssh-keygen as shown below.
[local-host]$ ssh-keygen -e -f ~/.ssh/id_rsa.pub > ~/.ssh/id_rsa_ssh2.pub
4. Install the public-key on the remote-host that is running SSH2.
Create a new public key file on remote-host and copy paste the converted SSH2 key from the local-host.
[remote-host]$ vi ~/.ssh2/local-host_ssh2_key.pub
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted from OpenSSH by jsmith@local-host"
---- END SSH2 PUBLIC KEY ----
Add the above public key file name to the authorization file on the remote-host as shown below.
[remote-host]$ vi ~/.ssh2/authorization
5. Verify the Login from the local-host to remote-host using the SSH2 key authentication.
[local-host]$ ssh -l jsmith remote-host <You are on local-host here> The authenticity of host 'local-host' can't be established. DSA key fingerprint is a5:f6:2e:e6:a9:b2:7b:0e:e7:ae:cb:6c:7b:f5:6d:06. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'local-host' (DSA) to the list of known hosts. Enter passphrase for key '/home/jsmith/.ssh/id_rsa': <Enter your passphrase here> Last login: Sat Jun 21 2008 23:13:00 -0700 from 192.168.1.102 No mail. [remote-host]$ <You are on remote-host here>
There are two ways to perform ssh and scp without entering the password:
- No passphrase. While creating key pair, leave the passphrase empty. Use this option for the automated batch processing. for e.g. if you are running a cron job to copy files between machines this is suitable option. You can skip the next step steps for this method.
- Use passphrase and SSH Agent. If you are using ssh and scp interactively from the command-line and you don’t want to use the password everytime you perform ssh or scp, I don’t recommend the previous option (no passphrase), as you’ve eliminated one level of security in the ssh key based authentication. Instead, use the passphrase while creating the key pair and use SSH Agent to perform ssh and scp without having to enter the password everytime as explained in the steps below.
6. Start the SSH Agent on local-host
The SSH Agent will be running in the background to hold the private keys and perform ssh and scp without having to enter the passphrase several times.
[local-host]$ ssh-agent $SHELL
7. Load the private key to the SSH agent on the local-host.
[local-host]$ ssh-add Enter passphrase for /home/jsmith/.ssh/id_rsa:<Enter your passphrase here> Identity added: /home/jsmith/.ssh/id_rsa (/home/jsmith/.ssh/id_rsa)
8. Perform SSH or SCP to remote-home from local-host without entering the password.
[local-host]$<You are on local-host here> [local-host]$ ssh -l jsmith remote-host Last login: Sat Jun 07 2008 23:03:04 -0700 from 192.168.1.102 No mail. <ssh did not ask for passphrase this time> [remote-host]$ <You are on remote-host here>
Get the Linux Sysadmin Course Now!