=== which123 is now known as myname
=== myname is now known as which
=== which is now known as which123
=== asac_ is now known as asac
=== berlinerbaer1974 is now known as bb74
=== berlinerbaer1974 is now known as bb74
=== fdd-0 is now known as fdd
=== berlinerbaer1974 is now known as bb74
=== thekorn_ is now known as thekorn
soundray_ | Hi | 20:36 |
chamunks | hey | 20:36 |
chamunks | So where to start? | 20:36 |
soundray_ | What is it you're trying to do (simplified, first step)? | 20:36 |
chamunks | ok | 20:37 |
chamunks | sounds about right | 20:37 |
chamunks | seems what weve narrowed it down to anyways | 20:38 |
soundray_ | Tell me. | 20:38 |
chamunks | Sorry i read that wrong | 20:39 |
chamunks | ok well im trying to enable ssh to connect from my personal computers to my lan's server via ssh but am trying to omit passwords | 20:40 |
chamunks | basically | 20:40 |
soundray_ | Okay. How did you generate key pairs? | 20:41 |
chamunks | ill show you where i got started http://geekybits.blogspot.com/2007/11/passwordless-login-for-ssh.html | 20:42 |
chamunks | someone from here linked me to that earlier and i've been working through it for some time trying to customize it for my setup | 20:43 |
soundray_ | How far did you get? | 20:43 |
chamunks | well i got pretty much through it and from what i can gather theres something wrong with my keypairs | 20:43 |
chamunks | because i scp'd the "id_rsa.pub" to the remote ~/.ssh/MY_Keys | 20:45 |
chamunks | than i cat'd the text from the remote MY_keys to authorized_keys | 20:45 |
soundray_ | Sounds good. | 20:46 |
chamunks | some say that i should try having a file named authorized_keys in which i would assume would hold identical information | 20:46 |
chamunks | i also cat'd in the rsa pub key from my laptop and essentially this all should work | 20:46 |
soundray_ | Did you cat the remote ~/.ssh/MY_Keys to the remote ~/.ssh/authorized_keys ? | 20:47 |
james_w | chamunks: you may be interested in the "ssh-copy-id" command to transfer keys across | 20:47 |
james_w | also, seahorse offers a graphical way to do it. | 20:47 |
soundray_ | james_w: please don't confuse chamunks at this stage | 20:47 |
chamunks | i will keep this in mind for a later time | 20:48 |
chamunks | go on soundray_ | 20:48 |
soundray_ | Did you cat the remote ~/.ssh/MY_Keys to the remote ~/.ssh/authorized_keys ? | 20:48 |
chamunks | yes i have | 20:48 |
soundray_ | And now you're on the local (laptop I assume) and you ssh into the remote -- how? | 20:49 |
soundray_ | Let me have the command line literally, pls | 20:49 |
chamunks | ssh grab@192.168.100.157 | 20:50 |
chamunks | grab would be the user on the server side | 20:50 |
soundray_ | What exactly happens then? | 20:50 |
chamunks | it prompts me for a password | 20:50 |
soundray_ | chamunks: for the passphrase or the remote user's password? | 20:51 |
chamunks | it says "grab@192.168.100.157's password: | 20:51 |
chamunks | i didnt generate my pairs with passphrases so there should be no prompt for them afaik | 20:51 |
soundray_ | chamunks: double checking: the remote ~/.ssh is /home/grab/.ssh ? | 20:52 |
chamunks | yep | 20:52 |
soundray_ | chamunks: and the permissions on all the files in there are 600? | 20:53 |
chamunks | I will confirm that now 1 min | 20:53 |
chamunks | im getting permission denied when i try to ls .ssh/ | 20:55 |
soundray_ | chamunks: maybe the directory itself is 600 -- it should be 700. ls -ld /home/grab/.ssh | 20:55 |
soundray_ | And owned by grab of course | 20:56 |
soundray_ | Are you running back and forth to check this? | 20:57 |
chamunks | so contents should be 0600 and the directory should be 0700? | 20:58 |
soundray_ | Yes | 20:58 |
soundray_ | I'm expecting a phone call any minute, so if I drop out, that will be the reason | 20:59 |
chamunks | ok should i wait up? | 20:59 |
chamunks | if so how long? | 20:59 |
soundray_ | Better not wait - could take long. | 21:00 |
soundray_ | Anyway, what's the deal on the permissions? | 21:00 |
chamunks | ok i setup the contents to 0600 and the directory to 0700 and owner to grab | 21:00 |
chamunks | so thats all good | 21:00 |
soundray_ | Was it like that? | 21:01 |
soundray_ | Or did you have to change it? | 21:01 |
chamunks | i changed it | 21:01 |
chamunks | so ill try login again | 21:01 |
soundray_ | If you changed something, retry ssh grab@192.168.100.157 | 21:01 |
chamunks | ok its still asking for a password. | 21:02 |
soundray_ | Sorry, that's my 2c | 21:02 |
chamunks | all right ill c u later thanks for the help for now | 21:03 |
soundray_ | Maybe ask the channel again -- I'll try and pop in later to see how you got on. | 21:03 |
chamunks | thanks i have to pop into work so i may / may not still be around | 21:03 |
chamunks | james_w, would you be able to help me? | 21:04 |
ompaul | chamunks, wait 5 | 21:04 |
chamunks | sure | 21:04 |
ompaul | chamunks, want some theory about what you are about to do or just dive in? | 21:06 |
chamunks | sure | 21:06 |
chamunks | ill go for some theory | 21:07 |
chamunks | but we could probably dive right in too | 21:07 |
ompaul | just a sec I'll be free in 60 second or so | 21:07 |
chamunks | k | 21:07 |
ompaul | chamunks, ok - the theory - consider a key and a lock | 21:09 |
chamunks | ok i think im good | 21:09 |
ompaul | you are putting a lock on the far machine with the ssh-key | 21:09 |
ompaul | the key on your local machine gets you there ;-) | 21:09 |
ompaul | ok so far? | 21:10 |
chamunks | yep yep | 21:10 |
chamunks | go on | 21:10 |
ompaul | so first can you log into the far end machine i.e. the server | 21:10 |
ompaul | cd .ssh | 21:10 |
ompaul | ^^ do that | 21:10 |
chamunks | omw | 21:10 |
chamunks | done | 21:11 |
ompaul | are you intending to log in from more than one machine to this box? | 21:11 |
chamunks | using the keyfiles yes | 21:11 |
chamunks | other users can use regular login credentials | 21:12 |
ompaul | ok | 21:12 |
ompaul | so in this directory we are going to be looking at two one main file | 21:13 |
ompaul | chamunks, this file is called authorized_keys | 21:13 |
chamunks | ok | 21:13 |
chamunks | sudo nano authorized_keys? | 21:14 |
ompaul | no | 21:14 |
ompaul | that would be crude ;-) | 21:14 |
ompaul | is there anything in there at this point - that is useful? | 21:14 |
ompaul | i.e. functioning? | 21:14 |
chamunks | i have the two public keys from the two computers i would like to enable passwordless access to | 21:15 |
chamunks | and the authorized_keys file | 21:15 |
ompaul | no it would be from in here | 21:15 |
ompaul | ok lets step back a moment | 21:15 |
ompaul | the way I start off with no access to a box is this on my client side i.e. the box that wants to log into the other box I do this | 21:16 |
chamunks | where to? | 21:16 |
ompaul | so on the client I do this | 21:16 |
ompaul | ssh-keygen -t rsa | 21:16 |
ompaul | this generates two files on the client machine | 21:17 |
ompaul | id_rsa and id_rsa.pub | 21:17 |
ompaul | the one that is not called .pub is your secret key | 21:17 |
chamunks | rsa seems to be what most use now | 21:17 |
ompaul | id_rsa <<<< this one | 21:17 |
chamunks | so ill stick with rsa and regenerate a new key pair | 21:17 |
ompaul | the other one you can stick on a web server or anywhere | 21:17 |
chamunks | and follow along here | 21:18 |
ompaul | ok then on the server lets get a few things straight | 21:18 |
ompaul | are you currently logging into anywhere automatically to the server up to this moment? | 21:18 |
ompaul | I will want you to clean out rubbish which is why I am trying to get you to tell me what you have in there | 21:19 |
chamunks | ok well ill clear out all my .ssh folders if you like so we can start anew | 21:19 |
ompaul | that would be very good of you cos it means we will have you working in 5 mins | 21:20 |
ompaul | if you can type as fast as me ;-) | 21:20 |
ompaul | on the client open a terminal | 21:20 |
chamunks | dont know my wpm but ill do what i can ;) | 21:20 |
ompaul | in the terminal type the following | 21:20 |
ompaul | ssh-keygen -t rsa | 21:20 |
ompaul | tell me when it is done | 21:20 |
ompaul | (Assuming you have both directories on both machines empty at this time) | 21:21 |
chamunks | ok done | 21:21 |
ompaul | is my assumption safe? | 21:21 |
chamunks | ill just do this once on my desktop here and recreate it all later on my laptop | 21:21 |
chamunks | yeop | 21:21 |
chamunks | yep | 21:21 |
ompaul | ko | 21:21 |
ompaul | then type this: | 21:21 |
ompaul | On the CLIENT machine: scp id_rsa.pub username@SERVER:/home/user/.ssh/source-box-name.pub | 21:22 |
ompaul | it will ask you for your password to the far end machine | 21:23 |
ompaul | you do that in the .ssh directory (but I guess you know that) | 21:23 |
ompaul | are you done? | 21:23 |
chamunks | yep | 21:23 |
ompaul | in the terminal open on the server | 21:23 |
ompaul | type this | 21:23 |
chamunks | is it ok that im only ssh'd into the terminal and have no direct access? | 21:24 |
ompaul | cat source-box-name.pub > authorized_keys | 21:24 |
ompaul | it is ok | 21:24 |
ompaul | now close your session from the desktop to the server | 21:24 |
ompaul | type | 21:25 |
ompaul | ssh -C username@SERVER | 21:25 |
chamunks | ok both authorized_keys and sbn.pub are in that folder | 21:25 |
ompaul | fine | 21:25 |
ompaul | so now have you typed this: ompaul> ssh -C username@SERVER | 21:25 |
chamunks | well thank you ompaul | 21:25 |
chamunks | that worked rather well | 21:26 |
ompaul | not finished yet | 21:26 |
chamunks | it says im logged in, go on | 21:26 |
ompaul | close that | 21:26 |
ompaul | go to the laptop | 21:26 |
chamunks | ok on the laptop (i dont have an irc client on there but its here) | 21:27 |
ompaul | there is one gotcha it has to do with shell redirection do you know what I am talking about? | 21:27 |
ompaul | clean out the .ssh folder before we start up here | 21:27 |
chamunks | .ssh clean | 21:27 |
ompaul | ok | 21:27 |
chamunks | whats this gotcha | 21:28 |
ompaul | I'll name it before I type it | 21:28 |
ompaul | first | 21:28 |
ompaul | ssh-keygen -t rsa | 21:28 |
chamunks | done | 21:28 |
ompaul | scp id_rsa.pub username@SERVER:/home/user/.ssh/second-source-box-name.pub | 21:28 |
ompaul | gotcha is on the next line it is the >> to append not overwrite the authorized_keys file | 21:29 |
ompaul | cat source-box-name.pub >> authorized_keys | 21:29 |
ompaul | cos if you did > there you would overwrite the first key you had in there ;-) | 21:30 |
chamunks | ahh that is something i did not know about cat | 21:30 |
ompaul | it is about shell redirection | 21:30 |
ompaul | if I want to take the output of ls -al > file | 21:30 |
ompaul | if I do the same tomorrow it overwrites file | 21:30 |
ompaul | if however I do ls -al >> file | 21:31 |
ompaul | then I get two days worth (if there was ever any value in ls -al in the first place ;-) | 21:31 |
ompaul | ) | 21:31 |
ompaul | if the server ip changes you have problems with the hosts file it warns you about all sorts of evils like the man in the middle attack etc | 21:32 |
ompaul | so then you can remove the line if you are happy with the network | 21:32 |
chamunks | hmm | 21:33 |
chamunks | thats very handy | 21:33 |
chamunks | so you dont always have to write cat unless you need to append contents of one file to another | 21:33 |
ompaul | well you can take the output of a command with | and pass it to the next one | 21:34 |
chamunks | in cases where you're saving output (logging mayhaps) you just write > (replace) or >> (to append) | 21:34 |
ompaul | logging is a special use case and appending is normal but there are times when fresh logs are better | 21:34 |
ompaul | if you have a compile time error ;-) | 21:34 |
ompaul | you change the source the old version is no use if you keep removing the last bug | 21:35 |
ompaul | so there ya go | 21:35 |
chamunks | ompaul, this is kind of above what i've learned so far but its good to have been taught this | 21:35 |
ompaul | you could have added a password to the ssh-keygen -t rsa point if you wanted a password on the key | 21:35 |
ompaul | in case you might be afk and would be afraid that someone could take your seat and do stuff | 21:36 |
ompaul | if you had auto logins not logged in ;-) | 21:36 |
ompaul | however it is a great reason to have a screen saver or logout policy | 21:36 |
chamunks | yeah no kidding. | 21:37 |
ompaul | you don't want to be offering your access to the next person | 21:37 |
chamunks | may i ask why the -C in the ssh command? | 21:37 |
ompaul | compress | 21:37 |
ompaul | it helps even on a home lan with only two machines | 21:37 |
chamunks | ok so a good one to just append | 21:37 |
ompaul | so if you have X running on both boxes you could do this kind of thing | 21:37 |
ompaul | ssh -X user@other-box xterm | 21:38 |
ompaul | and run on your local box an xterm from the other machine | 21:38 |
ompaul | (how I play music is ogg123) but not on this box | 21:38 |
ompaul | I just control it from here | 21:39 |
ompaul | but then I am sad ;-) | 21:39 |
chamunks | heh | 21:40 |
ompaul | someone just told me in a pm - not sad, just creatively mad | 21:40 |
* ompaul is chuckling | 21:40 |
chamunks | im going to use that one | 21:40 |
ompaul | anyone got any other funky stuff they want to do with ssh or would like to "show and tel" | 21:41 |
ompaul | tell that is | 21:41 |
ompaul | suppose you wanted to lock the file from a domain or machine in a domain | 21:42 |
ompaul | but not elsewhere | 21:42 |
ompaul | you could do this: | 21:42 |
ompaul | have a file called "authorization" in the .ssh directory | 21:42 |
chamunks | well one of the reasons why i wanted this was so that i could automount a remote directory via ssh containing my music for amarok so i could use amarok to sort my library as it grows | 21:42 |
ompaul | in it have the the following lines | 21:43 |
ompaul | Key box-key.pub | 21:43 |
ompaul | Options allow-from="friendly.domain" | 21:43 |
ompaul | or -- (this line not in file) | 21:44 |
ompaul | Options deny-from="very.evil.domain" | 21:44 |
ompaul | ssh is so vast that one could write a book about it, fortunately some people have | 21:45 |
chamunks | at this point why would anyone use anything else lol | 21:45 |
chamunks | unless they dont care about other viewers that is | 21:45 |
ompaul | because vnc and krdc work well together in "OpenVPN" | 21:46 |
chamunks | chamunks, is intrigued | 21:47 |
ompaul | be aware that you can then disable passwords for logging on | 21:47 |
ompaul | with openssh so that unless you are at the machine the only way in is ssh | 21:47 |
ompaul | this means we trust the ssh server code | 21:48 |
ompaul | and given where it comes from it is reasonable to assume that it is ok - but it still needs testing | 21:48 |
chamunks | good ole openbsd team | 21:48 |
ompaul | if you wanted to wander around a file system top copy something you could use the somewhat deprecated sftp | 21:50 |
chamunks | top copy? | 21:51 |
ompaul | it behaves a little like ftp but is not half as cute as scp :) | 21:51 |
ompaul | secure F T P | 21:51 |
ompaul | to copy | 21:51 |
chamunks | ahh | 21:52 |
chamunks | now youve touched on openvpn mind giving me a debrief on vpns? | 21:52 |
ompaul | can I do that justice ;-) | 21:53 |
ompaul | I suppose so | 21:53 |
chamunks | i shouldnt ask you to after all the help you already gave me and my friends getting rather upset that im not there to enjoy apple pie yet (oops) | 21:53 |
ompaul | go grab the pie | 21:53 |
ompaul | I have to do a config of openvpn at some stage tonight but it is highly customised | 21:54 |
chamunks | oh i have to bicycle a half hour to get that this delicious debrief is right here | 21:54 |
ompaul | what I will do with you | 21:54 |
ompaul | about openvpn is give you a url read this page | 21:54 |
chamunks | ok that sounds good | 21:54 |
chamunks | good ole lit for later enjoyment | 21:54 |
ompaul | http://www.openvpn.net/index.php/documentation/howto.html | 21:55 |
ompaul | for anyone who has not been on the OpenVPN site in a while it has been totally changed but all the good data is still there | 21:55 |
ompaul | obviously the install method for Ubuntu / Debian or others in the same family is different but the configs are the same | 21:56 |
chamunks | ompaul, well many thanks for your time. You have been immensely helpful. | 21:59 |
emmet_ | #ubutu-canada | 23:54 |