[20:36] <soundray_> Hi
[20:36] <chamunks> hey
[20:36] <chamunks> So where to start?
[20:36] <soundray_> What is it you're trying to do (simplified, first step)?
[20:37] <chamunks> ok
[20:37] <chamunks> sounds about right
[20:38] <chamunks> seems that's what we've narrowed it down to anyway
[20:38] <soundray_> Tell me.
[20:39] <chamunks> Sorry, I read that wrong
[20:40] <chamunks> ok well I'm trying to enable ssh to connect from my personal computers to my LAN's server via ssh but am trying to omit passwords
[20:40] <chamunks> basically
[20:41] <soundray_> Okay. How did you generate key pairs?
[20:42] <chamunks> I'll show you where I got started http://geekybits.blogspot.com/2007/11/passwordless-login-for-ssh.html
[20:43] <chamunks> someone from here linked me to that earlier and I've been working through it for some time trying to customize it for my setup
[20:43] <soundray_> How far did you get?
[20:43] <chamunks> well I got pretty much through it and from what I can gather there's something wrong with my key pairs
[20:45] <chamunks> because I scp'd the "id_rsa.pub" to the remote ~/.ssh/MY_Keys
[20:45] <chamunks> then I cat'd the text from the remote MY_keys to authorized_keys
[20:46] <soundray_> Sounds good.
[20:46] <chamunks> some say that I should try having a file named authorized_keys, which I would assume would hold identical information
[20:46] <chamunks> I also cat'd in the rsa pub key from my laptop and essentially this all should work
[20:47] <soundray_> Did you cat the remote ~/.ssh/MY_Keys to the remote ~/.ssh/authorized_keys ?
[20:47] <james_w> chamunks: you may be interested in the "ssh-copy-id" command to transfer keys across
[20:47] <james_w> also, seahorse offers a graphical way to do it.
[20:47] <soundray_> james_w: please don't confuse chamunks at this stage
[20:48] <chamunks> I will keep this in mind for a later time
[20:48] <chamunks> go on soundray_
[20:48] <soundray_> Did you cat the remote ~/.ssh/MY_Keys to the remote ~/.ssh/authorized_keys ?
[20:48] <chamunks> yes I have
[20:49] <soundray_> And now you're on the local (laptop I assume) and you ssh into the remote -- how?
[20:49] <soundray_> Let me have the command line literally, pls
[20:50] <chamunks> ssh grab@192.168.100.157
[20:50] <chamunks> grab would be the user on the server side
[20:50] <soundray_> What exactly happens then?
[20:50] <chamunks> it prompts me for a password
[20:51] <soundray_> chamunks: for the passphrase or the remote user's password?
[20:51] <chamunks> it says "grab@192.168.100.157's password:"
[20:51] <chamunks> I didn't generate my pairs with passphrases so there should be no prompt for them afaik
[20:52] <soundray_> chamunks: double checking: the remote ~/.ssh is /home/grab/.ssh ?
[20:52] <chamunks> yep
[20:53] <soundray_> chamunks: and the permissions on all the files in there are 600?
[20:53] <chamunks> I will confirm that now 1 min
[20:55] <chamunks> I'm getting permission denied when I try to ls .ssh/
[20:55] <soundray_> chamunks: maybe the directory itself is 600 -- it should be 700. ls -ld /home/grab/.ssh
[20:56] <soundray_> And owned by grab of course
[20:57] <soundray_> Are you running back and forth to check this?
[20:58] <chamunks> so contents should be 0600 and the directory should be 0700?
[20:58] <soundray_> Yes
[20:59] <soundray_> I'm expecting a phone call any minute, so if I drop out, that will be the reason
[20:59] <chamunks> ok, should I wait up?
[20:59] <chamunks> if so how long?
[21:00] <soundray_> Better not wait - could take long.
[21:00] <soundray_> Anyway, what's the deal on the permissions?
[21:00] <chamunks> ok I set up the contents to 0600 and the directory to 0700 and owner to grab
[21:00] <chamunks> so that's all good
[21:01] <soundray_> Was it like that?
[21:01] <soundray_> Or did you have to change it?
[21:01] <chamunks> I changed it
[21:01] <chamunks> so I'll try logging in again
[21:01] <soundray_> If you changed something, retry ssh grab@192.168.100.157
[21:02] <chamunks> ok it's still asking for a password.
[21:02] <soundray_> Sorry, that's my 2c
[21:03] <chamunks> all right, I'll see you later, thanks for the help for now
[21:03] <soundray_> Maybe ask the channel again -- I'll try and pop in later to see how you got on.
[21:03] <chamunks> thanks, I have to pop into work so I may or may not still be around
[21:04] <chamunks> james_w, would you be able to help me?
[21:04] <ompaul> chamunks, wait 5
[21:04] <chamunks> sure
[21:06] <ompaul> chamunks, want some theory about what you are about to do or just dive in?
[21:06] <chamunks> sure
[21:07] <chamunks> I'll go for some theory
[21:07] <chamunks> but we could probably dive right in too
[21:07] <ompaul> just a sec, I'll be free in 60 seconds or so
[21:07] <chamunks> k
[21:09] <ompaul> chamunks, ok - the theory - consider a key and a lock
[21:09] <chamunks> ok I think I'm good
[21:09] <ompaul> you are putting a lock on the far machine with the ssh-key
[21:09] <ompaul> the key on your local machine gets you there ;-)
[21:10] <ompaul> ok so far?
[21:10] <chamunks> yep yep
[21:10] <chamunks> go on
[21:10] <ompaul> so first can you log into the far end machine i.e. the server
[21:10] <ompaul> cd .ssh
[21:10] <ompaul> ^^ do that
[21:10] <chamunks> omw
[21:11] <chamunks> done
[21:11] <ompaul> are you intending to log in from more than one machine to this box?
[21:11] <chamunks> using the keyfiles yes
[21:12] <chamunks> other users can use regular login credentials
[21:12] <ompaul> ok
[21:13] <ompaul> so in this directory we are going to be looking at one main file
[21:13] <ompaul> chamunks, this file is called authorized_keys
[21:13] <chamunks> ok
[21:14] <chamunks> sudo nano authorized_keys?
[21:14] <ompaul> no
[21:14] <ompaul> that would be crude ;-)
[21:14] <ompaul> is there anything in there at this point - that is useful?
[21:14] <ompaul> i.e. functioning?
[21:15] <chamunks> I have the two public keys from the two computers I would like to enable passwordless access to
[21:15] <chamunks> and the authorized_keys file
[21:15] <ompaul> no it would be from in here
[21:15] <ompaul> ok let's step back a moment
[21:16] <ompaul> the way I start off with no access to a box is this: on my client side, i.e. the box that wants to log into the other box, I do this
[21:16] <chamunks> where to?
[21:16] <ompaul> so on the client I do this
[21:16] <ompaul> ssh-keygen -t rsa
[21:17] <ompaul> this generates two files on the client machine
[21:17] <ompaul> id_rsa and id_rsa.pub
[21:17] <ompaul> the one that is not called .pub is your secret key
[21:17] <chamunks> rsa seems to be what most use now
[21:17] <ompaul> id_rsa <<<< this one
[21:17] <chamunks> so I'll stick with rsa and regenerate a new key pair
[21:17] <ompaul> the other one you can stick on a web server or anywhere
[21:18] <chamunks> and follow along here
[21:18] <ompaul> ok then on the server let's get a few things straight
[21:18] <ompaul> are you currently logging into anywhere automatically to the server up to this moment?
[21:19] <ompaul> I will want you to clean out rubbish which is why I am trying to get you to tell me what you have in there
[21:19] <chamunks> ok well I'll clear out all my .ssh folders if you like so we can start anew
[21:20] <ompaul> that would be very good of you cos it means we will have you working in 5 mins
[21:20] <ompaul> if you can type as fast as me ;-)
[21:20] <ompaul> on the client open a terminal
[21:20] <chamunks> don't know my wpm but I'll do what I can ;)
[21:20] <ompaul> in the terminal type the following
[21:20] <ompaul> ssh-keygen -t rsa
[21:20] <ompaul> tell me when it is done
[21:21] <ompaul> (Assuming you have both directories on both machines empty at this time)
[21:21] <chamunks> ok done
[21:21] <ompaul> is my assumption safe?
[21:21] <chamunks> I'll just do this once on my desktop here and recreate it all later on my laptop
[21:21] <chamunks> yeop
[21:21] <chamunks> yep
[21:21] <ompaul> ok
[21:21] <ompaul> then type this:
[21:22] <ompaul> On the CLIENT machine: scp id_rsa.pub username@SERVER:/home/user/.ssh/source-box-name.pub
[21:23] <ompaul> it will ask you for your password to the far end machine
[21:23] <ompaul> you do that in the .ssh directory (but I guess you know that)
[21:23] <ompaul> are you done?
[21:23] <chamunks> yep
[21:23] <ompaul> in the terminal open on the server
[21:23] <ompaul> type this
[21:24] <chamunks> is it ok that I'm only ssh'd into the terminal and have no direct access?
[21:24] <ompaul> cat source-box-name.pub > authorized_keys
[21:24] <ompaul> it is ok
[21:24] <ompaul> now close your session from the desktop to the server
[21:25] <ompaul> type
[21:25] <ompaul> ssh -C username@SERVER
[21:25] <chamunks> ok both authorized_keys and sbn.pub are in that folder
[21:25] <ompaul> fine
[21:25] <ompaul> so now have you typed this: ssh -C username@SERVER
[21:25] <chamunks> well thank you ompaul
[21:26] <chamunks> that worked rather well
[21:26] <ompaul> not finished yet
[21:26] <chamunks> it says I'm logged in, go on
[21:26] <ompaul> close that
[21:26] <ompaul> go to the laptop
[21:27] <chamunks> ok on the laptop (I don't have an IRC client on there but it's here)
[21:27] <ompaul> there is one gotcha, it has to do with shell redirection, do you know what I am talking about?
[21:27] <ompaul> clean out the .ssh folder before we start up here
[21:27] <chamunks> .ssh clean
[21:27] <ompaul> ok
[21:28] <chamunks> what's this gotcha?
[21:28] <ompaul> I'll name it before I type it
[21:28] <ompaul> first
[21:28] <ompaul> ssh-keygen -t rsa
[21:28] <chamunks> done
[21:28] <ompaul> scp id_rsa.pub username@SERVER:/home/user/.ssh/second-source-box-name.pub
[21:29] <ompaul> gotcha is on the next line: it is the >> to append, not overwrite, the authorized_keys file
[21:29] <ompaul> cat second-source-box-name.pub >> authorized_keys
[21:30] <ompaul> cos if you did > there you would overwrite the first key you had in there ;-)
[21:30] <chamunks> ahh that is something I did not know about cat
[21:30] <ompaul> it is about shell redirection
[21:30] <ompaul> if I want to take the output of ls -al > file
[21:30] <ompaul> if I do the same tomorrow it overwrites file
[21:31] <ompaul> if however I do ls -al >> file
[21:31] <ompaul> then I get two days worth (if there was ever any value in ls -al in the first place ;-)
[21:31] <ompaul> )
[21:32] <ompaul> if the server IP changes you have problems with the hosts file; it warns you about all sorts of evils like the man-in-the-middle attack etc.
[21:32] <ompaul> so then you can remove the line if you are happy with the network
[21:33] <chamunks> hmm
[21:33] <chamunks> that's very handy
[21:33] <chamunks> so you don't always have to write cat unless you need to append the contents of one file to another
[21:34] <ompaul> well you can take the output of a command with | and pass it to the next one
[21:34] <chamunks> in cases where you're saving output (logging mayhaps) you just write > (replace) or >> (to append)
[21:34] <ompaul> logging is a special use case and appending is normal but there are times when fresh logs are better
[21:34] <ompaul> if you have a compile time error ;-)
[21:35] <ompaul> you change the source; the old version is no use if you keep removing the last bug
[21:35] <ompaul> so there ya go
[21:35] <chamunks> ompaul, this is kind of above what I've learned so far but it's good to have been taught this
[21:35] <ompaul> you could have added a password to the ssh-keygen -t rsa point if you wanted a password on the key
[21:36] <ompaul> in case you might be afk and would be afraid that someone could take your seat and do stuff
[21:36] <ompaul> if you had auto logins not logged in ;-)
[21:36] <ompaul> however it is a great reason to have a screen saver or logout policy
[21:37] <chamunks> yeah no kidding.
[21:37] <ompaul> you don't want to be offering your access to the next person
[21:37] <chamunks> may I ask why the -C in the ssh command?
[21:37] <ompaul> compress
[21:37] <ompaul> it helps even on a home lan with only two machines
[21:37] <chamunks> ok so a good one to just append
[21:37] <ompaul> so if you have X running on both boxes you could do this kind of thing
[21:38] <ompaul> ssh -X user@other-box xterm
[21:38] <ompaul> and run on your local box an xterm from the other machine
[21:38] <ompaul> (how I play music is ogg123) but not on this box
[21:39] <ompaul> I just control it from here
[21:39] <ompaul> but then I am sad ;-)
[21:40] <chamunks> heh
[21:40] <ompaul> someone just told me in a pm - not sad, just creatively mad
[21:40]  * ompaul is chuckling
[21:40] <chamunks> I'm going to use that one
[21:41] <ompaul> anyone got any other funky stuff they want to do with ssh or would like to "show and tel"
[21:41] <ompaul> tell that is
[21:42] <ompaul> suppose you wanted to lock the file from a domain or machine in a domain
[21:42] <ompaul> but not elsewhere
[21:42] <ompaul> you could do this:
[21:42] <ompaul> have a file called "authorization" in the .ssh directory
[21:42] <chamunks> well one of the reasons why I wanted this was so that I could automount a remote directory via ssh containing my music for amarok so I could use amarok to sort my library as it grows
[21:43] <ompaul> in it have the following lines
[21:43] <ompaul> Key box-key.pub
[21:43] <ompaul> Options allow-from="friendly.domain"
[21:44] <ompaul> or -- (this line not in file)
[21:44] <ompaul> Options deny-from="very.evil.domain"
[21:45] <ompaul> ssh is so vast that one could write a book about it, fortunately some people have
[21:45] <chamunks> at this point why would anyone use anything else lol
[21:45] <chamunks> unless they don't care about other viewers that is
[21:46] <ompaul> because vnc and krdc work well together in "OpenVPN"
[21:47] <chamunks> chamunks is intrigued
[21:47] <ompaul> be aware that you can then disable passwords for logging on
[21:47] <ompaul> with openssh so that unless you are at the machine the only way in is ssh
[21:48] <ompaul> this means we trust the ssh server code
[21:48] <ompaul> and given where it comes from it is reasonable to assume that it is ok - but it still needs testing
[21:48] <chamunks> good ole openbsd team
[21:50] <ompaul> if you wanted to wander around a file system top copy something you could use the somewhat deprecated sftp
[21:51] <chamunks> top copy?
[21:51] <ompaul> it behaves a little like ftp but is not half as cute as scp :)
[21:51] <ompaul> secure F T P
[21:51] <ompaul> to copy
[21:52] <chamunks> ahh
[21:52] <chamunks> now you've touched on openvpn, mind giving me a debrief on VPNs?
[21:53] <ompaul> can I do that justice ;-)
[21:53] <ompaul> I suppose so
[21:53] <chamunks> I shouldn't ask you to after all the help you already gave me, and my friend's getting rather upset that I'm not there to enjoy apple pie yet (oops)
[21:53] <ompaul> go grab the pie
[21:54] <ompaul> I have to do a config of openvpn at some stage tonight but it is highly customised
[21:54] <chamunks> oh I have to bicycle a half hour to get that; this delicious debrief is right here
[21:54] <ompaul> what I will do with you
[21:54] <ompaul> about openvpn is give you a url read this page
[21:54] <chamunks> ok that sounds good
[21:54] <chamunks> good ole lit for later enjoyment
[21:55] <ompaul> http://www.openvpn.net/index.php/documentation/howto.html
[21:55] <ompaul> for anyone who has not been on the OpenVPN site in a while it has been totally changed but all the good data is still there
[21:56] <ompaul> obviously the install methods for Ubuntu / Debian or others in the same family are different but the configs are the same
[21:59] <chamunks> ompaul, well many thanks for your time.  You have been immensely helpful.
[23:54] <emmet_> #ubutu-canada