The following procedure sets up a public key system where the client host's public key is used to authenticate the client on the server. The user must also create a public/private key pair.
In the procedure, the terms client and local host refer to the machine where a user types the ssh command. The terms server and remote host refer to the machine that the client is trying to reach.
Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
On the client, enable host-based authentication.
In the client configuration file, /etc/ssh/ssh_config, type the following entry:
HostbasedAuthentication yes
For the syntax of the file, see the ssh_config(4) man page.
On the server, enable host-based authentication.
In the server configuration file, /etc/ssh/sshd_config, type the same entry:
HostbasedAuthentication yes
For the syntax of the file, see the sshd_config(4) man page.
On the server, configure a file that enables the client to be recognized as a trusted host.
For more information, see the FILES section of the sshd(1M) man page.
On the server, ensure that the sshd daemon can access the list of trusted hosts.
Set IgnoreRhosts to no in the /etc/ssh/sshd_config file.
## sshd_config
IgnoreRhosts no
Ensure that users of Solaris Secure Shell at your site have accounts on both hosts.
Do one of the following to put the client's public key on the server.
Modify the sshd_config file on the server, then instruct your users to add the client's public host keys to their ~/.ssh/known_hosts file.
## sshd_config
IgnoreUserKnownHosts no
For user instructions, see How to Generate a Public/Private Key Pair for Use With Solaris Secure Shell.
Copy the client's public key to the server.
The host keys are stored in the /etc/ssh directory. The keys are typically generated by the sshd daemon on first boot.
Add the key to the /etc/ssh/ssh_known_hosts file on the server.
On the client, type the command on one line with no backslash.
# cat /etc/ssh/ssh_host_dsa_key.pub | ssh RemoteHost \
'cat >> /etc/ssh/ssh_known_hosts && echo "Host key copied"'
When you are prompted, supply your login password.
When the file is copied, the message “Host key copied” is displayed.
Each line in the /etc/ssh/ssh_known_hosts file consists of fields that are separated by spaces:
hostnames algorithm-name publickey comment
Edit the /etc/ssh/ssh_known_hosts file and add RemoteHost as the first field in the copied entry.
## /etc/ssh/ssh_known_hosts File
RemoteHost <copied entry>
In the following example, each host is configured as both a server and a client, so a user on either host can initiate an ssh connection to the other host. The configuration consists of the following entries:
On each host, the Solaris Secure Shell configuration files contain the following entries:
## /etc/ssh/ssh_config
HostBasedAuthentication yes
#
## /etc/ssh/sshd_config
HostBasedAuthentication yes
IgnoreRhosts no
On each host, the shosts.equiv file contains an entry for the other host:
## /etc/ssh/shosts.equiv on machine2
machine1
## /etc/ssh/shosts.equiv on machine1
machine2
The public key for each host is in the /etc/ssh/ssh_known_hosts file on the other host:
## /etc/ssh/ssh_known_hosts on machine2
… machine1
## /etc/ssh/ssh_known_hosts on machine1
… machine2
Users have an account on both hosts:
## /etc/passwd on machine1
jdoe:x:3111:10:J Doe:/home/jdoe:/bin/sh
## /etc/passwd on machine2
jdoe:x:3111:10:J Doe:/home/jdoe:/bin/sh
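To verify that a server carries every setting the procedure above requires, the following audit script, added here and not part of the Solaris documentation, reads sshd_config, shosts.equiv and ssh_known_hosts and reports what is missing; it is run against constructed fixtures that stand in for the files on machine2 trusting machine1. It assumes that keyword matching in sshd_config is case-insensitive and that the first occurrence of a keyword wins, and the check functions take file paths as parameters so they can be pointed at the real files.

```shell
#!/bin/sh
# Added audit script, not from the Solaris documentation: checks that a server
# carries every setting this procedure requires for host-based authentication.
# Assumed: keyword matching is case-insensitive and the first occurrence of a
# keyword in sshd_config wins; paths are parameters so copies or fixtures can be checked.

# Print the effective value of KEYWORD in an ssh_config/sshd_config-style FILE.
# Usage: ssh_conf_value FILE KEYWORD
ssh_conf_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }      # skip comments and blank lines
        tolower($1) == key { print $2; exit }    # first occurrence wins
    ' "$1"
}

# Succeed only if SSHD_CONFIG has HostbasedAuthentication yes and IgnoreRhosts no,
# SHOSTS_EQUIV lists CLIENT, and SSH_KNOWN_HOSTS has a complete entry
# (hostnames algorithm-name publickey ...) whose hostnames field includes CLIENT.
# Usage: check_hostbased_server SSHD_CONFIG SHOSTS_EQUIV SSH_KNOWN_HOSTS CLIENT
check_hostbased_server() {
    cfg=$1 equiv=$2 known=$3 client=$4
    [ "$(ssh_conf_value "$cfg" HostbasedAuthentication)" = yes ] ||
        { echo "FAIL: HostbasedAuthentication is not yes in $cfg"; return 1; }
    [ "$(ssh_conf_value "$cfg" IgnoreRhosts)" = no ] ||
        { echo "FAIL: IgnoreRhosts is not no in $cfg"; return 1; }
    grep -qx "$client" "$equiv" ||
        { echo "FAIL: $client is not listed in $equiv"; return 1; }
    # The hostnames field may hold several comma-separated names; a key pasted
    # without a hostname field (only two fields) must not count as a match.
    awk -v h="$client" '!/^#/ && NF >= 3 { n = split($1, a, ",")
        for (i = 1; i <= n; i++) if (a[i] == h) found = 1 } END { exit !found }' "$known" ||
        { echo "FAIL: no host key for $client in $known"; return 1; }
    echo "OK: $cfg, $equiv and $known allow host-based logins from $client"
}

# Constructed fixtures standing in for the files on machine2; key material is a placeholder.
FIX=$(mktemp -d)
printf '## sshd_config\nHostBasedAuthentication yes\nIgnoreRhosts no\n' > "$FIX/sshd_config.good"
printf 'IgnoreRhosts yes\nHostbasedAuthentication yes\n' > "$FIX/sshd_config.bad"
printf 'machine1\n' > "$FIX/shosts.equiv"
printf 'machine1,machine1.example.com ssh-dss AAAAB3NzaC1kc3MAAACB...placeholder machine1 host key\n' > "$FIX/ssh_known_hosts.good"
printf 'ssh-dss AAAAB3NzaC1kc3MAAACB...placeholder\n' > "$FIX/ssh_known_hosts.nohost"

if check_hostbased_server "$FIX/sshd_config.good" "$FIX/shosts.equiv" "$FIX/ssh_known_hosts.good" machine1; then
    echo "machine2 is ready to accept host-based authentication from machine1"
fi
```

The sshd_config.bad fixture sets IgnoreRhosts twice, with yes first, so the check fails on it even though the later line says no.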