Notes on SSH (last updated July 4, 2002)


Note: Over the past week or so, we have been upgrading the version of ssh installed on our local systems (the bh, lnx and vn machines) in response to a security issue. In the process of doing so, we have encountered problems with the use of ssh Version 1 keys for password-less access to and from these local systems.

The proposed "fix" for such problems is to use Version 2 style keys as follows.

Step 1: On one of the local LINUX (not SGI) machines, generate an id_rsa and id_rsa.pub pair as follows (this machine will subsequently be referred to as your home machine):

% ssh-keygen -t rsa
ssh-keygen will create the files ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub. When prompted for a passphrase, simply hit return (to use a null passphrase).

If such files already exist, ssh-keygen will warn you that you will be overwriting them if you proceed. If you get such a warning, type n to abort the key generation, since you have already generated the requisite keys.

Step 2: Copy the contents of ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys on any and all machines to which you want to be able to ssh to without being prompted for a password (typically done using a text editor). This includes the machine on which you generated the key. Note that by "machines" here, I mean all clusters of machines for which you have a distinct home directory (e.g. home directories on the bh and vn machines are distinct).

The authorized_keys files can contain an arbitrary number of entries, one per line, but one of the entries must be identical to the contents of id_rsa.pub.

Step 3: Copy the files ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub (using scp e.g.) to ~/.ssh on any other systems on which you wish to duplicate the identity you have created in Step 1. This will effectively make your accounts on these other systems mirrors of that used in Step 1 with respect to ssh.

Sample commands:

my-workstation% cd ~/.ssh
my-workstation% scp id_rsa id_rsa.pub myaccount@somemachine.somewhere.ca:~/.ssh

Comment: Once you have generated a key pair, and have installed the keys in ~/.ssh/authorized_keys on your home machine, Steps 1 and 2 can be combined any time you get a new account to which you want password-less ssh access; i.e. when you get such an account, simply scp all three files

~/.ssh/id_rsa
~/.ssh/id_rsa.pub 
~/.ssh/authorized_keys
to ~/.ssh on the new account.
Report any problems encountered to Matt.