How to SSH and SCP from SSH2 to OpenSSH without a password

Author: JIYIK  Last Updated: 2025/04/07

In our previous article, we discussed how to set up ssh key-based authentication to perform ssh and scp without a password in the following three scenarios:

  1. OpenSSH to OpenSSH
  2. OpenSSH to SSH2
  3. SSH2 to SSH2

In this article, I will explain how to do ssh and scp from SSH2 (local host) to OpenSSH (remote host) without a password.

1. Identify the local host and remote host SSH version

In this example, the local host is running SSH2 and the remote host is running OpenSSH.

[jiyik.com@local-host]$ ssh -V
ssh: SSH Secure Shell 3.2.9.1 (non-commercial version) on i686-pc-linux-gnu

[jiyik.com@remote-host]$ ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006

2. Use ssh-keygen2 to generate an SSH2 authentication key pair on the local host

On SSH2, ssh-keygen is a soft link to ssh-keygen2, as shown below.

[jiyik.com@local-host]$ ls -l /usr/local/bin/ssh-keygen
lrwxrwxrwx  1 root root 11 Jul 31  2006 /usr/local/bin/ssh-keygen -> ssh-keygen2

[jiyik.com@local-host]$ ssh-keygen
Generating 2048-bit dsa key pair
7 o.oOo..oOo.o
Key generated.
2048-bit dsa, jiyik@local-host, Sun Oct 19 2022 14:49:42 -0700
Passphrase : [Enter the password here]
Again      :
Private key saved to /home/jiyik/.ssh2/id_dsa_2048_a
Public key saved to /home/jiyik/.ssh2/id_dsa_2048_a.pub

The public and private keys are stored in the .ssh2 folder under your home directory. In this case, it is located under /home/jiyik/.ssh2.

We should not share the private key with anyone.

By default, ssh-keygen2 generates a DSA (Digital Signature Algorithm) key pair. We can also generate an RSA key pair as shown below.

[jiyik.com@local-host]$ ssh-keygen -t rsa

3. Copy the SSH2 public key from the local host to the remote host running OpenSSH

Copy the file /home/jiyik/.ssh2/id_dsa_2048_a.pub on the local host to /home/jiyik/.ssh/id_dsa_1024_a.pub on the remote host. To do this, run vi /home/jiyik/.ssh/id_dsa_1024_a.pub on the remote host and paste in the contents of the public key from the local host.

[jiyik.com@remote-host]$ vi /home/jsmith/.ssh/id_dsa_1024_a.pub
---- BEGIN SSH2 PUBLIC KEY ----
Subject: jsmith
Comment: "2048-bit dsa, jsmith@local-host Sun Oct 19 2022 14:49:42 -070\
0"
---- END SSH2 PUBLIC KEY ----

4. On the local host, create the ~/.ssh2/identification file

Create the following file on the local host.

[jiyik.com@local-host]$ vim ~/.ssh2/identification
IdKey id_dsa_2048_a

5. On the remote host, convert the SSH2 public key to an OpenSSH public key

This should be done on the remote host running OpenSSH. Only OpenSSH can convert keys back and forth between the OpenSSH and SSH2 formats.

[jiyik.com@remote-host]$ ssh-keygen -i -f ~/.ssh/id_dsa_1024_a.pub > \
~/.ssh/id_dsa_1024_a_openssh.pub

Copy the converted OpenSSH public key from the ~/.ssh/id_dsa_1024_a_openssh.pub file into the authorized_keys file as shown below.

[jiyik.com@remote-host]$ vi ~/.ssh/authorized_keys
ssh-dss 5iGSvMtmBBj8wQdegAEBALVa6VKtALZkydlOiPasikEQfujH07tjW+OffaRufFD
G0VQESjq+YlVTWcXxStz0xGlvJ/dayVqBvvHzMao8bwGC+HFUtH1un7uyIEwOqU1fNzEpgh
C97s143S8zBcTAGtdegte3IqmlLbp/ZCd6bcJLvZEepMz96nlNB4NJ5UYIfdgXNhf/TrJD8
COWQst6jsP6RG/WrpHiI4QVDM6tZVZ4CnGjm1QPkRnf/o5YMFJZRo4Iwc7+bgYrIyywBZnf
LL7TRTk9TBfWzgJHy/y1tTtCMvVooWvFZbG5AiV3de63MxBaD0o68SASyXZzVM+MabXhjcd
XFY2vjq2vJxOzunEAAAAVAOTeOzDCnj3K5iGSvMtmBBj8wQGHAAABAA38sGpHEfSxLx5MjQ
dFYXpHCaZ/xuKPXr4DFugGl8MRDU8TwioNE9kRi0Ko/kB5LTHuGhMPHGshMJeVGiPQTrt9N
AzgYyJeT9RB9VZadgElMvQ9S0+fo6ipOA==
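
What the conversion in this step does to the key file, as an added example that is not part of the original article; on a real host use ssh-keygen -i as shown above. The function names and the sample key (an ssh-dss type field followed by zero bytes, not a usable key) are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn an SSH2 (RFC 4716) public key file into the one-line
# OpenSSH form used in authorized_keys. Function names are hypothetical.

ssh2_to_openssh() {
    file=$1
    # Drop the BEGIN/END markers and the headers (Subject:, Comment:, ...).
    # A header line ending in "\" continues on the next line.
    blob=$(awk '
        /^---- (BEGIN|END) SSH2 PUBLIC KEY ----/ { next }
        cont               { cont = ($0 ~ /\\$/); next }
        /^[A-Za-z0-9-]+:/  { cont = ($0 ~ /\\$/); next }
                           { gsub(/[ \t\r]/, ""); printf "%s", $0 }
    ' "$file") || return 1
    [ -n "$blob" ] || { echo "no key data in $file" >&2; return 1; }

    # The decoded blob starts with a 4-byte big-endian length followed by
    # the key type name (for example "ssh-dss" or "ssh-rsa").
    set -- $(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -tu1 -N4)
    [ $# -eq 4 ] || { echo "key data is not valid base64" >&2; return 1; }
    len=$(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
    [ "$len" -ge 1 ] && [ "$len" -le 64 ] || { echo "bad type length" >&2; return 1; }
    type=$(printf '%s' "$blob" | base64 -d 2>/dev/null |
           dd bs=1 skip=4 count="$len" 2>/dev/null)
    case $type in
        ssh-*|ecdsa-*) printf '%s %s\n' "$type" "$blob" ;;
        *) echo "unexpected key type field" >&2; return 1 ;;
    esac
}

# Constructed sample key file (placeholder key data, not a real key).
demo_ssh2_key() {
cat <<'EOF'
---- BEGIN SSH2 PUBLIC KEY ----
Subject: jiyik
Comment: "constructed sample, type field plus zero bytes, not a usable \
key"
AAAAB3NzaC1kc3MAAAAAAAAA
AAAAAAAAAAAA
---- END SSH2 PUBLIC KEY ----
EOF
}

tmp=$(mktemp) && demo_ssh2_key > "$tmp" && ssh2_to_openssh "$tmp"
rm -f "$tmp"
```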

6. Set appropriate permissions to the .ssh directory on the remote host

On the remote host running OpenSSH, make sure the following permissions are set. Without this you will run into all sorts of weird issues with ssh.

[jiyik.com@remote-host]$ chmod 755 ~
[jiyik.com@remote-host]$ chmod 755 ~/.ssh
[jiyik.com@remote-host]$ chmod 644 ~/.ssh/authorized_keys
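
A check for the condition this step guards against, as an added example that is not part of the original article: with StrictModes enabled (the default), OpenSSH's sshd ignores authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others. The function names are hypothetical, and file ownership, which sshd also checks, is left out.

```shell
#!/bin/sh
# Added example: report paths that are writable by group or others.
# The modes from step 6 (755/755/644) pass; so do the tighter 700/700/600.

# True if the path is group- or world-writable (POSIX find, no GNU stat).
is_loose() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Check the three paths from step 6; returns 0 only if all of them pass.
check_ssh_perms() {
    home=${1:-$HOME}
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            bad=1
        elif is_loose "$p"; then
            echo "LOOSE    $p (fix with: chmod go-w)"
            bad=1
        else
            echo "OK       $p"
        fi
    done
    return "$bad"
}

# Demo on a constructed directory tree: authorized_keys is group-writable.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && : > "$demo/.ssh/authorized_keys"
chmod 755 "$demo" "$demo/.ssh"
chmod 664 "$demo/.ssh/authorized_keys"
check_ssh_perms "$demo" || true
rm -rf "$demo"
```

On the remote host, run `check_ssh_perms` with no argument to check the current user's home directory.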

7. Log in to the remote host from the local host using SSH key authentication

Perform an ssh from the local host (SSH2) to the remote host (OpenSSH) as shown below to verify that the key-based authentication is working properly.

[jiyik.com@local-host]$ [You are on local-host here]

[jiyik.com@local-host]$ ssh -l jiyik remote-host
Host key not found from database.
Key fingerprint:
bitaz-navun-gogus-mptop-ljilk-qwlem-ftrtm-llmak-topok-zuiof-bnmix
You can get a public key's fingerprint by running
% ssh-keygen -F publickey.pub on the keyfile.
Are you sure you want to continue connecting (yes/no)? yes
Host key saved to /home/jiyik/.ssh2/hostkeys/key_22_remote-host.pub
host key for remote-host, accepted by jsmith Sun Oct 19 2022 15:06:42 -0700

Passphrase for key "/home/jiyik/.ssh2/id_dsa_2048_a" with comment "2048-bit
dsa, jsmith@local-host, Sun Oct 19 2022 14:49:42 -0700":[Enter password]
Last login: Sun Oct 19 14:01:48 2022 from 192.168.1.10

[jiyik.com@remote-host]$ [You are on remote-host here]

Note: If we get the following error while performing ssh or scp from the local host to the remote host, refer to How to troubleshoot algorithm negotiation failure on SSH to resolve this issue.

[jiyik.com@local-host]$ ssh -l jsmith remote-host
warning: Authentication failed.
Disconnected; key exchange or algorithm negotiation failed
(Algorithm negotiation failed.)

There are two ways to execute ssh and scp without entering a password:

  • No passphrase: When creating the key pair, leave the passphrase blank. Use this option for automated batch processing. For example, if we are running a cron job to copy files between machines, this is a suitable choice. In that case, we can skip the remaining steps.
  • Using a passphrase and SSH agent: If we use ssh and scp interactively from the command line and don't want to enter a passphrase every time, I don't recommend the previous option (no passphrase), because it eliminates one level of security in ssh key-based authentication. Instead, use a passphrase when creating the key pair and use an SSH agent to perform ssh and scp without having to enter the passphrase every time, as described in the steps below.

8. Start SSH agent on local host

The SSH agent runs in the background and holds your private keys, so that you can perform ssh and scp without having to enter your passphrase multiple times.

[jiyik.com@local-host]$ ssh-agent $SHELL

9. Load the private key into the SSH agent on the local host

[jiyik.com@local-host]$ ssh-add

Adding identity: /home/jiyik/.ssh2/id_dsa_2048_a.pub
Need passphrase for /home/jiyik/.ssh2/id_dsa_2048_a (2048-bit dsa,
jiyik@local-host, Sun Oct 19 2008 14:49:42 -0700).
Enter passphrase:[Enter your passphrase here]

10. Perform SSH or SCP from local host to remote host without entering password

[jiyik.com@local-host]$ [You are on local-host here]

[jiyik.com@local-host]$ ssh -l jsmith remote-host
Last login: Sun Oct 19 14:20:48 2022 from 192.168.1.10

[jiyik.com@remote-host]$ [You are on remote-host here]
