12.07.2015 Views

Red Hat Enterprise Linux 5 Administration Unleashed


362 CHAPTER 17 Securing Remote Logins with OpenSSH

Passphrases are unique per user and must be created by each user while logged in with the corresponding username. Red Hat Enterprise Linux 5 uses SSH Protocol 2 and RSA keys by default. To generate an RSA key pair for SSH version 2, use the following command:

    ssh-keygen -t rsa

As demonstrated in Listing 17.4, press Enter to accept the default location of $HOME/.ssh/id_rsa after the key pair is generated. When prompted for a passphrase, type a passphrase to use and type it again to confirm. The passphrase should be different from the user’s password and should contain a combination of numbers and letters to make it more secure. Remember it can contain spaces and tabs. The RSA public key is then written to $HOME/.ssh/id_rsa.pub while the private key is written to $HOME/.ssh/id_rsa.

LISTING 17.4 Generating a Passphrase

    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/tfox/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/tfox/.ssh/id_rsa.
    Your public key has been saved in /home/tfox/.ssh/id_rsa.pub.
    The key fingerprint is:
    ed:09:c2:a8:31:1f:11:85:0a:5e:c0:ab:16:b6:f1:98 tfox@rhel5

CAUTION
The private key file should never be accessible by anyone other than the user who created it. It is created with read-write file permissions for the user only. These permissions should not be altered.

After successfully generating the key pair, copy the contents of the public key file $HOME/.ssh/id_rsa.pub to $HOME/.ssh/authorized_keys on all the systems you want to connect to with the SSH tools. If the authorized_keys file already exists, append the contents of $HOME/.ssh/id_rsa.pub to it. If the .ssh/ directory does not exist in your home directory on the remote systems, it must be created so that only you, the owner, can access it. To change the permissions for it, execute the command chmod 0700 $HOME/.ssh on the remote system. The $HOME/.ssh/authorized_keys file on each remote system must have the same permissions as the $HOME/.ssh/id_rsa.pub file created by ssh-keygen. Change its permissions with the chmod 644 $HOME/.ssh/authorized_keys command on each remote system to which you will be connecting.

After creating an RSA key pair and distributing the public key to the remote systems, when the ssh command is executed, the user will be prompted for the passphrase used to create the key pair instead of being prompted for a password for authentication.
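The directory, append, and permission steps described above, collected into an added shell example that is not from the book. The function names mode_is, install_pubkey and audit_ssh_dir are hypothetical helpers; the script appends the key only once and audits the modes the text calls for.

```shell
#!/bin/sh
# Added example (not from the book): helper names are hypothetical.

# True when PATH has exactly the octal permission bits MODE.
mode_is() { [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]; }

# install_pubkey HOME_DIR PUBKEY_FILE
# Run on the remote system: create .ssh (0700), append the key once, set 644.
install_pubkey() {
    ssh_dir=$1/.ssh
    auth=$ssh_dir/authorized_keys
    [ -s "$2" ] || { echo "no public key at $2" >&2; return 1; }
    key_line=$(head -n 1 "$2")
    [ -n "$key_line" ] || { echo "first line of $2 is empty" >&2; return 1; }
    mkdir -p "$ssh_dir" && chmod 0700 "$ssh_dir" || return 1
    touch "$auth" || return 1
    # If the existing file lacks a final newline, add one so that the
    # new key does not get glued onto the previous entry.
    [ -z "$(tail -c 1 "$auth")" ] || echo >> "$auth"
    # Append only when this exact line is absent, so reruns are harmless.
    grep -qxF -- "$key_line" "$auth" || printf '%s\n' "$key_line" >> "$auth"
    chmod 644 "$auth"
}

# audit_ssh_dir HOME_DIR
# Report deviations from the permissions the text requires; non-zero on failure.
audit_ssh_dir() {
    ssh_dir=$1/.ssh
    rc=0
    mode_is "$ssh_dir" 700 || { echo "FAIL: $ssh_dir is not 0700"; rc=1; }
    if [ -e "$ssh_dir/id_rsa" ]; then
        mode_is "$ssh_dir/id_rsa" 600 ||
            { echo "FAIL: $ssh_dir/id_rsa is not 0600"; rc=1; }
    fi
    if [ -e "$ssh_dir/authorized_keys" ]; then
        # Group or other write access would let another account add a key.
        writable=$(find "$ssh_dir/authorized_keys" -prune \
            \( -perm -020 -o -perm -002 \))
        [ -z "$writable" ] ||
            { echo "FAIL: authorized_keys is group/other writable"; rc=1; }
    fi
    return $rc
}
```

On the remote system, call install_pubkey "$HOME" with the path of the copied id_rsa.pub, then audit_ssh_dir "$HOME" to confirm the result.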
