Step-by-step setup of ssh

  1. Everyone who will access Lick must have ssh version 1.2.25 (or later) available for use. Familiarity with the man pages for ssh, ssh-keygen, ssh-agent, and ssh-add will prove most helpful.

  2. Everyone who will access Lick should use ssh-keygen to create an RSA key pair.

    I recommend that this key pair be created specifically for access to Lick, but it is permissible to use the default ssh identity. In either case, we strongly request that the RSA private key for this ssh identity be protected with a passphrase: the passphrase encrypts the private key file, so a copy of the file alone (from a backup tape, a stolen laptop or a compromised home directory) is not enough to log in to Lick. We have no means of enforcing this request, but we do ask that it be done.

    For the purposes of this document we will presume that the ssh identity has been given the name lickkey. The private key for the identity would thus be named ~/.ssh/lickkey, and the corresponding public key ~/.ssh/lickkey.pub.

  3. Everyone who will access Lick should place their RSA public key into their ~/.ssh/authorized_keys file on machines at Lick.

    In the example above this would mean that the ~/.ssh/lickkey.pub file is sent, perhaps via e-mail, perhaps via scp, and its single line is appended to ~/.ssh/authorized_keys on the Lick side (one key per line). Only the .pub file should ever leave your machine: the public key is not secret, so e-mail is acceptable for it, but the private key ~/.ssh/lickkey must never be sent anywhere. Note also that with sshd's default StrictModes setting, an authorized_keys file or ~/.ssh directory that is writable by anyone other than its owner is ignored, so keep them at mode 600 and 700 respectively.

  4. Everyone who will access Lick from a Unix machine running X11 should use ssh-agent. The agent will hold the private RSA key of the ssh identity which corresponds to the public key that was sent to Lick.

    First, ssh-agent must be started. Power users of ssh will already have modified their login or X session startup files to incorporate the agent as a natural part of their daily computing practice. I have some tips on the use of ssh-agent, but see the man page for full details.

    Then ssh-add must be used to load the private key for the ssh identity into the agent. It prompts once for the key's passphrase; after that the agent answers the RSA challenges for every ssh connection made from that session, and neither the key nor the passphrase needs to be typed again. In this example the command would be

    	ssh-add ~/.ssh/lickkey


  5. By default ssh warns when it connects to a host whose public key is not yet in ~/.ssh/known_hosts, and if StrictHostKeyChecking is set to yes it refuses to connect at all. Either way this can get in the way of first contact with a machine at Lick. That first contact is also the only moment at which ssh itself cannot detect an impostor: once a host key has been recorded, a man-in-the-middle would have to present that same key. The NICS staff should be able to provide a list of public keys for all Lick machines; adding them to ~/.ssh/known_hosts before the first connection is the only way to be absolutely sure there is no man-in-the-middle, and if you feel at all paranoid it is worth the small trouble.
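As an added example (this is not code from this page or from Lick; the names in it are assumptions for illustration), here are steps 2 through 5 above as one POSIX shell script. It assumes the identity lives at ~/.ssh/lickkey, that the Lick host is called lick.example, and that ssh-keygen, ssh-agent and ssh-add behave as in ssh 1.2.x and OpenSSH (the -f, -C and -s flags used exist in both). The file-handling functions add the checks the steps leave implicit: they refuse to overwrite or mail out a private key, install each public key only once, keep the 600/700 permissions sshd insists on, and never silently replace a host key that is already recorded.

```shell
#!/bin/sh
# Added example, not code from Steve Allen's page. Assumed names: identity
# ~/.ssh/lickkey, remote host lick.example, local account from $USER.
set -eu

# Only the group/other bits matter here: a private key, authorized_keys or
# known_hosts file readable by anyone but its owner is a problem.
mode_private() {                       # 0 iff the file is accessible by its owner only
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Step 2: create the key pair. No -N is passed, so ssh-keygen prompts for the
# passphrase the page asks for; an existing key is never overwritten.
make_identity() {                      # make_identity ~/.ssh/lickkey
    key=$1
    [ -e "$key" ] && { echo "refusing to overwrite $key" >&2; return 1; }
    mkdir -p "$(dirname "$key")" && chmod 700 "$(dirname "$key")"
    ssh-keygen -f "$key" -C "${USER:-$(id -un)}@$(uname -n) lick access"
    chmod 600 "$key"
}

# Step 3, Lick side: append one public key line to authorized_keys exactly
# once. Refuses anything that looks like a private key, which is the mistake
# that e-mailing "the key" invites.
install_pubkey() {                     # install_pubkey lickkey.pub ~/.ssh/authorized_keys
    pub=$1 auth=$2
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a private key; only the .pub file may be installed" >&2
        return 1
    fi
    mkdir -p "$(dirname "$auth")" && chmod 700 "$(dirname "$auth")"
    touch "$auth" && chmod 600 "$auth"
    if grep -qxF -- "$(cat "$pub")" "$auth"; then
        echo "key already present in $auth" >&2
        return 0
    fi
    cat "$pub" >> "$auth"
}

# Step 5: pin a host key obtained out of band (the list from NICS staff) before
# the first connection. An existing entry for the host is never replaced: a
# changed host key is exactly what a man-in-the-middle looks like and needs a
# human decision, not a script.
trust_host_key() {                     # trust_host_key lick.example host_key.pub ~/.ssh/known_hosts
    host=$1 hostpub=$2 known=$3
    touch "$known" && chmod 600 "$known"
    if awk -v h="$host" '{ n = split($1, a, ","); for (i = 1; i <= n; i++) if (a[i] == h) f = 1 } END { exit !f }' "$known"; then
        echo "$known already has a key for $host; not replacing it" >&2
        return 1
    fi
    # A known_hosts line is the host name followed by the host's .pub file contents.
    printf '%s %s\n' "$host" "$(cat "$hostpub")" >> "$known"
}

# Step 4: start an agent for this session if none is running, then load the
# identity. ssh-add asks for the passphrase once; afterwards the agent answers
# every challenge and the private key never leaves the local machine.
load_identity() {                      # load_identity ~/.ssh/lickkey
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        eval "$(ssh-agent -s)"         # -s: print sh-style exports for eval
    fi
    ssh-add "$1"
}

# The local half of the procedure, run only as:  sh lick-ssh.sh setup
if [ "${1:-}" = setup ]; then
    key=$HOME/.ssh/lickkey
    make_identity "$key"
    echo "send ONLY $key.pub to Lick and install it there with:" >&2
    echo "  install_pubkey lickkey.pub ~/.ssh/authorized_keys" >&2
    load_identity "$key"
    mode_private "$key" || echo "warning: $key is readable by others" >&2
fi
```

Run `sh lick-ssh.sh setup` on your own machine for steps 2 and 4; copy only the .pub file to Lick and run install_pubkey there for step 3; and run trust_host_key locally with each host key file supplied by NICS before the first ssh, which is step 5. The private key is the one file the script never copies, prints or sends.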
For some applications it is convenient to be able to access machines at Lick securely from a cron job. Follow the link for advice on this.
Steve Allen <sla@ucolick.org>

1999-05-03