On 08/07/12 17:08, Andy Botterill wrote:
> On 07/08/2012 04:30 PM, J G Miller wrote:
>> On Sunday, July 8th, 2012, at 14:51:30h +0100, Andy Botterill declared:
>>
>>> The root login area is read only.
>>
>> To non-root users.
>>
>> So login as root and generate the keys as root.
>>
>> And is it not better (more secure) to use dsa keys?
>>
>> ssh-keygen -t dsa
>
> Using the console plugged into the nasbox (assuming that that is root) I
> cannot write to the local directory.
Which way are you performing the ssh/rsync? That's very important.
In public/private key authentication, the private key is kept by the
client (the end initiating the ssh connection). The public key resides
on the recipient "server". The private key should normally be in the
.ssh directory. The .ssh directory, and the key, must be
readable/writeable only by the owner of the key.
>
> I wrote the key to /tmp/.ssh/ directory.
> I then copied the key into the key place for the root login in the
> freenas gui.
>
Which key did you copy (public/private), and where did you put it?
> After that I get the /root/.ssh/ directory. The known_hosts file is
> different to my desktop. What is it supposed to contain?
A list of known hosts, and their respective keys (not the user ssh keys,
the host keys). ssh requires that the host be identified by a key to
avoid spoofing of host/user. Normally, when you first connect to a
machine ssh, and ssh receives a key it does not have stored, it will
prompt you as to whether you want to accept the key as valid. If you
accept it ssh will store the key in known_hosts. There is also a system
wide file, probably in /etc/ssh/ssh_known_hosts where host keys can be
stored so every user doesn't have to accept keys for well known hosts.
>
> I then copied the key to my desktop in the file /root/.ssh/authorized_key
There should be an "s" on the end of that file. What version of ssh is
FreeNAS using? There's also an authorized_keys2 file which openssh uses
for SSH v2.
>
> So both the nasbox and the desktop have the same key. Is this the right
> way of doing it?
No, the initiating end ("client") should have the private key (and
normally the public key as well). The receiving end ("server") should
ONLY have the public key. The private key on the server would be the
private key of the user on that machine, not the private key of the user
on the client machine. You never, ever, send your private key to any
other machine.
So, which file goes where depends on whether you want to initiate the
rsync on the NAS or the desktop, and what user accounts you want to use
at either end.
The normal ssh public/private key setup is as follows.
On the client (the end which initiates the connection, and requires
authentication on the server) run ssh-keygen to create a public/private
key pair. Don't enter a password when prompted, or you'll have to enter
this password to decrypt the private key when you use it (unless you
setup some kind of key escrow agent such as ssh-agent). The keys will
be, by default, written in the user's .ssh directory unless you specify
an alternate output file on the ssh-keygen command.
The account which is used to initiate the connection requires the
private key (id_rsa or id_dsa) in its .ssh directory. The account which
is accepting the connection on the remote end requires the public key in
its .ssh/authorized_keys file. On both sides the .ssh directory, and the
files within it, must only be readable or writeable by the account
holder. Copy the PRIVATE key to the .ssh folder of the account which
will initiate the remote connection. If you created the keys as that
user, with the default output, then it will already be there.
Copy the PUBLIC key to the remote user account, preferably to some
location other than .ssh (you can delete this file when it's been added
to the authorized keys file). Append the contents of the public key to
the .ssh authorized keys file. Depending on the type/version of ssh on
the server this file is variously known as authorirized_keys (SSH-1,
OpenSSH), authorized_keys2 (OpenSSH using SSH v2) or in the unlikely
event that the server is using SSH2 then .ssh2/authorization. The same
permission restriction applies to this file/folder as on the server. The
.ssh/ssh2 directory and authorized keys file must be owned by, and only
readable/writeable, by the owner.
If you want to perform an authenticated rsync, as root, from the NAS box
to your desktop, then the root account on the NAS box requires the
private key file in root's .ssh directory. FreeNAS uses a ram disk, so
you can't just put files in root's home directory or they won't be there
next time you re-boot. That's why you have to add the key using the GUI.
The remote account on your desktop requires the public key in its
.ssh/authorized_keys file.
--
Nigel Wade