You want to know how to set up OpenSSH to log in to a remote host, using the simplest method that it supports.
Using host-key authentication is the simplest way to set up remote SSH access. You need:
OpenSSH installed on the machine you want to log into remotely
The SSH daemon to be running on the remote server, and port 22 not blocked
SSH client software on the remote client
A Linux login account on the remote server
To distribute the public host key to the clients
Your OpenSSH installer should have already created the host keys. If it didn't, see the next recipe.
First, protect your private host key from accidental overwrites:
# chmod 400 /etc/ssh/ssh_host_rsa_key
Next, the public host key must be distributed to the clients. One way is to log in from the client, and let OpenSSH transfer the key:
foober@gouda:~$ ssh reggiano
The authenticity of host 'reggiano (192.168.1.10)' can't be established.
RSA key fingerprint is 26:f6:5b:24:49:e6:71:6f:12:76:1c:2b:a5:ee:fe:fe
Are you sure you want to continue connecting (yes/no)?
Warning: Permanently added 'reggiano 192.168.1.10' (RSA) to the list of known hosts.
foober@reggiano's password:
Linux reggiano 2.6.15 #1 Sun June 10 11:03:21 PDT 2007 i686 GNU/Linux
Debian GNU/Linux
Last login: Sun June 10 03:11:49 PDT 2007 from :0.0
foober@reggiano:~$
Now, Foober can work on Reggiano just as if he were physically sitting at the machine, and all traffic—including the initial login—is encrypted.
The host key exchange happens only once, the first time you log in. You should never be asked again unless the key is replaced with a new one, or you change your personal ~/.ssh/known_hosts file.
The public host key is stored in the ~/.ssh/known_hosts file on the client PC. This file can contain any number of host keys.
It is a bad idea to log in as root over SSH; it is better to log in as an ordinary user, then su or sudo as you need after login. You can log in as any user that has an account on the remote machine with the -l (login) switch:
foober@gouda:~$ ssh -l deann reggiano
Or, like this:
foober@gouda:~$ ssh deann@reggiano
Don't get too worked up over client and server—the server is whatever machine you are logging in to, and the client is wherever you are logging in from. The SSH daemon does not need to be running on the client.
There is a small risk that the host key transmission could be intercepted and a forged key substituted, which would allow an attacker access to your systems. You should verify the IP address and public key fingerprint before typing "yes." Primitive methods of verification, like writing down the fingerprint on a piece of paper, or verifying it via telephone, are effective and immune to computer network exploits.
For the extremely cautious, manually copying keys is also an option; see Recipe 7.4.
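The fingerprint check described above can also be scripted. The following Python sketch is an added example, not code from the book: it computes the fingerprint of a host public key taken from a .pub file or a known_hosts line, in both the colon-separated MD5 form shown in the session above and the SHA256 form that current OpenSSH releases print, and compares it with a fingerprint obtained out of band. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_key_line(line: str):
    """Return (key type, raw key blob) from a .pub or known_hosts line."""
    fields = line.split()
    for key_type, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # host lists, markers and comments are not base64
            continue
        # A genuine blob begins with its own key type as an SSH string.
        if blob.startswith(ssh_string(key_type.encode())):
            return key_type, blob
    raise ValueError("no public key found in line")


def fingerprints(blob: bytes):
    """Return (colon-separated MD5, SHA256:base64) fingerprints of a key blob."""
    md5 = hashlib.md5(blob).hexdigest()
    legacy = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return legacy, "SHA256:" + digest.rstrip("=")


def matches_trusted(line: str, trusted_fp: str) -> bool:
    """True only if the key in `line` has the fingerprint obtained out of band."""
    legacy, modern = fingerprints(parse_key_line(line)[1])
    candidate = trusted_fp.strip()
    if candidate.upper().startswith("MD5:"):
        candidate = candidate[4:]
    return candidate.lower() == legacy or candidate == modern


# Constructed sample, not a real host key: type, exponent 65537, 1024-bit modulus.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
               + ssh_string(b"\x00" + bytes(range(128, 256))))
SAMPLE_LINE = "reggiano,192.168.1.10 ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    print(*fingerprints(parse_key_line(SAMPLE_LINE)[1]), sep="\n")
```

The trusted fingerprint should come from the server itself, for example by running ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub at its console, and not from the same network connection you are trying to verify.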
Chapter 17, "Remote Access," in Linux Cookbook by Carla Schroder (O'Reilly)
man 1 ssh
man 1 ssh-keygen
man 8 sshd