How Do I Setup SSH Equivalence?

  1. Log in as the user who will be running the Argent Unix Rule Engine

    Note that this user should not be “root”.

  2. Generate public key files. To make your life easier (“good…”), we will generate and use all three key types, taking the default values in all cases and not supplying a passphrase. Note that if the keyfile exists you will be prompted to overwrite it.

    $ ssh-keygen -t rsa1


    Generating public/private rsa1 key pair.

    Enter file in which to save the key (/home/user/.ssh/identity):

    Enter passphrase (empty for no passphrase):

    Enter same passphrase again:

    Your identification has been saved in /home/user/.ssh/identity.

    Your public key has been saved in /home/user/.ssh/identity.pub.

    The key fingerprint is:

    11:44:11:22:22:11:11:11:11:66:34:00:55:44:33:66 user@machine

    $ ssh-keygen -t rsa

    Generating public/private rsa key pair.

    Enter file in which to save the key (/home/user/.ssh/id_rsa):

    Enter passphrase (empty for no passphrase):

    Enter same passphrase again:

    Your identification has been saved in /home/user/.ssh/id_rsa.

    Your public key has been saved in /home/user/.ssh/id_rsa.pub.

    The key fingerprint is:

    11:44:11:22:22:11:11:11:11:66:34:00:55:44:33:66 user@machine

    $ ssh-keygen -t dsa

    Generating public/private dsa key pair.

    Enter file in which to save the key (/home/user/.ssh/id_dsa):

    Enter passphrase (empty for no passphrase):

    Enter same passphrase again:

    Your identification has been saved in /home/user/.ssh/id_dsa.

    Your public key has been saved in /home/user/.ssh/id_dsa.pub.

    The key fingerprint is:

    11:44:11:22:22:11:11:11:11:66:34:00:55:44:33:66 user@machine

  3. Check that each machine can be contacted using ssh

    $ ssh HOSTNAME

    If this is the first time that the user has connected to hostname using ssh, you will see something like the following:


    The authenticity of host 'hostname (a.b.c.d)' can't be established.

    RSA key fingerprint is 44:77:33:66:66:22:22:33:00:33:00:99:77:88:11:44.

    Are you sure you want to continue connecting (yes/no)?

    Respond: yes

    You will see something like this:

    Warning: Permanently added 'hostname,a.b.c.d' (RSA) to the list of known hosts.

    You may be prompted for a password:

    Password:

    Enter the required password.

    If you do not see the remote machine’s hostname in the prompt after logging in, SSH is not configured correctly.

  4. If you were prompted for a password, either user equivalence is not set up, or there is a problem.
  5. Set up user equivalence

    1. Create the $HOME/.ssh directory on the remote machine (may fail if .ssh already exists):

      ssh HOSTNAME "mkdir .ssh"

    2. Set the required permissions on .ssh on the remote machine:

      ssh HOSTNAME "chmod 0700 .ssh"

    3. Copy the public key files to the remote machine:

      scp $HOME/.ssh/*.pub HOSTNAME:.ssh

    4. Add the public key files to $HOME/.ssh/authorized_keys on the remote machine:

      ssh HOSTNAME "cat .ssh/*.pub >> .ssh/authorized_keys"

    5. Set the required permissions on $HOME/.ssh/authorized_keys on the remote machine:

      ssh HOSTNAME "chmod 0600 .ssh/authorized_keys"

    6. Connect to the remote machine.

      ssh HOSTNAME

    7. If you are asked for a password, something is wrong. Read on.

    Troubleshooting SSH Equivalence Problems

    Assuming there are no errors with the public key files or the authorized_keys file, the probable cause is a permissions error:

    Each directory in the path to $HOME (if $HOME is “/u/users/guardian”, the directories are “/u”, “/u/users”, and “/u/users/guardian”) should have permissions no greater than:

    0755 (drwxr-xr-x)

    $HOME/.ssh should have permission:

    0700 (drwx------)

    $HOME/.ssh/authorized_keys should have permission:

    0600 (-rw-------)
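    The permission rules in this troubleshooting section, as an added shell check that is not part of the Argent article: it walks every directory on the path to $HOME and then tests .ssh and authorized_keys, printing one FAIL line per problem. The optional TOP argument (so the walk can stop above a shared parent such as /tmp), the mode_of helper and the script name are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Argent article: audit the permissions that
# the troubleshooting section requires before key-based login will work.
#   check_ssh_perms /u/users/guardian   # checks /u, /u/users, /u/users/guardian, .ssh, authorized_keys
#   check_ssh_perms "$HOME" /u          # same walk, but stops at (and does not check) /u

# Permission bits of a path as an octal string such as 755 or 1777.
# Tries GNU stat first and falls back to BSD/macOS stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_perms HOME_DIR [TOP]: returns 0 when every check passes, 1 otherwise,
# printing one FAIL line per problem. TOP (default /) is where the walk up the
# path stops; TOP itself is not checked.
check_ssh_perms() {
    home=${1%/}
    top=${2:-/}
    rc=0

    # Each directory on the path to $HOME must not be writable by group or
    # other, i.e. no more permissive than 0755 (drwxr-xr-x).
    dir=$home
    while [ "$dir" != "$top" ] && [ "$dir" != "/" ]; do
        m=$(mode_of "$dir") || return 1
        if [ $(( 0$m & 022 )) -ne 0 ]; then
            echo "FAIL: $dir is mode $m, must be no more permissive than 0755"
            rc=1
        fi
        dir=$(dirname "$dir")
    done

    # $HOME/.ssh must be exactly 0700 and authorized_keys exactly 0600.
    for entry in ".ssh 700" ".ssh/authorized_keys 600"; do
        path=$home/${entry% *}
        want=${entry#* }
        if [ ! -e "$path" ]; then
            echo "FAIL: $path does not exist"
            rc=1
        elif [ "$(mode_of "$path")" != "$want" ]; then
            echo "FAIL: $path is mode $(mode_of "$path"), must be $want"
            rc=1
        fi
    done
    return $rc
}

# When run as a script (hypothetical name check_ssh_perms.sh) with arguments:
if [ $# -gt 0 ]; then check_ssh_perms "$@"; fi
```

    Run it on the remote machine as the Rule Engine user; any FAIL line names the exact path and mode to correct with chmod.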