SSH: Difference between revisions
No edit summary |
No edit summary |
||
(4 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
To ssh ignoring 'Offending key in /site/etc/ssh_known_hosts' do following: | |||
ssh -o UserKnownHostsFile=/dev/null <hostname> | |||
First, enable X11 forwarding: uncommented and properly set 2 following lines in ''/etc/ssh/ssh_config'' file: | First, enable X11 forwarding: uncommented and properly set 2 following lines in ''/etc/ssh/ssh_config'' file: | ||
Line 10: | Line 15: | ||
PermitUserEnvironment yes | PermitUserEnvironment yes | ||
2 | 2. Create ''/etc/ssh/sshrc'' with following contents: | ||
HOME=/tmp | HOME=/tmp | ||
Line 35: | Line 35: | ||
(on RHEL4 ''xauth'' is located at ''/usr/X11R6/bin/xauth'', on RHEL5 at ''/usr/bin'', adjust script accordingly) | (on RHEL4 ''xauth'' is located at ''/usr/X11R6/bin/xauth'', on RHEL5 at ''/usr/bin'', adjust script accordingly) | ||
3. Add two lines in ''/etc/profile'': | |||
XAUTHORITY=/tmp/.Xauthority. | XAUTHORITY=/tmp/.Xauthority.$LOGNAME | ||
export XAUTHORITY | |||
4. NOTIFY ALL USERS TO HAVE THAT FILE WITH CORRESPONDING CONTENTS IN THEIR ''$HOME/.ssh'' directories. You can do it for example by placing following into ''/etc/.login'' (on linux you can use ''/etc/csh.login''): | |||
if (! -e ~/.ssh/environment ) then | if (! -e ~/.ssh/environment ) then | ||
Line 48: | Line 49: | ||
echo "" | echo "" | ||
endif | endif | ||
5. Create ''/root/.ssh/environment'' file with following contents: | |||
XAUTHORITY=/tmp/.Xauthority.root | |||
Line 56: | Line 61: | ||
(on Linux ''/etc/init.d/sshd restart'') | (on Linux ''/etc/init.d/sshd restart'') | ||
7. If need to make ssh without password between different clon machines for some user, login as that user and do following: | 7. If need to make ssh without password between different clon machines for some user, login as that user and do following (chmod commands are important !): | ||
mkdir .ssh | |||
chmod 700 .ssh | |||
cd .ssh | cd .ssh | ||
ssh-keygen -t rsa | ssh-keygen -t rsa | ||
<hit return | <hit return 3 times> | ||
cp id_rsa.pub authorized_keys | #cp id_rsa.pub authorized_keys | ||
ssh-copy-id <machine_name_you_are_in> | |||
chmod 600 * | |||
After that for this user all machines with the same home directory have to be accessible without typing password. If machine has different home directory, copy contents of the 'id_rsa.pub' into remote machine 'authorized_keys' file. | |||
8. Tunneling: for example to tunnel from home to clontrig0 for vnc (port 5902) do following: | |||
ssh -L 5902:localhost:4321 login1.jlab.org | |||
and then from the same window: | |||
ssh -L 4321:localhost:5902 clontrig0 | |||
Now if VNCVIEWER on home machine connect to localhost:5902, it will actually connect to clontrig0:5902. |
Latest revision as of 15:55, 1 July 2019
To ssh ignoring 'Offending key in /site/etc/ssh_known_hosts' do following:
ssh -o UserKnownHostsFile=/dev/null <hostname>
First, enable X11 forwarding: uncommented and properly set 2 following lines in /etc/ssh/ssh_config file:
Host * ForwardX11 yes
Normally ssh creates .Xauthority file in $HOME directory. If $HOME directory is on file server and shared between different machines, it can be a conflict. It is recommended in that case to tell ssh to place .Xauthority file somewhere else, for example in /tmp directory which is usually local. Do following:
1. Uncomment or add following line in /etc/ssh/sshd_config (it will force execution of /etc/ssh/sshrc script which we'll create below; also every user's $HOME/.ssh/environment file will be processed):
PermitUserEnvironment yes
2. Create /etc/ssh/sshrc with following contents:
HOME=/tmp XAUTHORITY=$HOME/.Xauthority.$USER export XAUTHORITY if read proto cookie && [ -n "$DISPLAY" ] then if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ] then # X11UseLocalhost=yes echo add unix:`echo $DISPLAY | cut -c11-` $proto $cookie else # X11UseLocalhost=no echo add $DISPLAY $proto $cookie fi | /usr/openwin/bin/xauth -q - fi
(on RHEL4 xauth is located at /usr/X11R6/bin/xauth, on RHEL5 at /usr/bin, adjust script accordingly)
3. Add two lines in /etc/profile:
XAUTHORITY=/tmp/.Xauthority.$LOGNAME export XAUTHORITY
4. NOTIFY ALL USERS TO HAVE THAT FILE WITH CORRESPONDING CONTENTS IN THEIR $HOME/.ssh directories. You can do it for example by placing following into /etc/.login (on linux you can use /etc/csh.login):
if (! -e ~/.ssh/environment ) then echo "" echo "===== ERROR: create file '~/.ssh/environment' containing following line:" echo "===== XAUTHORITY=/tmp/.Xauthority.$LOGNAME" echo "===== OTHERWISE SSH/X11 MAY NOT WORK PROPERLY" echo "" endif
5. Create /root/.ssh/environment file with following contents:
XAUTHORITY=/tmp/.Xauthority.root
6. Restart ssh service by
svcadm restart network/ssh
(on Linux /etc/init.d/sshd restart)
7. If need to make ssh without password between different clon machines for some user, login as that user and do following (chmod commands are important !):
mkdir .ssh chmod 700 .ssh cd .ssh ssh-keygen -t rsa <hit return 3 times> #cp id_rsa.pub authorized_keys ssh-copy-id <machine_name_you_are_in> chmod 600 *
After that for this user all machines with the same home directory have to be accessible without typing password. If machine has different home directory, copy contents of the 'id_rsa.pub' into remote machine 'authorized_keys' file.
8. Tunneling: for example to tunnel from home to clontrig0 for vnc (port 5902) do following:
ssh -L 5902:localhost:4321 login1.jlab.org
and then from the same window:
ssh -L 4321:localhost:5902 clontrig0
Now if VNCVIEWER on home machine connect to localhost:5902, it will actually connect to clontrig0:5902.