...taken from Nella's 2003 March worklog...p.96-97

********** Roger Johnson and scp instead of rcp **********

1. Generate a public/private key pair on the original host where the program runs, as in these steps done on neter (as sirsi, in the home directory):

   3% ssh-keygen -t dsa
   Generating public/private dsa key pair.
   Enter file in which to save the key (/s/sirsi/.ssh/id_dsa):
   Enter passphrase (empty for no passphrase):
   Enter same passphrase again:
   Your identification has been saved in /s/sirsi/.ssh/id_dsa.
   Your public key has been saved in /s/sirsi/.ssh/id_dsa.pub.
   The key fingerprint is:
   8f:3f:12:55:f8:78:b5:5b:99:50:6c:b0:dd:5c:b1:e8 sirsi@neter.lib.ucalgary.ca

2. NOTE that the new files are put into the /s/sirsi/.ssh directory, as shown here:

   4% cd .ssh
   5% ls
   id_dsa  id_dsa.pub  prng_seed
   UCAP7% ls -eat *
   -rw-------   1 sirsi   sirsi   1024 Jul 12 15:50 prng_seed
   -rw-r--r--   1 sirsi   sirsi    492 Mar 26  2003 known_hosts
   -rw-------   1 sirsi   sirsi    668 Mar 26  2003 id_dsa
   -rw-------   1 sirsi   sirsi    617 Mar 26  2003 id_dsa.pub

3. Now go to the receiving host (as in horus) and, in the home directory of the user that logs into the receiving host, create the directory .ssh (chmod 700 on the directory), then get the other host's home/.ssh/id_dsa.pub file and rename it to authorized_keys2 (chmod 600 on it).

   19% pwd
   /sirsi/s/sirsi
   20% cd .ssh
   21% ls
   authorized_keys2

   Or as seen on my acs4 account:

   acs4:/u211/ndlall/.ssh--> ls -eat *
   -rw-------   1 ndlall  libr1    617 Jul 13 08:33 authorized_keys2

   Now change your programs to use scp instead of rcp without further ado. You must connect once from the server running the program to the new target server via the command line, to get the prompt to accept the new keys into the known_hosts file, before you run the program itself. Do a simple ssh as the proper login etc. Roger did this for histtohorus on seter only. (Roger got the info about generating the private/public key from Don K.)

4. NOTE: you can have more than one server's id_dsa.pub key in the authorized_keys2 file, either by copying and pasting the additional server's id_dsa.pub key information into authorized_keys2 (making sure the data stays on ONE line per server), or by bringing the new server's id_dsa.pub key over as a file named e.g. newserverkeys and then doing:

   cat newserverkeys >> authorized_keys2

You must ensure that the correct fingerprint for the server you are connecting to is in the /s/sirsi/.ssh/known_hosts file. You won't know this until you actually try to do the sftp and it complains and hangs up on you. If you KNOW the fingerprint or keys of the server you are trying to connect to have changed, go to the known_hosts file and remove the line relating to that server. Then do the sftp again and it will give you a prompt to accept the new keys into the known_hosts file. This will only happen the first time you sftp to the target server. Once the key is in the known_hosts file, you can sftp without any problems.
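The two file-handling chores in steps 3 and 4 above (adding a server's id_dsa.pub to authorized_keys2 one key per line, and dropping a stale known_hosts line for a server whose key has changed) are easy to get subtly wrong by hand. The script below is an added example written for this note, not Roger's or Nella's procedure; the function names append_authorized_key and forget_host_key, the sample key strings and the host names in the demo are all constructed for illustration. It enforces the one-line-per-key rule, keeps the 700/600 permissions the note calls for, and only removes the known_hosts entry for the named host, leaving the other servers' entries alone.

```shell
#!/bin/sh
# Added example (not from the worklog): helpers for the authorized_keys2 and
# known_hosts steps described in the note. POSIX sh only; no ssh connection is
# made, so it can be run and tested offline.
set -e

# append_authorized_key KEYFILE AUTHFILE
# Appends the single public-key line in KEYFILE to AUTHFILE, creating the
# .ssh directory (mode 700) and the file (mode 600) if needed. Refuses a key
# file that is not exactly one line, since sshd reads one key per line and a
# wrapped paste would silently fail to authenticate. Idempotent: a key that
# is already present is not added twice. Returns 0 on success, 1 on refusal.
append_authorized_key() {
    keyfile=$1
    authfile=$2
    sshdir=$(dirname "$authfile")

    # grep -c '' counts lines even when the last one has no trailing newline.
    if [ "$(grep -c '' "$keyfile")" -ne 1 ]; then
        echo "refusing: $keyfile must contain exactly one key line" >&2
        return 1
    fi
    key=$(cat "$keyfile")

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"

    # Exact, whole-line, fixed-string match: skip if this key is already there.
    if grep -qxF -- "$key" "$authfile"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$authfile"
}

# forget_host_key HOST KNOWN_HOSTS_FILE
# Removes every plain (unhashed) known_hosts line whose first field names HOST,
# either alone or as one of a comma-separated list ("horus,10.0.0.2 ssh-dss ...").
# Other hosts' lines are left untouched. Lines hashed by HashKnownHosts (they
# start with "|1|") cannot be matched by name here; use ssh-keygen -R for those.
forget_host_key() {
    host=$1
    kh=$2
    awk -v h="$host" '
        {
            n = split($1, names, ",")
            keep = 1
            for (i = 1; i <= n; i++) if (names[i] == h) keep = 0
            if (keep) print
        }' "$kh" > "$kh.tmp"
    mv "$kh.tmp" "$kh"
}

# count_lines FILE: number of key lines in an authorized_keys or known_hosts file.
count_lines() {
    grep -c '' "$1"
}

# Stand-alone demo in a scratch directory (constructed sample keys and hosts).
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf 'ssh-dss AAAAB3NzaC1kc3MAAACBdemo1 sirsi@neter\n' > "$d/id_dsa.pub"
    append_authorized_key "$d/id_dsa.pub" "$d/.ssh/authorized_keys2"
    printf 'horus,10.0.0.2 ssh-dss AAAAB3NzaC1kc3MAAACBold\nseter ssh-dss AAAAB3NzaC1kc3MAAACBok\n' > "$d/known_hosts"
    forget_host_key horus "$d/known_hosts"
    echo "authorized_keys2 lines: $(count_lines "$d/.ssh/authorized_keys2")"
    echo "known_hosts lines after forgetting horus: $(count_lines "$d/known_hosts")"
    rm -rf "$d"
fi
```

Run it as `sh script.sh --demo` to see the two counts. On a current OpenSSH, `ssh-keygen -R horus -f ~/.ssh/known_hosts` does the same job as forget_host_key and also handles hashed entries, and the default AuthorizedKeysFile still lists both .ssh/authorized_keys and .ssh/authorized_keys2, so the 2003 file name keeps working. One caveat for anyone repeating step 1 today: OpenSSH 7.0 and later disable ssh-dss keys by default, so `ssh-keygen -t dsa` will produce a key the server refuses unless it has been explicitly re-enabled.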