Setting Up OpenSSH the First Time

Install OpenSSH on both machines. sshd, the ssh daemon, must be running on the remote host, so that it can receive connections. Copy the remote host’s public key to the local machine’s ~/.ssh/known_hosts file, and you’re in business.

Starting and stopping sshd on most rpm-based systems is done like this:

# /etc/init.d/sshd start
# /etc/init.d/sshd stop

On Debian, it’s slightly different:

# /etc/init.d/ssh start
# /etc/init.d/ssh stop

Always check your init filenames, as they vary on different distributions.

Copying the remote host’s public key to your local ~/.ssh/known_hosts file is as simple as connecting to the remote host:

carla@windbag carla$ ssh stinkpad
The authenticity of host 'stinkpad (192.168.1.100)' can't be established.
RSA key fingerprint is a2:c6:70:3e:73:00:b3:ed:90:b1:9a:bc:e7:d5:32:ba.
Are you sure you want to continue connecting (yes/no)?

Type yes, and it will respond:

Warning: Permanently added 'stinkpad,192.168.1.100' (RSA) to the list of known hosts.
carla@stinkpad's password:
Linux stinkpad 2.4.21 #1 Sun Aug 3 20:15:59 PDT 2003 i686 GNU/Linux
Libranet GNU/Linux
Last login: Sat June 3 22:16:24 2004 from :0.0
carla@stinkpad:~$

A plain ssh login like this connects you to another host on your LAN under the same login name you are using locally. You can connect as a different user with the -l flag:

carla@windbag ~$ ssh -l wilmaf stinkpad

To make an SSH connection over the Internet, you must use the full domain name:

carla@windbag ~$ ssh stinkpad.test.net

Making that initial connection, and copying the host’s RSA key, is the riskiest part of setting up SSH. If an intruder managed to compromise your nameserver, she could possibly hijack your SSH session and capture your login. It’s a pretty small risk, though, and you can verify the IP address before logging in the first time. To close off this hole, you can manually copy the host’s public key to your local ~/.ssh/known_hosts file first. You must edit it slightly; see the examples below.

Host keys are stored in /etc/ssh. They are used to validate the identity of the remote host, and they are all the machine needs in order to let users log in to it: each user needs only a copy of the public host key in their ~/.ssh/known_hosts file and an account to log into. Some Linux distributions create two key pairs when you install OpenSSH, one RSA key pair and one DSA key pair:

$ ls /etc/ssh
ssh_host_dsa_key
ssh_host_dsa_key.pub
ssh_host_rsa_key
ssh_host_rsa_key.pub
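
The manual route described above, as an added example that is not part of the original text: this Python sketch turns the contents of a host's ssh_host_rsa_key.pub into a known_hosts line and computes the colon-separated MD5 fingerprint that ssh shows at the first-connection prompt, so the two can be compared out of band. The function names and the sample key are constructed for illustration; the host name and address are the ones used above.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string, as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 of the raw key blob (the format in the prompt above)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def known_hosts_entry(pub_line: str, host: str, ip: str):
    """Turn the contents of ssh_host_rsa_key.pub into a known_hosts line.

    Returns (entry, fingerprint). The trailing comment is dropped and
    "host,ip" is put in front, matching what ssh writes on first connect.
    """
    fields = pub_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key data too short")
    # The blob begins with its own key type; it must agree with the text field.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type does not match key data")
    return f"{host},{ip} {key_type} {b64}", md5_fingerprint(blob)


# Constructed sample, not a real host key: exponent 65537 and a dummy modulus.
SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(b"\x00" + bytes(range(128, 256))))
SAMPLE_PUB = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " root@stinkpad"

if __name__ == "__main__":
    entry, fp = known_hosts_entry(SAMPLE_PUB, "stinkpad", "192.168.1.100")
    print(entry)  # the line to append to ~/.ssh/known_hosts
    print(fp)     # compare with the fingerprint obtained from the host itself
```

Current OpenSSH releases print SHA256 fingerprints by default; `ssh-keygen -l -E md5 -f <file>` prints the older colon-separated format used here.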