Copy the resulting public key file (it contains the local computer's public key) to the remote computer and append its contents to the file .ssh/authorized_keys in the user's home folder there. The private key stays on the local computer. Make sure the .ssh folder and authorized_keys are readable and writable only by the user; sshd ignores keys in files that others can write to. The next time you log in to the remote computer from the local computer, you won't need to enter a password.

Note: If you are using an Open Directory user account and have already logged in using that account, you do not have to supply a password for SSH login. On Mac OS X Server computers, SSH uses Kerberos for single sign-on authentication with any user account that has an Open Directory password (Kerberos must be running on the Open Directory server). See the Open Directory administration guide for more information.

Updating SSH Key Fingerprints

The first time you connect to a remote computer using SSH, the local computer prompts for permission to add the remote computer's fingerprint (a hash of the remote computer's public host key, not an encrypted copy of it) to a list of known remote computers. You might see a message like this:

The authenticity of host "server1.example.com" can't be established.
RSA key fingerprint is a8:0d:27:63:74:f1:ad:bd:6a:e4:0d:a3:47:a8:f7.
Are you sure you want to continue connecting (yes/no)?

The first time you connect, the prompt alone gives you no way of knowing whether this is the correct host key, and most people simply answer "yes." The host key is then stored in the ~/.ssh/known_hosts file so it can be compared against in later sessions. Be sure this is the correct key before accepting it: compare the fingerprint in the prompt with one you obtained in advance from the server's administrator. If at all possible, publish the server's host key (or its fingerprint) for your users through a channel they already trust, for example a web page they fetch over HTTPS, so they can be sure of the identity of the server. A fingerprint received by unauthenticated email or plain FTP gives them no more assurance than the first connection itself, because both can be tampered with by the same attacker.

If you later see a warning that the remote host identification has changed and that a man-in-the-middle attack is possible when you try to connect, it is because the host key presented by the remote computer no longer matches the key stored on the local computer. This is expected, and harmless, if you:

• Change your SSH configuration on either the local or remote computer.

• Perform a clean installation of the server software on the computer you are attempting to log in to using SSH.

• Start up from a Mac OS X Server CD on the computer you are attempting to log in to using SSH.

• Are attempting to SSH in to a computer that has the same IP address as a computer that you previously used SSH with on another network.

To connect again, delete the entries corresponding to the remote computer (it can be stored under both its name and its IP address, possibly on separate lines) from the file ~/.ssh/known_hosts. The next connection prompts for the new fingerprint, which you should verify the same way you did the first time. If none of the situations above applies, do not delete the entry: the mismatch may be a real interception attempt, and you should confirm the new fingerprint with the server's administrator before connecting.
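The following is an added example, not code from the Apple manual, that makes the two manual steps above concrete: what the fingerprint in the first-connect prompt actually is (a hash over the host's public key blob, shown here in both the legacy colon-separated MD5 form the prompt above uses and the SHA256 form current OpenSSH prints), how to check it against a fingerprint obtained out of band, and how the stale entries for a reinstalled host are removed from known_hosts under both its name and its IP address. The key bytes, host names and addresses are constructed for the demo; the file format parsed is the unhashed known_hosts format (lines written under HashKnownHosts begin with "|1|" and cannot be matched by name this way).

```python
"""Added example (not from the Apple manual): SSH host-key fingerprints and
pruning of ~/.ssh/known_hosts. All keys, hosts and addresses are constructed."""
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_key: bytes) -> str:
    """Base64 public-key blob for ssh-ed25519 built from 32 constructed bytes
    (the second field of a known_hosts line). Not a real key pair."""
    assert len(raw_key) == 32
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return base64.b64encode(blob).decode()


def fingerprint_md5(blob: str) -> str:
    """Legacy fingerprint as in the manual's prompt: MD5 of the decoded blob,
    shown as 16 colon-separated hex pairs."""
    digest = hashlib.md5(base64.b64decode(blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(blob: str) -> str:
    """Fingerprint printed by current OpenSSH: SHA256 of the decoded blob,
    base64 without '=' padding, prefixed 'SHA256:'."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_matches(blob: str, expected: str) -> bool:
    """Compare the key offered at connect time with a fingerprint received
    out of band; accepts either format, case-insensitively."""
    expected = expected.strip()
    if expected.startswith("SHA256:"):
        candidate = fingerprint_sha256(blob)
    else:
        candidate = fingerprint_md5(blob)
    return hmac.compare_digest(candidate.lower().encode(), expected.lower().encode())


@dataclass
class KnownHost:
    hosts: list     # one line may name several hosts: "server1.example.com,10.0.0.5"
    keytype: str
    blob: str


def parse_known_hosts(text: str) -> list:
    """Parse unhashed known_hosts lines; blank lines and comments are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        entries.append(KnownHost(parts[0].split(","), parts[1], parts[2]))
    return entries


def remove_host(entries: list, *names: str) -> list:
    """Drop every entry for the given names/addresses, the step the manual
    describes doing by hand (OpenSSH's 'ssh-keygen -R host' does the same).
    A line naming several hosts keeps the ones not being removed."""
    kept = []
    for e in entries:
        remaining = [h for h in e.hosts if h not in names]
        if remaining:
            kept.append(KnownHost(remaining, e.keytype, e.blob))
    return kept


def render(entries: list) -> str:
    """Serialize entries back into known_hosts format."""
    return "".join(f"{','.join(e.hosts)} {e.keytype} {e.blob}\n" for e in entries)


# Constructed sample file: server1 was reached once by name and once by IP,
# so it occupies two lines; server2 was recorded under both on one line.
KEY1 = make_ed25519_blob(bytes(range(32)))
KEY2 = make_ed25519_blob(bytes(range(32, 64)))
SAMPLE_KNOWN_HOSTS = (
    f"server1.example.com ssh-ed25519 {KEY1}\n"
    f"10.0.0.5 ssh-ed25519 {KEY1}\n"
    f"server2.example.com,10.0.0.6 ssh-ed25519 {KEY2}\n"
)

if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    print("server1 MD5:   ", fingerprint_md5(KEY1))
    print("server1 SHA256:", fingerprint_sha256(KEY1))
    # server1 was reinstalled: remove it under both the name and the address.
    print(render(remove_host(entries, "server1.example.com", "10.0.0.5")), end="")
```

Running the script prints both fingerprint forms for the constructed server1 key and the known_hosts content that remains after server1's two entries are removed; the real file is only ever edited when the mismatch has one of the benign causes listed above.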

Chapter 2 Connecting to Remote Computers

Apple Mac OS X Server manual, Updating SSH Key Fingerprints