Richard's Diary

Saturday, January 24, 2009

SSH Keys with Capistrano

With help from
  1. Install capistrano and run "capify ." in your app's root directory
  2. As root on the target machine, "useradd admin" and give it the proper sudo privileges. In keeping with best practices, note that this user does not have a password for login, so we will create a set of keys for this purpose
  3. On the local machine, preferably in the .ssh directory, "ssh-keygen -t rsa" to generate a keypair:
    1. give it not the default name but a modified name, so it is clear which user/host it is for.
    2. Do not enter a passphrase, since you would have to enter it each time you use the key
    3. remove write permissions from the pair
    4. Push it to remote machine
      scp -i id_rsa-gsg-keypair .ssh/id_rsa-admin.pub root@ec2-75-101-235-73.compute-1.amazonaws.com:/home/admin
  4. As root on the remote machine, su to admin:
    1. create the ~/.ssh directory. The owner of the directory is admin, not root, but we will need to make sure this directory is readable, writable and executable only by admin (mode 700)
    2. touch .ssh/authorized_keys so that this file is owned by admin. Again, we will need to ensure that this file is readable and writable only by admin (mode 600)
    3. exit from the admin user
  5. As root again, cat /home/admin/id_rsa-admin.pub >> /home/admin/.ssh/authorized_keys, since the copied public key file is owned by root and only readable by root. The admin user can now read the public key from authorized_keys
  6. rm /home/admin/id_rsa-admin.pub to clean up
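
The remote-side part of steps 4 to 6 as one re-runnable function, an added example that is not from the original post. It takes the home directory as a parameter so it can be exercised against a scratch directory without root; the public key line and the "admin" owner handling are assumptions, and it assumes GNU stat (-c).

```shell
#!/bin/sh
# Added example, not code from the original post.
# Installs a public key for a deploy user with the permissions sshd expects.
set -eu

# install_admin_key HOME_DIR PUBKEY_FILE [OWNER]
# Creates HOME_DIR/.ssh (0700) and HOME_DIR/.ssh/authorized_keys (0600),
# appends the key only if it is not already present, removes the copied
# public key file, and (when OWNER is given, e.g. "admin") chowns .ssh to it.
install_admin_key() {
    home="$1"; pub="$2"; owner="${3:-}"
    keys="$home/.ssh/authorized_keys"
    [ -s "$pub" ] || { echo "no public key at $pub" >&2; return 1; }
    # Refuse anything that does not look like a one-line OpenSSH public key.
    grep -Eq '^ssh-(rsa|ed25519) [A-Za-z0-9+/=]+' "$pub" \
        || { echo "unrecognised key format in $pub" >&2; return 1; }
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$keys"
    chmod 600 "$keys"
    # Idempotent append: an exact duplicate line is never added twice.
    grep -qxF "$(cat "$pub")" "$keys" || cat "$pub" >> "$keys"
    rm -f "$pub"
    # Only meaningful when run as root; skipped when no owner is given.
    [ -z "$owner" ] || chown -R "$owner:$owner" "$home/.ssh"
}

# check_key_perms HOME_DIR: returns 0 if the modes sshd requires are in place
# (sshd silently ignores authorized_keys when these are too permissive).
check_key_perms() {
    home="$1"
    [ "$(stat -c %a "$home/.ssh")" = 700 ] || return 1
    [ "$(stat -c %a "$home/.ssh/authorized_keys")" = 600 ] || return 1
}

# Demo against a scratch directory with a constructed (not real) key line.
demo_home=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructed admin@example\n' \
    > "$demo_home/id_rsa-admin.pub"
install_admin_key "$demo_home" "$demo_home/id_rsa-admin.pub"
check_key_perms "$demo_home" && echo "authorized_keys installed with correct modes"
```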

  7. you should now be able to
    ssh -i .ssh/id_rsa-admin admin@ec2-75-101-235-73.compute-1.amazonaws.com
  8. In order for Capistrano to ssh, add to config/deploy.rb
    ssh_options[:keys] = [File.join(ENV["HOME"], ".ssh", "id_rsa-admin")]
    1. Whatever local machine runs the Capistrano tasks needs to have the private key "~/.ssh/id_rsa-admin"

© 2010 Picky Ricky, Inc.