SECURITY SSH without a password

Posted by bank / Zyber Ryu, 24.01.2006 08:29:47

The following instructions describe how to set up your SSH server to accept password-free logins.

Client setup

Because there are two versions of the SSH protocol, version 1 and version 2, identities are tied to the protocol version. Most SSH servers use version 2 of the protocol due to the limitations of version 1.

List of protocols and their identity types:

Protocol    Type    Command line
Version 1   RSA1    -t rsa1
Version 2   RSA     -t rsa
Version 2   DSA     -t dsa

After determining which identity type you want, it is time to create your private and public SSH keys (in this article we use DSA keys). On the client machine type:

$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/gerard/.ssh/id_dsa):

The default location is fine, so just press Enter.

Enter passphrase (empty for no passphrase):

Press Enter again for an empty passphrase, at least if you do not want to be bothered for a password. One could set up an ssh-agent to handle the passphrases, although this document does not cover that process.

Enter same passphrase again:

Press Enter again.

key fingerprint is: 6f:c5:86:c7:67:69:02:1a:e4:a9:20:e6:16:13:5d:e5 username@host

That process created two files in ~/.ssh:

Contents of ~/.ssh:
-rw------- 1 bob users 668 Jun 17 23:52 id_dsa
-rw-r--r-- 1 bob users 602 Jun 17 23:52 id_dsa.pub

Server setup

The file named id_dsa.pub is your public key, which you should copy to the server (here referred to as remotebox). Its contents should be appended to a file named ~/.ssh/authorized_keys on the server.

Copy the id_dsa.pub file to the remote system:

$ cd ~/.ssh
$ scp id_dsa.pub username@remotebox:

Enter your password to transfer the file, so that we can set up the authorized_keys file later.

$ ssh -l username remotebox
Password:
Last login: Mon Jun 14 09:53:58 2004
$

Append id_dsa.pub to ~/.ssh/authorized_keys, taking care to restrict permissions:

$ mkdir -p .ssh
$ chmod 700 .ssh
$ cat id_dsa.pub >> .ssh/authorized_keys
$ chmod 600 .ssh/authorized_keys

Then delete the id_dsa.pub file, and log out:

$ rm id_dsa.pub
$ exit

Or simply run this magical command:

$ cat ~/.ssh/id_dsa.pub | ssh user@remotebox "mkdir -p .ssh && chmod 700 .ssh && cat >> .ssh/authorized_keys && chmod 600 .ssh/authorized_keys"

Client & Server Setup (Alternative with ssh-installkeys)

This part describes how to use the ssh-installkeys tool. It will do the steps explained above automatically.

First install ssh-installkeys:

$ echo "net-misc/ssh-installkeys" >> /etc/portage/package.keywords
$ emerge -av net-misc/ssh-installkeys

And run it:

$ ssh-installkeys username@remotebox

ssh-installkeys will do all the tasks needed to set up the local key files and the remote login, which includes:

  • creating a keypair on the local system (if there is none)
  • logging into the remote system (the password is needed)
  • adding the public key to the remote system's ~/.ssh/authorized_keys
  • checking and adjusting the security settings of the local and remote ssh files.

Testing

$ ssh -l username remotebox
Last login: Thu Jun 17 23:55:36 2004 from 192.168.34.2
$

If the system did not query you for a password, everything is working properly. If it did not work, check your sshd_config file. The following options should be set:

/etc/ssh/sshd_config:
# Allow Identity Auth for SSH1?
RSAAuthentication yes

# Allow Identity Auth for SSH2?
PubkeyAuthentication yes

Now repeat the server part for every server you want to be able to log in to without specifying the password.
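When checking sshd_config, keep in mind that sshd uses the first value it reads for a keyword, so an earlier "no" silently beats a later "yes". The following script is an added example, not part of the original article; the function names and the sample file are constructed for illustration, and it assumes Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not from the original article). Reports the value sshd will
# use for a keyword in the global section of an sshd_config-style file.
# Assumptions: Include files and Match blocks are not evaluated.

# sshd_effective FILE KEYWORD DEFAULT
# sshd keeps the FIRST value it reads for a keyword, so a later
# "PubkeyAuthentication yes" does not override an earlier "no".
sshd_effective() {
    awk -v want="$2" -v def="$3" '
        /^[ \t]*#/ || NF == 0   { next }        # comments and blank lines
        tolower($1) == "match"  { exit }        # global section ends here
        tolower($1) == tolower(want) {          # keywords are case-insensitive
            print $2; found = 1; exit
        }
        END { if (!found) print def }           # unset: built-in default
    ' "$1"
}

# pubkey_login_ok FILE: succeed only if public key login is enabled.
pubkey_login_ok() {
    [ "$(sshd_effective "$1" PubkeyAuthentication yes)" = "yes" ]
}

# Constructed sample: the option appears twice and the first line wins.
write_sample() {
    cat > "$1" <<'EOF'
# Allow Identity Auth for SSH2?
#PubkeyAuthentication yes
pubkeyauthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
}

# Run as: sh check_sshd.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    echo "PubkeyAuthentication $(sshd_effective "$1" PubkeyAuthentication yes)"
fi
```
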

You can add the following line to your ~/.bashrc to be able to have root access to your box without having to give your root password.

~/.bashrc:
alias root="ssh -l root 127.0.0.1"

Be careful with this, because anyone with access to your box will be able to issue this command!

Warning

Make sure that you keep your private key (~/.ssh/id_dsa) secret! While it is safe to give your public key (~/.ssh/id_dsa.pub) to anybody, you should be extremely careful that nobody else can read your private key (~/.ssh/id_dsa)! Everybody who has access to the private key can log in to any machine where the matching public key is installed, so guard it jealously! You have been warned :)
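To check that the permissions set in the server setup (700 on ~/.ssh, 600 on authorized_keys) and the private key secrecy demanded above actually hold, the following script audits an SSH directory. It is an added example, not part of the original article; the function names and finding labels are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit an SSH directory against
# the modes the article sets: 700 on the directory, 600 on authorized_keys,
# and no group/other access to any private key.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds when group and other have no access at all (mode & 077 == 0).
owner_only() {
    [ $(( 0$(mode_of "$1") & 077 )) -eq 0 ]
}

# audit_ssh_dir DIR: print one finding per line, return 1 if any was found.
audit_ssh_dir() {
    dir=$1
    bad=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 1
    fi
    owner_only "$dir" || { echo "LOOSE-DIR $dir ($(mode_of "$dir"))"; bad=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in
            */authorized_keys) kind=AUTHKEYS ;;
            *)  # Private keys start with a "-----BEGIN ... PRIVATE KEY-----" line.
                head -n 1 "$f" | grep -q 'PRIVATE KEY-----' || continue
                kind=PRIVKEY ;;
        esac
        owner_only "$f" || { echo "LOOSE-$kind $f ($(mode_of "$f"))"; bad=1; }
    done
    return $bad
}

# Run as: sh audit_ssh.sh ~/.ssh   (run it on the client and on each server)
if [ "$#" -gt 0 ]; then
    audit_ssh_dir "$1"
fi
```
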
