Tuesday, May 11, 2010

Password-less ssh login

SSH is often used to login without requiring passwords. It requires you generate your own personal set of private/public pair.

RSA security key

Generate personal set of private/public pair (do not use a passphrase): 
user1@deby:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user1/.ssh/id_rsa):
Created directory '/home/user1/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user1/.ssh/id_rsa.
Your public key has been saved in /home/user1/.ssh/id_rsa.pub.
The key fingerprint is:
81:95:1a:bd:32:89:3b:c7:34:da:a2:a0:14:24:26:73 user1@deby
The key's randomart image is:
+--[ RSA 2048]----+
|       ...       |
|+oE   .oo        |
|=o   ..+..       |
| .  . B ..       |
|  .  * +S        |
|..  = +          |
|o. . +           |
|. .              |
|                 |
+-----------------+
Let ssh know your public key (here we are copy public ssh key from the client to remote server): 
cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
Secure .ssh directory so nobody except you can get access there: 
user1@deby:~$ chmod -R go-rwx .ssh/
user1@deby:~$ ls -la .ssh
total 20
drwx------ 2 user1 user1 4096 2010-06-09 15:33 .
drwxr-xr-x 4 user1 user1 4096 2010-06-09 15:22 ..
-rw------- 1 user1 user1 393  2010-06-09 15:33 authorized_keys
-rw------- 1 user1 user1 1675 2010-06-09 15:22 id_rsa
-rw------- 1 user1 user1 393  2010-06-09 15:22 id_rsa.pub

Troubleshooting ssh localhost login

You might need this while using existing ssh tunneling feature, e.g. svn+ssh access. 
user1@deby:~$ ssh deby
ssh_exchange_identification: Connection closed by remote host
You need to add localhost to /etc/hosts.allow, e.g. 
sshd: localhost
Here is another issue that is related to pam_access module (if it configured to prohibit local logins): 
user1@deby:~$ ssh deby
Connection closed by 127.0.0.1
Here is a rule that prohibit local logins except from localhost (file /etc/security/access.conf): 
# Disallow console logins
- : ALL : LOCAL EXCEPT 127.0.0.1

Windows client

If you are using a windows machine to connect to your remote ssh server with PuTTY you need few extra steps to import private key.
  • You need PuTTYgen. Download it from here.
  • Import the key. Menu Conversions > Import key.
  • Save private key (so PuTTY can understand it): Menu File > Save private key (do not set password).
  • Load previously saved session in PuTTY
  • In Category select Connection > Data, enter your remote username into Auto-login username
  • In Category select Connection > SSH, choose SSH2 as your preferred protocol version
  • In Category select Connection > SSH > Auth, browse the private key that you saved with PuTTYgen previously.
  • Save your session

ssh-copy-id

Mac OS X doesn't come with ssh-copy-id, here is a single line command: 
cat ~/.ssh/id_rsa.pub | ssh user@machine \
  "mkdir ~/.ssh; cat >> ~/.ssh/authorized_keys"
You can download script here.
Posted by Andriy Kornatskyy at 11:30 PM
Labels: , ,

No comments :

Post a Comment

Subscribe to: Post Comments ( Atom )