Difference between revisions of "SSH login without passwords"

From assela Pathirana
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
==Synopsis==
==Synopsis==
Whenever the ssh command is used to login to a remote machine, user needs to provide the remote machines password. While this is an obvious security issue , it soon becomes a headache once you start to login fifty-times a day to the same, known-and-trusted server from your known-and-trusted client! For such situations, the following is a good approach.
{{wbox|;IMPORTANT:
;IMPORTANT:
The method described here has inherant problem of sever being vulnarable if the client is compromised.  There is no line of defence in between. This arises from the fact that we don't enter a pass-phrase when creating the key-pair. To overcome this issue, without going through the trouble of entering a password (or phrase) at every login, use the application known as [[Keychain]].}}
The method described here has inherant problem of sever being vulnarable if the client is compromised. There is no line of defence in between. To overcome this issue the application known as [[Keychain]] can be used.  
Whenever the ssh command is used to login to a remote machine, user needs to provide the remote machines password. While this is an obvious security precaution, it soon becomes a headache once you start to login fifty-times a day to the same, known-and-trusted server from your known-and-trusted client! For such situations, the following is a good approach.


==Howto==
==Howto==
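Review bot: The rewritten warning paragraph still carries the misspellings "inherant", "sever" and "vulnarable" from the previous revision. Since this edit touches that paragraph anyway, correct them to "inherent", "server" and "vulnerable". The added sentence naming the empty pass-phrase as the cause is a useful clarification and should stay.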
Line 9: Line 9:
client1
client1
server1
server1
</nowiki></pre>respectively and username in the remote machine is <nowiki>
</nowiki></pre>respectively and username in the server (remote machine) is <nowiki>
</nowiki><pre><nowiki>
</nowiki><pre><nowiki>
user1
user1
Line 15: Line 15:
#Create public-private key pair in client1<nowiki>
#Create public-private key pair in client1<nowiki>
</nowiki><pre><nowiki>
</nowiki><pre><nowiki>
$ssh-keygen -t dsa -f ~/.ssh/id_dsa
$ ssh-keygen -t dsa -f ~/.ssh/id_dsa
Generating public/private dsa key pair.
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase): (Don't type anything, just press enter here.)
Enter passphrase (empty for no passphrase): (Don't type anything, just press enter here.)
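Review bot: The "Don't type anything, just press enter here." instruction at the passphrase prompt is kept unchanged, and it is the step that creates the exposure described in the warning edited at Line 1. Consider adding a short pointer to Keychain next to this prompt so the reader sees the trade-off at the point where it is made. The only visible change in this hunk is the space after "$".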
Line 22: Line 22:
</nowiki></pre>
</nowiki></pre>
#Copy public-key to somewhere in server1<nowiki>
#Copy public-key to somewhere in server1<nowiki>
</nowiki><pre><nowiki>scp ~/.ssh/id_dsa.pub user1@client1:~/.ssh/id_dsa.pub</nowiki></pre>
</nowiki><pre><nowiki>$ scp ~/.ssh/id_dsa.pub user1@server1:~/.ssh/id_dsa.pub</nowiki></pre>
#In the server1, append the public-key for client1 to the authorized-keys file<nowiki>
#In the server1, append the public-key for client1 to the authorized-keys file<nowiki>
</nowiki><pre><nowiki>cat ~user1/.ssh/id_dsa.pub >> ~user1/.ssh/authorized_keys2</nowiki></pre>
</nowiki><pre><nowiki>cat ~user1/.ssh/id_dsa.pub >> ~user1/.ssh/authorized_keys2</nowiki></pre>
#Secure the authorized-keys file (otherwise the scheme will not work!) and remove unnecessary files. (in server1) <nowiki>
#Secure the authorized-keys file (otherwise the scheme will not work!) and remove unnecessary files. (in server1) <nowiki>
</nowiki><pre><nowiki>
</nowiki><pre><nowiki>
chmod 640 ~user1/.ssh/authorized_keys2
$ chmod 640 ~user1/.ssh/authorized_keys2
rm ~user1/.ssh/id_dsa.pub
$ rm ~user1/.ssh/id_dsa.pub
</nowiki></pre>.
</nowiki></pre>.
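Review bot: The "cat ~user1/.ssh/id_dsa.pub >> ~user1/.ssh/authorized_keys2" line is the only command in this hunk left without the "$ " prompt that the scp, chmod and rm lines gained; add it for consistency. The closing "</nowiki></pre>." also keeps its trailing ".", which will render as a stray full stop after the block. Changing the scp target from user1@client1 to user1@server1 agrees with the step text "Copy public-key to somewhere in server1".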



Latest revision as of 17:36, 29 September 2009

Synopsis

IMPORTANT

The method described here has the inherent problem of the server being vulnerable if the client is compromised. There is no line of defence in between. This arises from the fact that we don't enter a pass-phrase when creating the key-pair. To overcome this issue, without going through the trouble of entering a password (or phrase) at every login, use the application known as Keychain.

Whenever the ssh command is used to log in to a remote machine, the user needs to provide the remote machine's password. While this is an obvious security precaution, it soon becomes a headache once you start to log in fifty times a day to the same, known-and-trusted server from your known-and-trusted client! For such situations, the following is a good approach.

Howto

Note
Let's assume the client and server names are client1 and server1 respectively, and the username on the server (remote machine) is user1.

  1. Create public-private key pair in client1
    $ ssh-keygen -t dsa -f ~/.ssh/id_dsa
    Generating public/private dsa key pair.
    Enter passphrase (empty for no passphrase): (Don't type anything, just press enter here.)
    Enter same passphrase again: (Again empty)
    52:da:75:66:09:15:5e:cb:6f:a3:xd:39:rd:15:f6:da user@client1
  2. Copy public-key to somewhere in server1
    $ scp ~/.ssh/id_dsa.pub user1@server1:~/.ssh/id_dsa.pub
  3. In the server1, append the public-key for client1 to the authorized-keys file
    $ cat ~user1/.ssh/id_dsa.pub >> ~user1/.ssh/authorized_keys2
  4. Secure the authorized-keys file (otherwise the scheme will not work!) and remove unnecessary files. (in server1)
    $ chmod 640 ~user1/.ssh/authorized_keys2
    $ rm ~user1/.ssh/id_dsa.pub


Now you should be able to log in from client1 to user1@server1 without providing a password.
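The "otherwise the scheme will not work!" in the last step comes from sshd's StrictModes setting (on by default): the authorized-keys file is ignored if the file, ~/.ssh or the home directory is writable by group or others. The script below is an added example, not part of the original page; it approximates that check using mode bits only (sshd also checks ownership), and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: approximate the mode check sshd applies (StrictModes) to the
# path leading to an authorized-keys file. Mode bits only; ownership is not
# checked here. Function names are hypothetical.

# writable_by_others PATH -> succeeds if PATH is group- or world-writable
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# check_authorized_keys HOME_DIR [FILE_NAME]
# Prints one line per problem found; returns 0 if the chain is clean, 1 if not.
check_authorized_keys() {
    home=$1
    name=${2:-authorized_keys2}   # file name used in the steps above
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/$name"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            rc=1
        elif writable_by_others "$p"; then
            echo "group/world-writable: $p"
            rc=1
        fi
    done
    return $rc
}

# Run on server1 as user1:  sh thisfile.sh check
if [ "${1:-}" = "check" ]; then
    check_authorized_keys "$HOME" "${2:-authorized_keys2}"
fi
```

A clean result means the permissions will not stop key login; if login still prompts for a password, look at the sshd log on server1 next.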