
SSH between trusted machines with no passwords

Posted by fouzi on September 5, 2010 in HOWTOS, Technology, Unix |

Introduction:

If you find yourself ssh-ing into the same machine(s) over and over and are tired of typing a password, or you have automated shell scripts that need to run remote commands and are needlessly complicated by Expect, you have probably wished you could do away with the account's password entirely. You obviously can't do that, because it would be a HUGE security risk.

What if you could keep the password on the account, but not need to enter it when connecting from a trusted client? That sounds scary, which is why you MUST be sure the client is secure and that you accept the risk: anyone who can read the client's private key file gets the same access you have on every host that trusts it. If you are sure, read on for how to create SSH keys that do not require password authentication.

Conventions:

Before we get started with this HOWTO, here are some housekeeping items.

  • Unix commands are prefixed with a prompt. The prompt contains the hostname followed by a colon followed by the current working directory followed by a dollar sign. For Example:
tuna:~$
  • Unix commands are formatted in the preformat font. For example, an ls command on the machine tuna in the user's home directory would look like this:
tuna:~$ ls
  • The output of Unix commands is also in the preformat font
  • For this HOWTO the client machine is called “tuna” and the remote host that we want to eliminate having to type a password for ssh authentication is called “shark”

Step 1: Create SSH key

Login to tuna. Using the ssh-keygen command, create an RSA key using the following command. RSA is preferred over DSA because OpenSSH limits DSA keys to 1024 bits, which is considered weak, while RSA keys can be made as long as you like (add -b 4096 if you want a longer key than the default). If both ends are recent enough to support it, Ed25519 (-t ed25519) is the modern choice.

tuna:~$ ssh-keygen -q -f ~/.ssh/id_rsa -t rsa

Here’s a quick breakdown on what this command is doing:

  • The -q (quiet) option suppresses the informational output, such as the key fingerprint and randomart
  • The argument following the -f option specifies the file that the private key will be written to; the public key goes to the same name with .pub appended
  • The argument following the -t option tells ssh-keygen which type of key to generate
  • And of course, for more details, RTFM: ssh-keygen(1)

This command will prompt you for a passphrase. You can enter one, but for the use case in this HOWTO it defeats the purpose, because every time you login with the key you will be prompted for the passphrase instead of the password. The middle ground, if you are a human at a keyboard rather than a cron job, is a passphrase plus ssh-agent: you unlock the key once per session and the agent answers the challenges, so the key file on disk is useless to anyone who copies it. For a truly unattended key there is no such protection, so this is where you have to really be sure you trust the client machine and are ok with having no passphrase/password between your hosts. If you are sure, don't type in a passphrase and just hit return both times when prompted for it.

Enter passphrase (empty for no passphrase):
Enter same passphrase again:

Step 2: Copy Public Key to Remote Host

In step 1 you created an RSA private and public key pair. Do an ls on the ~/.ssh directory and you will see these two files:

id_rsa
id_rsa.pub

The id_rsa file contains the RSA private key and the id_rsa.pub file contains the public key. The private key never leaves tuna; ssh-keygen creates it readable only by you (mode 600), and ssh will refuse to use it if you loosen those permissions.

You will need to copy the public key to the host you want to connect to without entering a password. In our example that hostname is shark. Copy it under a distinct name in shark's home directory: copying it to shark's ~/.ssh/id_rsa.pub would silently overwrite shark's own public key if that account has one.

tuna:~$ scp ~/.ssh/id_rsa.pub shark:~/tuna_id_rsa.pub

Step 3: Add Public Key to authorized_keys file on Remote Host

Now that you have copied the public key to shark, you will need to login to shark and add this key to the authorized_keys file. sshd reads ~/.ssh/authorized_keys (it still checks authorized_keys2 by default, but that name is a leftover from the protocol 1/2 split and is only kept for backward compatibility). With the default StrictModes setting, sshd ignores the file entirely if it, ~/.ssh, or your home directory is writable by anyone other than you, so set the permissions as well.

Step 3.1: Login to Remote Host

tuna:~$ ssh shark

Step 3.2: Append Public Key to authorized_keys file

shark:~$ mkdir -p ~/.ssh && chmod 700 ~/.ssh
shark:~$ cat ~/tuna_id_rsa.pub >> ~/.ssh/authorized_keys
shark:~$ chmod 600 ~/.ssh/authorized_keys
shark:~$ rm ~/tuna_id_rsa.pub

Step 4: Connect to Remote Host without a password

Now it’s the moment of truth. Logout from shark or open up a new shell. Connect from tuna to shark with ssh.

tuna:~$ ssh shark

You should now be in a shell on shark without having typed in a password! If you are still prompted, run ssh -v shark on tuna to see which keys it offered, and re-check the permissions on shark's home directory, ~/.ssh, and authorized_keys. Just remember: be careful!
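As an added example, not part of the original post, here is the whole procedure from steps 2 and 3 as a script you would run on tuna. Function names (install_pubkey, push_pubkey, has_key, count_key, is_valid_pubkey) are mine, and it assumes a POSIX sh on both ends and sshd's default AuthorizedKeysFile. It goes a little beyond the post: it validates the key line, skips a key that is already installed, sets the permissions StrictModes requires without changing the caller's umask, streams the key over ssh instead of scp so nothing on shark is overwritten, and optionally prepends authorized_keys options such as from= to pin the key to tuna's address, which limits the damage if the unencrypted private key is ever copied. The key lines in the comments and test are constructed, not real keys.

```shell
#!/bin/sh
# Added example, not code from the original post.

# Accept only "type base64 [comment]" lines for the key types OpenSSH understands.
is_valid_pubkey() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# has_key AUTHORIZED_KEYS_FILE KEYMATERIAL: true if any field of any line equals the material
# (works whether or not the line carries a leading options string such as from="...").
has_key() {
    awk -v k="$2" '{ for (i = 1; i <= NF; i++) if ($i == k) f = 1 } END { exit f ? 0 : 1 }' "$1"
}

# count_key AUTHORIZED_KEYS_FILE PUBKEY_LINE: number of lines carrying that key's material.
count_key() {
    keymat=$(printf '%s\n' "$2" | awk '{ print $2 }')
    awk -v k="$keymat" '{ for (i = 1; i <= NF; i++) if ($i == k) { n++; break } } END { print n + 0 }' "$1"
}

# install_pubkey AUTHORIZED_KEYS_FILE PUBKEY_LINE [OPTIONS]
#   The hardened version of step 3.2: creates ~/.ssh and authorized_keys with the
#   permissions sshd's StrictModes requires, refuses malformed lines, does not add
#   a key twice, and prepends OPTIONS (an authorized_keys option string) if given.
install_pubkey() {
    authfile=$1; key=$2; opts=${3:-}
    is_valid_pubkey "$key" || { printf 'refusing to install malformed key: %s\n' "$key" >&2; return 1; }
    keymat=$(printf '%s\n' "$key" | awk '{ print $2 }')
    (   # subshell so the umask change does not leak into the caller
        umask 077                       # new files 600, new directories 700
        dir=$(dirname "$authfile")
        mkdir -p "$dir" && chmod 700 "$dir"
        touch "$authfile" && chmod 600 "$authfile"
        if has_key "$authfile" "$keymat"; then
            printf 'key already present in %s\n' "$authfile" >&2
        elif [ -n "$opts" ]; then
            printf '%s %s\n' "$opts" "$key" >> "$authfile"
        else
            printf '%s\n' "$key" >> "$authfile"
        fi
    )
}

# push_pubkey HOST PUBKEY_FILE [OPTIONS]
#   Replacement for the post's scp + cat steps, run from tuna. The key is streamed
#   over ssh and appended remotely, so nothing in shark's ~/.ssh is overwritten.
#   You are asked for shark's password once; afterwards key auth takes over.
push_pubkey() {
    host=$1; pubfile=$2; opts=${3:-}
    key=$(cat "$pubfile")
    is_valid_pubkey "$key" || return 1
    [ -n "$opts" ] && key="$opts $key"
    printf '%s\n' "$key" | ssh "$host" 'umask 077; mkdir -p ~/.ssh; chmod 700 ~/.ssh;
        cat >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys'
}

# Usage from tuna, pinning the key to tuna's address (192.0.2.10 is a placeholder)
# and denying port forwarding, so a stolen key is only useful from that address:
#   push_pubkey shark ~/.ssh/id_rsa.pub 'from="192.0.2.10",no-port-forwarding'
```

The from= restriction is enforced by sshd on shark, not by the client, so it still holds after the private key is copied elsewhere; combine it with command="..." for keys that exist only to run one script.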


Copyright © 2009-2025 Fouzi Husaini's Blog All rights reserved.