Sunday, 28 July 2013

SSH Keys SETUP -Password Less Authemtication

Getting Started

  1. First, install OpenSSH and OpenSSL on two UNIX machines, umserv1 and umserv2. This works best using DSA keys and SSH2 by default as far as I can tell. All the other HOWTOs I've seen seem to deal with RSA keys and SSH1, and the instructions not surprisingly fail to work with SSH2.
  2. On each server type ssh somemachine.example.com and make a connection with your regular password. This will create a .ssh dir in your home directory with the proper perms.
  3. On your primary machine where you want your secret keys to live (let's say umserv1), type
    ssh-keygen -t dsa
    This will prompt you for a secret passphrase. If this is your primary identity key, make sure to use a good passphrase. If this works right you will get two files called id_dsa and id_dsa.pub in your .ssh dir. Note: it is possible to just press the enter key when prompted for a passphrase, which will make a key with no passphrase. This is a Bad Idea ™ for an identity key, so don't do it! See below for uses of keys without passphrases.
  4. scp ~/.ssh/id_dsa.pub umserv1:.ssh/authorized_keys2
    Copy the id_dsa.pub file to the other host's .ssh dir with the name authorized_keys2.
  5. Now umserv2 is ready to accept your ssh key. How to tell it which keys to use? The ssh-add command will do it. For a test, type
    ssh-agent sh -c 'ssh-add < /dev/null && bash'
    This will start the ssh-agent, add your default identity(prompting you for your passphrase), and spawn a bash shell. From this new shell you should be able to:
  6. ssh umserv2 from umserv1
    This should let you in without typing a password or passphrase. Hooray! You can ssh and scp all you want from this bash shell and not have to type any password or passphrase.

Using X Windows

Now this is all well and good, but who wants to run their whole life from a single bash instance? If you use an X window system, you can type your passphrase once when you fire up X and all sub processes will have your keys stored.
  1. In the ~/.xinitrc file, modify your line which spawns windowmaker to read:
    exec ssh-agent sh -c 'ssh-add </dev/null && exec /usr/local/bin/wmaker'
    This will prompt you for your passphrase when you start up X, and then not again. All shells you spawn from X will have your keys stored.
  2. This brings up a security issue- if someone comes upon your X session, they can spawn ssh sessions to  umserv2 and other hosts where you have put your id_dsa.pub information into the authorized_keys2file. A locking screensaver like xlock is vital.

Different usernames

By default ssh assumes the same username on the remote machine. If you have a different username on the other machine, follow the normal ssh procedure:
[sony@umserv1/]$ ssh –l gony umserv2

0 blogger-disqus:

Post a comment