Thursday, November 29, 2007

Passwordless Login For SSH

I've recently set up a new backup server, and I wanted to be able to automate backups from my workstations to the server. I will be using OpenSSH (scp) as the transfer agent between the workstations and the server. By default the OpenSSH server asks for a password every time you log in, so automation is impossible without a bit of tweaking.

Creating an environment where passwords are unnecessary can be achieved using public-key cryptography. In this process we create a unique identity for the workstation user (or other system), and the server then recognises that user by a private/public key pair: the private key stays on the workstation and the public key is installed on the server.

There are a number of steps that need to be completed, on both workstation and server, to achieve password-less logins. I have written the required server commands inside the ssh command, to simplify the process. You will need a working OpenSSH server and a user account on it before beginning.

1. On the Workstation
On the workstation I log in as the user who needs the SSH access to the server (this is really important, as we are creating a key for this user). If more than one user needs access, you will need to create keys for each user and system.

If no .ssh directory exists in the user's home directory you'll need to create one:
# mkdir ~/.ssh
# chmod 700 ~/.ssh
Now change directory into .ssh and create your SSH key (if you would like a DSA key instead of RSA, use ssh-keygen -t dsa in the ssh-keygen command below). Text such as Press [Enter] after a prompt represents your user input:
# cd ~/.ssh
# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa): Press [Enter]
Enter passphrase (empty for no passphrase): Press [Enter]
Enter same passphrase again: Press [Enter]
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
f3:12:g5:23:1f:b2:f7:a0:65:b1:89:72:82:f2:23:g0 username@ssh.server.tld

*Note: If you decide to use a passphrase when creating your SSH key then you will be prompted to enter your passphrase every time you log in, unless you use ssh-agent. For more information please see: ssh-agent(1), http://upc.lbl.gov/docs/user/sshagent.html

2. On the server
Now we need to go to the server and prepare the environment for SSH keys. You will need to log in to the server as the user who needs the SSH access. E.g. if I log in as the user kris on my workstation, I need to be the user kris on the server as well (if you have different user names on the server and workstation, please see Note A at the bottom of the post).
We are going to use one command string to complete all of the jobs on the server; you will be prompted for the password once, before the commands run:
# ssh username@ssh.server.tld \
'mkdir ~/.ssh; \
chmod 0700 ~/.ssh'
Password: * * * * * *

3. On the Workstation
Now we need to copy the .pub key from our workstation to the server.
# scp ~/.ssh/id_rsa.pub username@ssh.server.tld:.ssh/MY_keys
Password: * * * * * *
id_rsa.pub 100% 397 0.4KB/s 00:00
# ssh-add
Identity added: /home/kris/.ssh/id_rsa (/home/kris/.ssh/id_rsa)

4. On the server
Now we just need to verify that the file copied over, and then append its contents to the .ssh/authorized_keys file:
# ssh username@ssh.server.tld \
'cat ~/.ssh/MY_keys >> ~/.ssh/authorized_keys; \
chmod 600 ~/.ssh/authorized_keys; \
ls ~/.ssh/'
Password: * * * * * *
MY_keys authorized_keys

5. On the Workstation
Now if you go back to your workstation you should be able to log in to the server without typing your password:
# ssh username@ssh.server.tld
or
# ssh ssh.server.tld
Notes:
Note A. If you have differing user names on the server and workstation there is an easy solution:
After creating your ssh-key (# ssh-keygen -t rsa), edit the resulting id_rsa.pub (or id_dsa.pub) file and change the user name to the user name on the server.
E.g. If I have a user kris on my workstation and a user sirk on my server I would edit the id_rsa.pub file on the workstation from this:
ssh-rsa Asdasdasdc9asdaDp5Lq8+SMdZRPzgjr65i4684xbmtrZKMQ== kris@workstation.domain.tld
to this:
ssh-rsa Asdasdasdc9asdaDp5Lq8+SMdZRPzgjr65i4684xbmtrZKMQ== sirk@workstation.domain.tld
Note B. If you do not have a fully qualified domain name, or an /etc/hosts file listing your workstations' and servers' IP addresses, you may also need to change the domain name used in your id_rsa.pub file to an IP address.
E.g. from this:
ssh-rsa Asdasdasdc9asdaDp5Lq8+SMdZRPzgjr65i4684xbmtrZKMQ== kris@workstation.domain.tld
to this:
ssh-rsa Asdasdasdc9asdaDp5Lq8+SMdZRPzgjr65i4684xbmtrZKMQ== kris@192.168.0.3
Note C. If you have another server running OpenSSH and you want to log in from the same workstation using the new key, just copy your id_rsa.pub (or id_dsa.pub) to each server as in the example above, making sure to copy the contents of MY_keys into ~/.ssh/authorized_keys.
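Steps 1 to 5 above (and the multi-server case of Note C) collapsed into one idempotent script, as an added example that is not part of the original post. It assumes an OpenSSH client on the workstation, a POSIX sh login shell on the server, and a hypothetical user@host argument such as sirk@ssh.server.tld; that argument (or a User line in ~/.ssh/config) is what selects the server account, since sshd does not read the comment field at the end of id_rsa.pub.

```shell
#!/bin/sh
# Added example, not the post's own commands: steps 1 to 5 as one idempotent
# script.  Hypothetical usage:  ./push_key.sh sirk@ssh.server.tld
# Assumes an OpenSSH client here and a POSIX sh login shell on the server.
set -eu
KEY="${HOME}/.ssh/id_rsa"

# Step 1: create ~/.ssh and an RSA key pair (empty passphrase, as in the
# post), but never overwrite an identity that already exists.
ensure_local_key() {
    mkdir -p "${HOME}/.ssh"
    chmod 700 "${HOME}/.ssh"
    [ -f "${KEY}" ] || ssh-keygen -t rsa -N "" -f "${KEY}" </dev/null >/dev/null
}

# Steps 2 and 4 on a local path: create authorized_keys with the right
# permissions and append one public-key line, skipping it when that exact line
# is already there (step 4's bare ">>" adds a duplicate on every rerun).
install_key() {  # install_key <pubkey line> <authorized_keys path>; 1 = no change
    pub=$1; ak=$2; dir=$(dirname "${ak}")
    mkdir -p "${dir}"
    chmod 700 "${dir}"
    touch "${ak}"
    chmod 600 "${ak}"
    if grep -qxF -- "${pub}" "${ak}"; then
        return 1
    fi
    printf '%s\n' "${pub}" >> "${ak}"
}

# Steps 3 and 4 in one ssh session: the same logic runs on the server with the
# public key on stdin, so no MY_keys file is needed and the password is typed
# once.  The account comes from user@host: sshd never reads the comment field
# of id_rsa.pub, so Notes A and B need no edit to the key file.
push_key() {  # push_key <user@host>
    ssh "$1" 'umask 077; mkdir -p ~/.ssh; chmod 700 ~/.ssh;
        touch ~/.ssh/authorized_keys; k=$(cat);
        grep -qxF -- "$k" ~/.ssh/authorized_keys ||
        printf "%s\n" "$k" >> ~/.ssh/authorized_keys' < "${KEY}.pub"
}

if [ $# -eq 1 ]; then
    ensure_local_key
    push_key "$1"
    # Step 5: BatchMode=yes makes ssh fail rather than fall back to a password.
    ssh -o BatchMode=yes "$1" true && echo "passwordless login to $1 works"
fi
```

Run it once per server (Note C); re-running it against the same server changes nothing, and a failing final step means the server is still asking for a password.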

3 comments:

Kevin M. Mullins said...

Nice Post Kris.

This can really help folks with remote support and large environments.

Kris said...

Thanks Kevin!
This kind of set-up can certainly make a huge difference in many network configurations.
Also this method is way more secure than usernames and passwords.
I'm glad that you found my post useful cheers Kevin :-)

Suresh M said...

Hi Krish.. that was good info for me. But the different user on workstation and server scenario is still not working.. it is still asking for a password. I tried a lot of options without any success.. any idea..