Introduction: Linux Setup for SSH Password Less Login.
There was traditionally two kinds of authentication. RSA and DSA. RSA should not be used any more. Public key authentication can only be established on a per system / user basis only i.e. it is not system wide. You will be setting up ssh with DSA public key authentication for SSH version 2 on two machines.
Note: you will need to be able to use the command line/terminal for this project.
Note: For both the server and the client port 22 should be changed to some number above 1024 that is an unused port. Both numbers must be the same unless you are an advanced user, Other settings should be changed as well. (i.e. disable root access)
$ sudo vim /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
The nmap command is a good way remotely to determine what ports are being used. You may like this instructable also: https://www.instructables.com/id/Linux-screen-play/
Step 1: What Do You Need?
#1 machine : Client machine with ssh installed
$ sudo apt-get update
$ sudo apt-get install ssh
#2 machine : A remote server with ssh and openssh-server
$ sudo apt-get update
$ sudo apt-get install ssh openssh-server
Note: I usually add openssh-server to all machines except those I do not want there to be ssh access.
Step 2: Settin Up the Keys.
Step #1: Generate DSA Key Pair
Use ssh-keygen command as follows:$ ssh-keygen -t dsa
Output:
Enter file in which to save the key (/home/usernane/.ssh/id_dsa): Press [Enter] key Enter passphrase (empty for no passphrase): myPassword Enter same passphrase again: myPassword Your identification has been saved in /home/username/.ssh/id_dsa. Your public key has been saved in /home/username/.ssh/id_dsa.pub. The key fingerprint is: 04:be:15:ca:1d:0a:1e:e2:a7:e5:de:98:4f:b1:a6:01 username@username-desktop
Caution: a) Please enter a passphrase different from your account password and confirm the same.
b) The public key is written to /home/you/.ssh/id_dsa.pub.
c) The private key is written to /home/you/.ssh/id_dsa.
d) It is important you never-ever give out your private key.
Step 3: Directory Set Up and Key Copy to Server.
Next make sure you have correct permission on .ssh directory:$ cd
$ chmod 700 .ssh
Update note: Must have been thinking about wev serverdirectory permissions 755 s/b 700.t
Typically you want the .ssh directory permissions to be 700 (drwx------) and the public key (.pub file) to be 644 (-rw-r--r--). Your private key (id_rsa) should be 600 (-rw-------). |
Copy public key.
Now copy file ~/.ssh/id_dsa.pub on Machine #1 (tom) to remote server as ~/.ssh/authorized_keys. The command scp is an ssh based network file copy command and it will copy your public key file in this step. (you will be asked your your password on the server to log in.$ scp ~/.ssh/id_dsa.pub user@server:.ssh/authorized_keys
Note: You can get to the calculator from here:
http://www.onlineconversion.com/html_chmod_calculator.htm
Step 4: Server Side.
What you just did frim the client machine.
$ scp ~/.ssh/id_dsa.pub user@bennjerrys:.ssh/authorized_keys
Warning: If you already have an
authorized_keys file this will write over it.
(safer way)From client machine
$ scp ~/.ssh/id_dsa.pub user@bennjerrys:.
Server side.
$ cat
id_dsa.pub >>
.ssh/authorized_keys
Change permissions so only you can see and access it.
$ chmod 600 ~/.ssh/authorized_keys
Note: An
authorized_key
file (no "s" at the end) is for the old rsa keys.Step 5: Back to the Client.
Type the following command at shell prompt:
$ exec /usr/bin/ssh-agent $SHELL
$ ssh-add
Step 6: Loggin In.
$ ssh user@servername
or
$ ssh user@remote-server.com
or
$ scp file user@servername:/tmp
Now if you try to logon in from the client to get to a share, you should not get a second password window.
Tada!!
Step 7: Advanced.
[code]
#!/bin/bash # ## USAGE: add_to_server.sh remote_server # ## This script will add your ssh dsa public key to remote_server's authorized_keys list, ## assuming that everything is in it's default location # set -v # verbose output username="USERNAME" # CHANGE ME!!!! remote_server=$1 # assigns the first commandline argument to $remote_server # # ## Pipe the public key to ssh, then remotely touch the file to make sure it will be there, and concat to the end of it. ## Might work without the touch? cat ~/.ssh/id_dsa.pub | ssh ${username}@${remote_server} "touch ~/.ssh/authorized_keys && cat - >> ~/.ssh/authorized_keys" # exit 0 [/code]
Step 8:
One of the things most people hate to do is to type in passwords. Not only could someone be looking over your shoulder, but also the password gets sent where it can be easily monitored. There has to be a better way. A method very much used on 'nix systems (including OS/X) is called the 'secure shell' (ssh for short). You can actually use it on Microsoft systems also, but it requires more than usual extra setup.
$ ssh typo1
password: _
Anyway, if you are setting up a new system and or recovering from a hard disk crash, setting up the ssh keys to all the servers or systems you log into can be a lot of fun. There had to be a way of automating this process. The process is usually just three steps. Copy your key to the new server, adding the key to the authorized_key files, and then lastly removing the copied key if need be. So let's make a batch file to take care of this.
Installkey.sh
[code]
# invoke with ./Installkey.sh servername
# copy the key
scp .ssh/id_dsa.pub $1:~/.
# install the key
ssh $1 'cat id_dsa.pub >> .ssh/authorized_keys'
# remove the public key you just copied
ssh $1 'rm ~/id_dsa.pub'
[/code]
Save it to an ascii file.
Enable the shell file
$ chmod +x Installkey.sh
Run the code:
$ ./Installkey.sh typo1
Now you should be able to log into the server without typing a password.
$ ssh typo1
Linux typo1 2.6.32-5-686 #1 SMP Sun May 6 04:01:19 UTC 2012 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Debian comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
/)
o /' )
/' ( ,.
__/' ) .' `;
o _.-~~~~' ``---..__ .' ;
_.--' b) ``--...____.' .'
( _. )). `-._ <
`\|\|\|\|)-.....___.- `-. __...--'-.'.
`---......____...---`.___.'----... .' `.;
`-` `
This machine is for the exclusive use of OE.
Anyone attempting to gain, or gaining access other
than as specifically authorized will be prosecuted
under all applicable statutes plus all applicable
civil rules for damages.
------------------------------------------------------------------------
You have mail.
Last login: Sun Aug 19 05:15:37 2012 from oedt01
$ _
But then I thought, what I need to do a bunch of servers, even that could be tedious. So let's add some more code. First we need to make a list of the servers we want to update and save them to a file.
servers:
[data]
typo1
oesrvr1
...
[/data]
Now we need to use the original code and add a routine to read the server names from a file. That allows us to just type in one command and do all the servers. If we need to add a new server to the list, you just add it to the servers file. One bit of caution is that if you have run the program before, you do not need to do it again on prepared servers. Rename the existing servers file and start a new servers file.
srvrsshupdate.sh:
[code]
##################################### Update remote ssh server keys
# by the sysadmin
# date: 08/19/2012
#=================================
# Assignments
# --------------------------------
# servers has list of servers to update (s/b 1 server name per line)
servernamefile="servers"
# end assignments
#=================================
#
# Just do it. (main loop)
#---------------------------------
while read line
do server= $line
scp .ssh/id_dsa.pub $server:~/.
ssh $server 'cat id_dsa.pub >> .ssh/authorized_keys'
ssh $server 'rm ~/id_dsa.pub'
done < $servernamefile
# end of main loop
#==================================
# End of job
###################################
[/code]
Alternative code:
[code]
# invoke with ./Installkey.sh servername
# set up the .ssh dir if it does not exists
DIRECTORY=",ssh"
ssh $1 'if [ ! -d "$DIRECTORY" ]; then mkdir $DIRECTORY ;chmod 700 $DIRECTORY ; fi'
# copy the key
scp $DIRECTORY/id_dsa.pub $1:~/.
# install the key
ssh $1 'cat id_dsa.pub >> $DIRECTORY/authorized_keys'
ssh $1 'chmod 600 $DIRECTORY/authorized_keys '
# remove the public key you just copied
ssh $1 'rm ~/id_dsa.pub'
[/code]
Enable
$ chmod +x srvrsshupdate.sh
Run it
$ srvrsshupdate.shMy desktop bit the dust I decieded to put a new install of linux (Debian replaced Ubuntu.) You really should not use old ssh keys, so I regenerated a new key and proceeded to update all the servers.Step 9:
$ ssh oesrvr1 "kitt"