Cerebro Seco

Make computing life easier without sacrificing your principles!


Non-interactive SSH login with SSH key


Why non-interactive? Simply because it allows one machine to connect to another over SSH without a user having to type in a password. Very useful for unattended connections such as scheduled backups.

Difficulty: easy

The ordinary SSH login relies on a password typed in once the connection reaches the destination. While this is fine when a user wants to access a remote machine, there are times when an unattended connection between two computers is needed. There are certainly programs that would type the password for you, but that adds yet another layer of complexity and leaves the password sitting in a script in clear text.

So the solution here is to rely on so-called authentication keys. Provided the computers on both sides of the connection are trusted and not compromised, authenticating with a key is more secure than using a password: the private key never leaves the client, and it cannot be guessed, brute-forced or phished the way a password can. There is a significant drawback though: if the key is lost or corrupted, through a common hard drive failure for example, there is no way to log in to the server remotely, especially if you disabled password login for increased security. That can be mitigated with a proper backup plan, or with a second key kept somewhere safe.

On the computer that will initiate the connection, generate a key pair (the example below uses RSA; on a current OpenSSH, ssh-keygen -t ed25519 is the better default, and if you stay with RSA add -b 4096 to get a 4096-bit key):

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/a/.ssh/id_rsa):
Created directory '/home/a/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/a/.ssh/id_rsa.
Your public key has been saved in /home/a/.ssh/id_rsa.pub.
The key fingerprint is:
3e:4f:05:79:3a:9f:96:7c:3b:ad:e9:58:37:bc:37:e4 a@A

Don't enter a passphrase! That would defeat the purpose of an unattended login. Be aware of what that means: the private key file (which ssh-keygen creates with mode 600) is then the only thing standing between whoever can read it and a shell on the server. So generate a dedicated key for this one job rather than reusing your personal key, and restrict what it may do when you install it on the server, using authorized_keys options such as from= and command=. And of course your key fingerprint will be different.

Now log in to the remote computer with the usual password method and add the generated public key to its list of authorized keys.

$ ssh login@remote_computer
login@remote_computer's password:

The .ssh folder lives in the user's home directory (~/.ssh), not at the root of the filesystem. sshd also refuses to use the file if the directory or the file is writable by anyone else (this is the StrictModes check, on by default), so ~/.ssh must be mode 700 and authorized_keys mode 600. Append the key with cat, creating the directory and fixing the permissions in the same command:

cat ~/.ssh/id_rsa.pub | ssh login@remote_computer 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'

You can also add the key with ssh-copy-id, which creates the directory, appends the key and fixes the permissions for you. On the first connection to a host the client has never seen, ssh shows the server's host key fingerprint and asks whether to trust it. Compare it with a fingerprint obtained out of band (for instance from ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub on the server's console) before answering yes: a wrong answer here records an impostor's key in known_hosts for every later connection.

$ ssh-copy-id -i ~/.ssh/id_rsa.pub login@remote_computer
The authenticity of host 'remote_computer (192.168.1.134)' can't be established.
RSA key fingerprint is 96:7c:96:7c:96:7c:96:7c:96:7c:96:7c:96:7c:96:7c
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'remote_computer,192.168.1.134' (RSA) to the list of known hosts.
login@remote_computer's password:
Now try logging into the machine, with "ssh 'login@remote_computer'", and check in:

~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

Log out of the remote computer, then initiate the connection again:

ssh login@remote_computer

You should not be asked for any password or passphrase, just be dropped straight into a shell in your home directory on the remote computer.
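Putting the install step above together, here is an added example, written for this page and not taken from the original post or from OpenSSH, of how I would write an automation key into authorized_keys. It creates ~/.ssh and the file with the permissions StrictModes requires, refuses to add the same key twice, and wraps the key in options that limit what a passphrase-less private key can do if it is copied: only from one source address, only one forced command, no forwarding and no tty. The sample public key, the client address 192.168.1.10 and the command /usr/local/bin/backup-pull are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: install an automation key the way
# you would want it on a server, given that the private key has no passphrase.
# The line is written with the permissions sshd's StrictModes insists on
# (700 on ~/.ssh, 600 on the file), without duplicating an entry that is
# already there, and with options that limit what the key can do.
set -eu

# Constructed sample public key for this demonstration; it is not a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0nstructedExampleKeyNotRealAAAAAAAAAAAAAAAAAAAAA backup@client'

# Build one restricted authorized_keys line.
#   $1  public key line as found in id_ed25519.pub or id_rsa.pub
#   $2  pattern for from= (hostname, address or CIDR the client connects from)
#   $3  forced command; whatever the client asks to run, sshd runs this instead
restricted_line() {
    local pubkey="$1" from="$2" cmd="$3"
    printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$from" "$cmd" "$pubkey"
}

# Key type and base64 blob of an authorized_keys line, ignoring any leading
# options and the trailing comment, so the same key is recognised whatever
# options or comment it was installed with.
key_blob() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i+1); exit }
    }'
}

# Append a line to an authorized_keys file, creating the directory and file
# with the permissions sshd requires; a key already present is left alone.
#   $1  path of the authorized_keys file
#   $2  full line to add (plain public key or restricted_line output)
install_key() {
    local target="$1" line="$2" dir blob
    dir=$(dirname "$target")
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$target"
    chmod 600 "$target"
    blob=$(key_blob "$line")
    if grep -qF -- "$blob" "$target"; then
        echo "already installed: $blob" >&2
        return 0
    fi
    printf '%s\n' "$line" >> "$target"
}

# Number of keys in the file (non-blank, non-comment lines).
count_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# True when the directory is 700 and the file is 600, the combination sshd
# accepts with the default StrictModes yes.
perms_ok() {
    local target="$1" dir
    dir=$(dirname "$target")
    [ -n "$(find "$dir" -prune -perm 700)" ] && [ -n "$(find "$target" -prune -perm 600)" ]
}

# Usage on the server, with the client's public key pasted in (assumed paths):
#   install_key ~/.ssh/authorized_keys \
#       "$(restricted_line "$SAMPLE_PUBKEY" 192.168.1.10 /usr/local/bin/backup-pull)"
```

With command= in place the key can no longer open an interactive shell or run "cat >> ~/.ssh/authorized_keys", which is exactly the point: the forced command is the one thing the job needs (for rsync-based backups that would typically be rrsync with a restricted directory), and from= means the key is useless from any other machine even if the file leaks.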

If you're satisfied with the reliability and have a backup of both the public and private key, it's time to disable password authentication on the server. Do this as root, and keep your working session open until the check at the end has passed, so that a mistake cannot lock you out:

nano /etc/ssh/sshd_config

Check and correct accordingly:

RSAAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

Three of these lines need a word of caution on a current OpenSSH. RSAAuthentication only ever applied to SSH protocol 1; protocol 1 was removed from sshd in OpenSSH 7.4 and current releases log a deprecation warning and ignore the keyword, so the line can go. ChallengeResponseAuthentication was renamed KbdInteractiveAuthentication in OpenSSH 8.7 (the old name still works as an alias); it does need to be "no", because with PAM in use the keyboard-interactive method would otherwise still prompt for the account password. UsePAM no is more than most people want: with the two authentication keywords set to "no" there is no password prompt even with UsePAM yes, and the distribution packages (Debian, Ubuntu, Fedora, RHEL) rely on PAM for account and session handling, so leave UsePAM yes unless you know why you are changing it. Finally, sshd uses the first value it sees for each keyword, and an Include line (Debian and Ubuntu ship one at the top of the file for /etc/ssh/sshd_config.d/*.conf) counts at the position where it appears, so a drop-in file there can override what you write lower down.

Then restart the SSH server. Run sshd -t first to check the file for syntax errors; on a systemd host the equivalent of the command below is systemctl restart ssh (Debian, Ubuntu) or systemctl restart sshd (Fedora, RHEL):

/etc/init.d/sshd restart

Check that password authentication really is disabled by connecting with the key switched off on the client side:

$ ssh login@remote_computer -o PubkeyAuthentication=no

You should get "Permission denied (publickey)." and no password prompt. If you are still asked for a password, a drop-in file or an earlier line is overriding your setting; sshd -T, run as root on the server, prints the values sshd actually uses.
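To see why the check above can fail even when sshd_config looks right, here is an added example (my code, written for this page, not from the original post or from OpenSSH) that reads a configuration the way sshd does: Include directives are expanded where they appear, the first occurrence of a keyword wins, and lines after a Match block are ignored because they are conditional. The configuration files used to exercise it are constructed inline; the assumptions are that the "Keyword value" syntax is used (not Keyword=value) and that relative Include patterns are resolved from the current directory rather than from /etc/ssh.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: audit the settings sshd will
# actually use instead of the last line you edited. Two sshd_config rules
# matter: for each keyword the FIRST occurrence wins, and an Include directive
# splices other files in at the point where it appears (Debian and Ubuntu
# ship "Include /etc/ssh/sshd_config.d/*.conf" at the top, so a drop-in such
# as 50-cloud-init.conf can keep PasswordAuthentication yes no matter what
# you write further down).
set -eu

# Print a config with Include directives expanded in place, comments and blank
# lines removed, as "keyword value" lines with the keyword lower-cased.
# Assumptions of this example: "Keyword value" syntax only (not Keyword=value),
# and relative Include patterns resolve from the current directory, whereas
# sshd resolves them from /etc/ssh.
flatten_config() {
    local file="$1" kw rest f
    [ -f "$file" ] || return 0
    while read -r kw rest || [ -n "$kw" ]; do
        case "$kw" in ''|\#*) continue ;; esac   # blank line or comment
        kw=$(printf '%s' "$kw" | tr 'A-Z' 'a-z')
        if [ "$kw" = "include" ]; then
            for f in $rest; do                   # unquoted on purpose: glob expansion
                flatten_config "$f"
            done
        else
            printf '%s %s\n' "$kw" "$rest"
        fi
    done < "$file"
}

# First value sshd would use for a keyword (compared case-insensitively),
# optionally also matching an alias of that keyword; prints nothing when the
# keyword is unset. Keywords after a "Match" line apply only when that Match
# condition holds, so they are not part of the global answer.
effective_value() {
    local file="$1" kw alt
    kw=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    alt=$(printf '%s' "${3:-}" | tr 'A-Z' 'a-z')
    flatten_config "$file" | awk -v kw="$kw" -v alt="$alt" '
        $1 == "match"                        { exit }
        $1 == kw || (alt != "" && $1 == alt) { print $2; exit }'
}

# True when sshd can no longer accept a password: PasswordAuthentication must
# be "no" and so must KbdInteractiveAuthentication (older name, still accepted
# as an alias: ChallengeResponseAuthentication), because with UsePAM yes the
# keyboard-interactive method hands the prompt to PAM, which asks for the
# account password. Both keywords default to yes when absent.
password_login_disabled() {
    local file="$1" pw kbd
    pw=$(effective_value "$file" PasswordAuthentication)
    kbd=$(effective_value "$file" KbdInteractiveAuthentication ChallengeResponseAuthentication)
    [ "${pw:-yes}" = "no" ] && [ "${kbd:-yes}" = "no" ]
}

# Usage on a real host (assumed paths), as root, then compare with what sshd
# itself reports, which is the authoritative answer:
#   password_login_disabled /etc/ssh/sshd_config && echo "password login off"
#   sshd -T | grep -iE '^(password|kbdinteractive)authentication'
```

The awk "exit" on the first hit is what encodes the first-occurrence rule; if you are tempted to fix a setting by appending a line at the end of sshd_config, this is the function that tells you it did nothing.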

Adapted from http://www.linuxproblem.org/art_9.html, http://www.lindonslog.com/linux-unix/ssh-keygen-keys/ and http://lani78.com/2012/07/21/generate-a-ssh-key-and-disable-password-authentication-on-ubuntu-server-12-0/

Additional info: http://www.thegeekstuff.com/2008/11/3-steps-to-perform-ssh-login-without-password-using-ssh-keygen-ssh-copy-id/ and https://help.github.com/articles/generating-ssh-keys/


Creative Commons License
Cerebro Seco by http://cerebroseco.ftp83plus.net is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
Based on a work at http://cerebroseco.ftp83plus.net.