Thursday, April 22, 2010

Password-less SSH authentication

Assuming that you are managing a huge array of remote servers from multiple data centers and server collocated with different time zones. It would be a nightmare to remember how passwords are kept and updated.  There are custom based solutions to address these issues but if for example you don't have the luxury of creating such automation password vaults to remember these passwords instantly.  Then the next logical thing would be to employ password authentication, which will allow you to gain quick access to servers that needs your immediate investingation.  

Logging In Via SSH Without A Password

Quite often, you want to ssh into a remote server without having to enter a password. I use this mostly for scripts that I want to run non-interactively, like the rdiff-backup script I use for backing up my home computer to a remote server. SSH allows you to do this in a relatively secure way using public key authentication.
The first thing you’ll need is a working ssh server that you want to access, and an ssh client on the computer you want to access it from. ssh is such a common tool in linux, that the client should come pre-installed on your distribution. I’m assuming that you’re looking for answers on this topic because you already have an ssh server you want passwordless access to, so I’m not going to go into detail on setting up an ssh server – although I will cover setting up an existing ssh server for passwordless login.

setting up the server for passwordless login

You will need to make sure that the server will accept passwordless logins. This means you have to enable public key authentication on the server. To do this, open up /etc/ssh/sshd_config in a text editor (I would suggest nano or kate). Then make sure that the following two lines are uncommented, or if not there, add them in. To uncomment the line, remove the ‘#’ from the beginning of the line:
RSAAuthentication yes
PubkeyAuthentication yes
You will need to restart the ssh server. Do this with:
/etc/init.d/ssh restart
Finally make sure that permissions are right on the server. If there’s no ~/.ssh directory, make one:
mkdir ~/.ssh
Once you’ve got a ~/.ssh directory, change the permissions using:
chmod 700 ~/.ssh
that should be enough to setup the server side of things.

setting up the client side of the equation

First you’ll need to setup a keypair. If you already have the files ~/.ssh/id_rsa and ~/.ssh/, you should be good to go. If not, then you need to add them. Use the following command:
ssh-keygen -t rsa
You will then be asked some questions. Simply hit “Enter” to answer them all:
Generating public/private rsa key pair. 
Enter file in which to save the key (/home/skx/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again:
Your identification has been saved in /home/skx/.ssh/id_rsa.
Your public key has been saved in /home/skx/.ssh/
Answering without putting in a password means that the keys can be unlocked without a password, which is the whole point of “passwordless” login. Now we can do a little magic. Previously when setting up passwordless logins with ssh, I’ve gone through a dance of copying keys from the local computer to the remote computer. However, now I’ve found a new programme that does all this automagically. So, type this into a terminal:
ssh-copy-id -i ~/.ssh/ username@remote_host
Obviously you will need to replace “username” with the user you want to login as on the remote computer, and “remote_host” with the ip/hostname of the ssh server. This command will ask you for a password – don’t be alarmed; this sets up the passwordless-ness, so needs a password to do it. Once you’ve done this, you should be good to go. Try logging into the remote server, and you should be password free.

No comments:

Post a Comment