Howto: Setting up public key password-less 'ssh' access
Howto: Setting up public key password-less 'ssh' access
Buried rather deep in the ssh(1) page, a very terse outline is given how public key authentication works, how to create keys and distribute them.
For more information about public key authentication see http://en.wikipedia.org/wiki/Public-key_cryptography.
Public key authentication works as follows: The scheme is based on pub- lic-key cryptography, using cryptosystems where encryption and decryption are done using separate keys, and it is unfeasible to derive the decryp- tion key from the encryption key. The idea is that each user creates a public/private key pair for authentication purposes. The server knows the public key, and only the user knows the private key. ssh implements public key authentication protocol automatically, using either the RSA or DSA algorithms. Protocol 1 is restricted to using only RSA keys, but protocol 2 may use either. The HISTORY section of ssl(8) contains a brief discussion of the two algorithms. The file ~/.ssh/authorized_keys lists the public keys that are permitted for logging in. When the user logs in, the ssh program tells the server which key pair it would like to use for authentication. The client proves that it has access to the private key and the server checks that the corresponding public key is authorized to accept the account. The user creates his/her key pair by running ssh-keygen(1). This stores the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol 2 DSA), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA), or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home directory. The us- er should then copy the public key to ~/.ssh/authorized_keys in his/her home directory on the remote machine. The authorized_keys file corre- sponds to the conventional ~/.rhosts file, and has one key per line, though the lines can be very long. After this, the user can log in with- out giving the password.
SSH protocol 1 is unsafe and should be avoided. See the Wikipedia ssh article.
Leaving out the protocol 1 stuff and only choosing RSA keys the procedure can be rephrased as follows:
The user creates his/her key pair by running ssh-keygen(1). This stores the private key in ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home directory. The user should then copy the public key to ~/.ssh/authorized_keys in his/her home directory on the remote machine.
ssh-keygen generates, manages and converts authentication keys for ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1 and RSA or DSA keys for use by SSH protocol version 2. The type of key to be generated is specified with the -t option. If invoked without any arguments, ssh-keygen will generate an RSA key for use in SSH protocol 2 connections.
$ ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/j65nko/.ssh/id_rsa): Enter Created directory '/home/j65nko/.ssh'. Enter passphrase (empty for no passphrase): Enter Enter same passphrase again: Enter Your identification has been saved in '/home/j65nko/.ssh/id_rsa'. Your public key has been saved in '/home/j65nko/.ssh/id_rsa.pub'. The key fingerprint is: 40:e5:83:2a:bf:20:61:92:73:c7:7e:b6:13:da:05:e1 firstname.lastname@example.org
ssh-keygen(1) has this to say about the passphrase:
The program also asks for a passphrase. The passphrase may be empty to indicate no passphrase (host keys must have an empty passphrase), or it may be a string of arbitrary length. A passphrase is similar to a password, except it can be a phrase with a series of words, punctuation, numbers, whitespace, or any string of characters you want. Good passphrases are 10-30 characters long, are not sim- ple sentences or otherwise easily guessable (English prose has only 1-2 bits of entropy per character, and provides very bad passphrases), and contain a mix of upper and lowercase letters, numbers, and non-alphanu- meric characters. The passphrase can be changed later by using the -p option. There is no way to recover a lost passphrase. If the passphrase is lost or forgotten, a new key must be generated and copied to the corresponding public key to other machines.
~/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. This file should not be readable by anyone but the us- er. It is possible to specify a passphrase when generating the key; that passphrase will be used to encrypt the private part of this file using 3DES. This file is not automatically accessed by ssh-keygen but it is offered as the default file for the private key. ssh(1) will read this file when a login attempt is made. ~/.ssh/id_rsa.pub Contains the protocol version 2 RSA public key for authentica- tion. The contents of this file should be added to ~/.ssh/authorized_keys on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret.
Because it did not already exist ssh-keygen created a '.ssh' directory with very restricted permissions
$ ls -ld .ssh drwx------ 2 j65nko j65nko 512 Jun 16 20:27 .ssh
The public key 'id_rsa.pub' is readable by the world.
$ ls -al .ssh total 16 drwx------ 2 j65nko j65nko 512 Jun 16 20:27 . drwxr-xr-x 3 j65nko j65nko 512 Jun 16 20:28 .. -rw------- 1 j65nko j65nko 1675 Jun 16 20:27 id_rsa -rw-r--r-- 1 j65nko j65nko 408 Jun 16 20:27 id_rsa.pub
$ cd .ssh $ cat id_rsa.pub ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAnziCaL2QQVhGcGwNxjHkviWFLMrIyAvtoZytyVH+UduCnhySenOzU46CXC6qTSojhkM8 v6a4nZA40DGy85VzjyBNDyughcQZLDYouZ1iRB/N9TWIxGbuIrUtjpAD+hZzG5NbJ5uiClUJGu9kt8eeO4id47dxaSKTjB+p073AoPk+ O8CGNFAUisqIvD4iE/BxuB8rT6VUdoVsJjEINQD3MvF83LCNft2oUSmNQOo4kExONas37IajCpnnQMAEDOduwroR2rSUyeXrmOunzZYl == email@example.com
$ cat id_rsa.pub | ssh firstname.lastname@example.org 'cat >>.ssh/authorized_keys' The authenticity of host '192.168.222.44 (192.168.222.44)' can't be established. RSA key fingerprint is 1a:1f:ab:96:c7:ad:1a:3f:9c:e8:2d:73:0f:28:98:07. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.222.44' (RSA) to the list of known hosts. email@example.com's password: .......
cat id_rsa.pub | ssh firstname.lastname@example.org
The 'cat' program displays the contents of the 'id_rsa.pub>' on standard output. This output is piped through a ssh connection with 192.168.222.44, where it appeas on standard input.
The ssh connection is passed the command 'cat >>.ssh/authorized_keys', which will append the standard input to the file '.ssh/authorized_keys' on the 192.168.222.44 box. After this command has finished, the ssh connection will terminate.
IMPORTANT: Note the use of single quotes around the command. This is to prevent the current shell on the client machine from interpreting the shell ">>' file append symbols.
The ssh(1) FILES entry for 'authorized_keys':
~/.ssh/authorized_keys Lists the public keys (RSA/DSA) that can be used for logging in as this user. The format of this file is described in the sshd(8) manual page. This file is not highly sensitive, but the recommended permissions are read/write for the user, and not ac- cessible by others.
But as a famous Dutch football coach said: "Each advantage has it's disadvantage". So walking away from you box while still logged in, will not only allow anyone access to your own box, but also to the 192.168.222.44 server!
Check the '.ssh/authorized_keys' file
We 'ssh' in to the server to double check our work.
$ ssh email@example.com 'ls -ld .ssh ; ls -al .ssh ; tail -2 .ssh/authorized_keys' drwx------ 2 j65nko j65nko 512 Mar 10 01:55 .ssh total 52 drwx------ 2 j65nko j65nko 512 Mar 10 01:55 . drwxr-xr-x 50 j65nko j65nko 7680 Jun 16 20:12 .. -rw-r--r-- 1 j65nko j65nko 1216 Jun 16 20:31 authorized_keys -rw------- 1 j65nko j65nko 1675 Nov 11 2006 id_rsa -rw-r--r-- 1 j65nko j65nko 402 Nov 11 2006 id_rsa.pub -rw-r--r-- 1 j65nko j65nko 8493 Jun 14 03:09 known_hosts ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAnziCaL2QQVhGcGwNxjHkviWFLMrIyAvtoZytyVH+UduCnhySenOzU46CXC6qTSojhkM8 v6a4nZA40DGy85VzjyBNDyughcQZLDYouZ1iRB/N9TWIxGbuIrUtjpAD+hZzG5NbJ5uiClUJGu9kt8eeO4id47dxaSKTjB+p073AoPk+ O8CGNFAUisqIvD4iE/BxuB8rT6VUdoVsJjEINQD3MvF83LCNft2oUSmNQOo4kExONas37IajCpnnQMAEDOduwroR2rSUyeXrmOunzZYl == firstname.lastname@example.org
As you can see we are not prompted for a password, nor a passphrase.
Another possibility not to be bothered with too much password stuff is to use 'ssh-agent'. But that is for another guide or howto
What is the sh command to set the recommended permissions of the 'authorized_keys' file?
$Id: ssh-nopasswd.xml,v 1.5 2008/08/20 01:37:17 j65nko Exp $
$Id: vbul-html.xsl,v 1.9 2008/08/20 01:26:20 j65nko Exp $
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
|public key, ssh|
|Thread||Thread Starter||Forum||Replies||Last Post|
|IPSec Tunnel - no public key found||mikesg||OpenBSD Security||4||7th October 2009 06:49 AM|
|secure ssh with public key||milo974||OpenBSD Security||11||9th July 2008 05:52 PM|
|Apache on two servers but one public IP||marco64||General software and network||2||4th June 2008 08:29 PM|
|OS to run in a public computer?||Sunnz||Off-Topic||31||23rd May 2008 06:47 PM|