You can login to a remote Linux server without entering password in 3 simple steps using ssky-keygen and ssh-copy-id .
ssh-keygen creates the public and private keys. ssh-copy-id copies the local-host’s public key to the remote-host’s authorized_keys file. ssh-copy-id also assigns proper permission to the remote-host’s home, ~/.ssh, and ~/.ssh/authorized_keys.
This is the new method. The Old Way To create passwordless ssh login is here : http://linux-server-admin.blogspot.com/2012/06/passwordless-ssh.html
Step 1: Create public and private keys using ssh-key-gen on local-host
jsmith@local-host$ [Note: You are on local-host here]
jsmith@local-host$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jsmith/.ssh/id_rsa):[Enter key]
Enter passphrase (empty for no passphrase): [Press enter key]
Enter same passphrase again: [Press enter key]
Your identification has been saved in /home/jsmith/.ssh/id_rsa.
Your public key has been saved in /home/jsmith/.ssh/id_rsa.pub.
The key fingerprint is:
33:b3:fe:af:95:95:18:11:31:d5:de:96:2f:f2:35:f9 jsmith@local-host
Step 2: Copy the public key to remote-host using ssh-copy-id
jsmith@local-host$ ssh-copy-id '-i ~/.ssh/id_rsa.pub remote-host'
jsmith@remote-host's password:
Now try logging into the machine, with "ssh 'remote-host'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Note: ssh-copy-id appends the keys to the remote-host’s .ssh/authorized_key.
for example using username:
ssh-copy-id '-i ~/.ssh/id_rsa.pub root@remote-host.com'
or with port number of remote sshd and remote host's IP :
ssh-copy-id '-p 22 -i ~/.ssh/id_rsa.pub root@12.34.56.78'
Step 3: Login to remote-host without entering the password
jsmith@local-host$ ssh remote-host.com
Last login: Sun Nov 16 17:22:33 2008 from 192.168.1.2
[Note: SSH should did not ask for password.]
jsmith@remote-host$ [Note: You are on remote-host here]
The above 3 simple steps should get the job done in most cases.
To get a password-less connection from local user1 to remote user2, copy the user1 public key(id_rsa.pub) to the remote user2 “authorized_keys” file using a pipe over ssh:
$ cat /home/user1/.ssh/id_rsa.pub |ssh root@remote_server ‘cat >> /home/user2/.ssh/authorized_keys’
DO NOT FOLLOW THIS RECIPE NAIVELY – it is very dangerous, since a key with no passphrase is the moral equivalent of dumping your password in a file in the clear. Anyone who gets even momentary access to your private key TOTALLY OWNS any accounts where you’ve installed the public part.
The only way you should use an unencrypted key (no passphrase) is if you can guarantee total and eternal security of the private part. This might be possible, but is highly unlikely. That said, there are just two responsible ways to use keys:
– encrypt the key by providing a passphrase when you generate it. this may seem strange, since to use it, you’ll need to provide the passphrase, which is presumably harder than a password. and *that* is why ssh-agent exists: it lets you supply the passphrase once, not every time. (you can have ssh-agent timeout the passphrase after a fixed time, or keep it as long as its running.)
- constrain the key wherever it’s installed, so that it can only perform some limited function. for instance, if the key’s purpose is to permit something unattended like a backup, use openssh’s “command=” syntax so that the key can only be used for that, not to get a shell or tunnel through firewalls. (“man sshd” to see the syntax for the .authorized_keys file – constraining a key to particular client machines is also a good idea, etc.)
Why does it not work as a regular user?
The tutorial works for me if I do it as root but that creates a security hole. When a create a user ‘user_ssh’ and follow the intructions, it seems to work but when I do
an ‘ssh hostname’ it asks me for:
Enter passphrase for key ‘/home/user_rsync/.ssh/id_rsa’:
I got it to work by adding quotes on the “ssh” statement. See my cron below:
———————
#!/bin/sh
# the line below works for root
#rsync -av –progress –stats –exclude “*.LCK” -e ssh user_rsync@remotehost:/home/www/ /home/www
# the line below works for none root user
rsync -av –progress –stats –exclude “*.LCK” -e “ssh -i /home/user_rsync/.ssh/id_rsa.pub user_rsync@remotehost:/home/www/” /home/www
One thing that worries me now is that before when the user was root the report creared only show and overall of totals when no files were transfered but now that I am doing the rsync as a regular user the email I get has a list of all the files even if no files were transfer. I hope some one is reading this.
“sshd will NOT ACCEPT an authorized_keys file if either directory ~/.ssh or ~ are writable by Group or Others”
SSH would still ask for a password.
This solved my problem.
Remove a user from a group:
‘sudo gpasswd -d user-to-remove group’
No comments:
Post a Comment