Wednesday, August 15, 2012

How to configure an SSH connection with no password

This is needed to:
  • Log in from a user account on one system to a user account on another system without typing the password.
  • Allow automatic scripts to execute remote commands or copy / move data from one system to another.
Be aware of:
  • If the user account you use to connect to remote systems is hacked, all your systems might be compromised.
  • Do not allow the root user to connect remotely without a password unless it is really necessary, because the risk is higher.
  • The configuration is not bidirectional. You must do all the steps to configure the connection back from the remote to the local system.
In my case, I will show you how to configure an SSH connection from the user sergio of the local system odin (Ubuntu 12.04 with kernel 3.2.0-29) to the user coord of the remote system mudel (Debian 6.0 with kernel 2.6.32-5).

The steps are:
  1. Create a pair of keys (public and private) in the user's home of the system you will use to connect to the remote system. The command to use is ssh-keygen.
    You can change the filenames where your keys will be stored.
    When asked about the passphrase, keep it empty, otherwise it will be required when establishing a connection to the remote system.
    sergio@odin:~$ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/sergio/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/sergio/.ssh/id_rsa.
    Your public key has been saved in /home/sergio/.ssh/id_rsa.pub.
    The key fingerprint is:
    ce:bb:e5:75:e4:8f:23:67:09:12:c8:9c:39:ad:3e:bd sergio@odin
    The key's randomart image is:
    +--[ RSA 2048]----+
    |                 |
    |                 |
    |       o =       |
    |        B o      |
    |        So .  .  |
    |       o. . .o   |
    |       .o.....o. |
    |        o+....=o |
    |        ooE. +...|
    +-----------------+
  2. A .ssh directory will be created containing the two files. Make sure the private key file (id_rsa) stays readable only by its owner, as in the listing below.
    sergio@odin:~$ ls -l .ssh
    total 8
    -rw------- 1 sergio sergio 1679 ago 15 11:46 id_rsa
    -rw-r--r-- 1 sergio sergio  393 ago 15 11:46 id_rsa.pub
  3. Append the content of the public key file (id_rsa.pub) to the file ~/.ssh/authorized_keys on the remote system. To do so, you can send it by e-mail, copy and paste it, remote-copy it to a temporary file, or use the ssh-copy-id tool, which does all the work for you.
    sergio@odin:~$ ssh-copy-id coord@mudel
    The authenticity of host 'mudel (192.168.56.1)' can't be established.
    RSA key fingerprint is 0c:48:50:6c:67:df:1f:8c:ac:22:c2:ee:0b:a8:98:55.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'mudel,192.168.56.1' (RSA) to the list of known hosts.
    coord@mudel's password:
    Now try logging into the machine, with "ssh 'coord@mudel'", and check in:

      ~/.ssh/authorized_keys

    to make sure we haven't added extra keys that you weren't expecting.
  4. The first time you establish an SSH connection to a host, its key fingerprint is shown (as in the ssh-copy-id output above) and you are asked whether it should be appended to the ~/.ssh/known_hosts file. Answer yes.
  5. Now try to connect.
    sergio@odin:~$ ssh coord@mudel
    Linux mudel 2.6.32-5-686 #1 SMP Tue Mar 8 21:36:00 UTC 2011 i686

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Wed Aug 15 12:07:26 2012
    coord@mudel:~$
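The following script is an added example and is not part of the original post. It checks offline the two things steps 2 and 3 tell you to verify: that the private key is readable only by its owner (mode 600) and that authorized_keys contains only the keys you expected to add. The sample .ssh directory and the key strings in it are constructed placeholders, not real keys; the functions assume GNU stat (-c) or BSD stat (-f) and a POSIX awk.

```sh
#!/bin/sh
# Added example, not code from the original post. Audits a ~/.ssh directory:
# private key permissions and unexpected entries in authorized_keys.

# Return 0 when the file is mode 600 (owner read/write only), 1 otherwise.
# Assumes GNU stat (-c) or, failing that, BSD/macOS stat (-f).
private_key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Print every line of authorized_keys ($1) whose key is not listed in the
# expected public-key file ($2). Keys are compared on "<type> <base64>", so
# leading options (from="...", no-pty, ...) and trailing comments are ignored.
# Returns 1 if at least one unexpected key was found, 0 otherwise.
unexpected_authorized_keys() {
    authorized="$1"
    expected="$2"
    awk '
        # Return "<type> <base64>" for a key line, skipping any options
        # field in front of the key type; "" if no key type is found.
        function keyid(line,    n, f, i) {
            n = split(line, f, " ")
            for (i = 1; i < n; i++)
                if (f[i] ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)/)
                    return f[i] " " f[i+1]
            return ""
        }
        # First file: the keys we expect.
        FILENAME == ARGV[1] { id = keyid($0); if (id != "") expected[id] = 1; next }
        # Second file: authorized_keys; skip blank lines and comments.
        /^[ \t]*(#|$)/ { next }
        { id = keyid($0)
          if (id == "" || !(id in expected)) { print; found = 1 } }
        END { exit (found ? 1 : 0) }
    ' "$expected" "$authorized"
}

# Constructed sample data: a fake private key with loose permissions, the
# expected public key, and an authorized_keys file with one extra entry.
demo_dir=$(mktemp -d)
printf 'FAKE PRIVATE KEY (constructed sample)\n' > "$demo_dir/id_rsa"
chmod 644 "$demo_dir/id_rsa"
printf 'ssh-rsa AAAAB3constructedKeyForSergio== sergio@odin\n' > "$demo_dir/id_rsa.pub"
{
    printf 'ssh-rsa AAAAB3constructedKeyForSergio== sergio@odin\n'
    printf 'ssh-rsa AAAAB3constructedKeyForSomebodyElse== unknown@host\n'
} > "$demo_dir/authorized_keys"

if private_key_mode_ok "$demo_dir/id_rsa"; then
    echo "id_rsa permissions ok"
else
    echo "id_rsa is not mode 600, fixing with chmod 600"
    chmod 600 "$demo_dir/id_rsa"
fi

echo "Keys in authorized_keys that were not expected:"
unexpected_authorized_keys "$demo_dir/authorized_keys" "$demo_dir/id_rsa.pub" \
    || echo "(remove the lines above if you did not add them yourself)"

rm -rf "$demo_dir"
```

Run it against a real directory by calling the two functions with ~/.ssh/id_rsa, the remote ~/.ssh/authorized_keys and the id_rsa.pub you copied over; a non-empty listing from unexpected_authorized_keys is the "extra keys that you weren't expecting" the ssh-copy-id message refers to.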
