DaemonForums  

#1
Old 20th August 2008
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Howto: Setting up public key password-less 'ssh' access

  • Introduction
  • Generate public and private RSA key pair with 'ssh-keygen'
  • View the RSA key pair
  • Copy the public key 'id_rsa.pub' to the server
  • Check the '.ssh/authorized_keys' file
  • Home work/assignment
Introduction

Buried rather deep in the ssh(1) page, a very terse outline is given of how public key authentication works and how to create keys and distribute them.

For more information about public key authentication see http://en.wikipedia.org/wiki/Public-key_cryptography.

Code:
     Public key authentication works as follows: The scheme is based on pub-
     lic-key cryptography, using cryptosystems where encryption and decryption
     are done using separate keys, and it is unfeasible to derive the decryp-
     tion key from the encryption key.  The idea is that each user creates a
     public/private key pair for authentication purposes.  The server knows
     the public key, and only the user knows the private key.  ssh implements
     public key authentication protocol automatically, using either the RSA or
     DSA algorithms.  Protocol 1 is restricted to using only RSA keys, but
     protocol 2 may use either.  The HISTORY section of ssl(8) contains a
     brief discussion of the two algorithms.

     The file ~/.ssh/authorized_keys lists the public keys that are permitted
     for logging in.  When the user logs in, the ssh program tells the server
     which key pair it would like to use for authentication.  The client
     proves that it has access to the private key and the server checks that
     the corresponding public key is authorized to accept the account.

     The user creates his/her key pair by running ssh-keygen(1).  This stores
     the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol
     2 DSA), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
     ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA), or
     ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home directory.  The us-
     er should then copy the public key to ~/.ssh/authorized_keys in his/her
     home directory on the remote machine.  The authorized_keys file corre-
     sponds to the conventional ~/.rhosts file, and has one key per line,
     though the lines can be very long.  After this, the user can log in with-
     out giving the password.
The steps of the last paragraph are a little bit confusing, because 'ssh' knows an ssh protocol 1 and a protocol 2. In addition, two types of public keys are supported: RSA and DSA.

SSH protocol 1 is unsafe and should be avoided. See the Wikipedia ssh article.

Leaving out the protocol 1 stuff and only choosing RSA keys, the procedure can be rephrased as follows:

Code:
    The user creates his/her key pair by running ssh-keygen(1).

    This stores the private key in ~/.ssh/id_rsa (protocol 2 RSA)
    and stores the public key in ~/.ssh/id_rsa.pub (protocol 2 RSA)
    in the user's home directory. 

    The user should then copy the public key to ~/.ssh/authorized_keys
    in his/her home directory on the remote machine.
Generate public and private RSA key pair with 'ssh-keygen'

From ssh-keygen(1):

Code:
     ssh-keygen generates, manages and converts authentication keys for
     ssh(1).  ssh-keygen can create RSA keys for use by SSH protocol version 1
     and RSA or DSA keys for use by SSH protocol version 2.  The type of key
     to be generated is specified with the -t option.  If invoked without any
     arguments, ssh-keygen will generate an RSA key for use in SSH protocol 2
     connections.
Not being lazy, we specify the RSA key type with the -t option.

Code:
$ ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/home/j65nko/.ssh/id_rsa): Enter 
Created directory '/home/j65nko/.ssh'.
Enter passphrase (empty for no passphrase):  Enter 
Enter same passphrase again:  Enter 
Your identification has been saved in '/home/j65nko/.ssh/id_rsa'.
Your public key has been saved in '/home/j65nko/.ssh/id_rsa.pub'.
The key fingerprint is:
40:e5:83:2a:bf:20:61:92:73:c7:7e:b6:13:da:05:e1 j65nko@protogoras.utp.xnet
A public key can be secured with a passphrase. By specifying a passphrase you will be prompted for this phrase, instead of the login password of the remote box.
ssh-keygen(1) has this to say about the passphrase:

Code:
     The program also asks for a passphrase.  The passphrase may
     be empty to indicate no passphrase (host keys must have an
     empty passphrase), or it may be a string of arbitrary length.
     A passphrase is similar to a password, except it can be a
     phrase with a series of words, punctuation, numbers, whitespace,
     or any string of characters you want.  Good passphrases are
     10-30 characters long, are not simple sentences or otherwise
     easily guessable (English prose has only 1-2 bits of entropy
     per character, and provides very bad passphrases), and contain
     a mix of upper and lowercase letters, numbers, and non-alphanu-
     meric characters.  The passphrase can be changed later by using
     the -p option.

     There is no way to recover a lost passphrase.  If the passphrase
     is lost or forgotten, a new key must be generated and copied
     to the corresponding public key to other machines.
The 'id_rsa' and 'id_rsa.pub' entries of the ssh-keygen(1) FILES section:

Code:
     ~/.ssh/id_rsa
             Contains the protocol version 2 RSA authentication identity of
             the user.  This file should not be readable by anyone but the us-
             er.  It is possible to specify a passphrase when generating the
             key; that passphrase will be used to encrypt the private part of
             this file using 3DES.  This file is not automatically accessed by
             ssh-keygen but it is offered as the default file for the private
             key.  ssh(1) will read this file when a login attempt is made.

     ~/.ssh/id_rsa.pub
             Contains the protocol version 2 RSA public key for authentica-
             tion.  The contents of this file should be added to
             ~/.ssh/authorized_keys on all machines where the user wishes to
             log in using public key authentication.  There is no need to keep
             the contents of this file secret.
View the RSA key pair

Because it did not already exist, ssh-keygen created a '.ssh' directory with very restricted permissions.

Code:
$ ls -ld .ssh
drwx------  2 j65nko  j65nko  512 Jun 16 20:27 .ssh
Also the private key 'id_rsa' has very restricted file permissions: readable and writable by the user only.

The public key 'id_rsa.pub' is readable by the world.

Code:
$ ls -al .ssh
total 16
drwx------  2 j65nko  j65nko   512 Jun 16 20:27 .
drwxr-xr-x  3 j65nko  j65nko   512 Jun 16 20:28 ..
-rw-------  1 j65nko  j65nko  1675 Jun 16 20:27 id_rsa
-rw-r--r--  1 j65nko  j65nko   408 Jun 16 20:27 id_rsa.pub
Code:
$ cd .ssh
$ cat id_rsa.pub

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAnziCaL2QQVhGcGwNxjHkviWFLMrIyAvtoZytyVH+UduCnhySenOzU46CXC6qTSojhkM8v6a4nZA40DGy85VzjyBNDyughcQZLDYouZ1iRB/N9TWIxGbuIrUtjpAD+hZzG5NbJ5uiClUJGu9kt8eeO4id47dxaSKTjB+p073AoPk+O8CGNFAUisqIvD4iE/BxuB8rT6VUdoVsJjEINQD3MvF83LCNft2oUSmNQOo4kExONas37IajCpnnQMAEDOduwroR2rSUyeXrmOunzZYl== j65nko@protogoras.utp.xnet
Copy the public key 'id_rsa.pub' to the server

Code:
$ cat id_rsa.pub | ssh j65nko@192.168.222.44 'cat >>.ssh/authorized_keys' 

The authenticity of host '192.168.222.44 (192.168.222.44)' can't be established.
RSA key fingerprint is 1a:1f:ab:96:c7:ad:1a:3f:9c:e8:2d:73:0f:28:98:07.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.222.44' (RSA) to the list of known hosts.
j65nko@192.168.222.44's password: .......
Explanation of the command:

cat id_rsa.pub | ssh j65nko@192.168.222.44
The 'cat' program displays the contents of 'id_rsa.pub' on standard output. This output is piped through an ssh connection with 192.168.222.44, where it appears on standard input.

The ssh connection is passed the command 'cat >>.ssh/authorized_keys', which will append the standard input to the file '.ssh/authorized_keys' on the 192.168.222.44 box. After this command has finished, the ssh connection will terminate.

IMPORTANT: Note the use of single quotes around the command. This is to prevent the current shell on the client machine from interpreting the shell '>>' file append symbols.

The ssh(1) FILES entry for 'authorized_keys':

Code:
     ~/.ssh/authorized_keys
             Lists the public keys (RSA/DSA) that can be used for logging in
             as this user.  The format of this file is described in the
             sshd(8) manual page.  This file is not highly sensitive, but the
             recommended permissions are read/write for the user, and not ac-
             cessible by others.
From now on we should be able to ssh into 192.168.222.44 without being asked for a password.

But as a famous Dutch football coach said: "Each advantage has its disadvantage". So walking away from your box while still logged in will not only allow anyone access to your own box, but also to the 192.168.222.44 server!

Check the '.ssh/authorized_keys' file

We 'ssh' into the server to double check our work.

Code:
$ ssh j65nko@192.168.222.44 'ls -ld .ssh ; ls -al .ssh ; tail -2 .ssh/authorized_keys' 

drwx------  2 j65nko  j65nko  512 Mar 10 01:55 .ssh
total 52
drwx------   2 j65nko  j65nko   512 Mar 10 01:55 .
drwxr-xr-x  50 j65nko  j65nko  7680 Jun 16 20:12 ..
-rw-r--r--   1 j65nko  j65nko  1216 Jun 16 20:31 authorized_keys
-rw-------   1 j65nko  j65nko  1675 Nov 11  2006 id_rsa
-rw-r--r--   1 j65nko  j65nko   402 Nov 11  2006 id_rsa.pub
-rw-r--r--   1 j65nko  j65nko  8493 Jun 14 03:09 known_hosts

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAnziCaL2QQVhGcGwNxjHkviWFLMrIyAvtoZytyVH+UduCnhySenOzU46CXC6qTSojhkM8v6a4nZA40DGy85VzjyBNDyughcQZLDYouZ1iRB/N9TWIxGbuIrUtjpAD+hZzG5NbJ5uiClUJGu9kt8eeO4id47dxaSKTjB+p073AoPk+O8CGNFAUisqIvD4iE/BxuB8rT6VUdoVsJjEINQD3MvF83LCNft2oUSmNQOo4kExONas37IajCpnnQMAEDOduwroR2rSUyeXrmOunzZYl== j65nko@protogoras.utp.xnet
Here we tell ssh to execute 'ls -ld .ssh ; ls -al .ssh ; tail -2 .ssh/authorized_keys' on the server 192.168.222.44.

As you can see we are not prompted for a password, nor a passphrase.

Another possibility not to be bothered with too much password stuff is to use 'ssh-agent'. But that is for another guide or howto.

Home work/assignment

What is the sh command to set the recommended permissions of the 'authorized_keys' file?

$Id: ssh-nopasswd.xml,v 1.5 2008/08/20 01:37:17 j65nko Exp $
$Id: vbul-html.xsl,v 1.9 2008/08/20 01:26:20 j65nko Exp $
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
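The append step above ('cat >>.ssh/authorized_keys') and the permissions the ssh(1) FILES entry recommends, as an added example that is neither J65nko's code nor part of OpenSSH: two POSIX sh functions. 'install_pubkey' does what the guide's server-side 'cat >>' does, but first creates '.ssh' with mode 700 if it is missing, refuses input that is not a single '<type> <base64> [comment]' line as written by ssh-keygen, skips a key that is already listed, and leaves 'authorized_keys' readable and writable by the owner only. 'check_ssh_perms' compares the mode strings that 'ls -l' prints against the ones shown in the guide's listings. The function names, the optional HOMEDIR argument, the list of accepted key types and the key line in the usage comment are assumptions constructed for this example. Run it on the server after copying the '.pub' file there, or point HOMEDIR at a scratch directory to see what it does.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSSH).
#
# install_pubkey PUBKEY_FILE [HOMEDIR]
#   Append the public-key line in PUBKEY_FILE to HOMEDIR/.ssh/authorized_keys
#   (HOMEDIR defaults to $HOME), creating .ssh (mode 700) and authorized_keys
#   (mode 600) as needed, refusing malformed input and skipping duplicates.
#   Usage with a constructed key file:  install_pubkey /tmp/id_rsa.pub
install_pubkey() {
    pubkey_file=$1
    homedir=${2:-$HOME}
    sshdir="$homedir/.ssh"
    authkeys="$sshdir/authorized_keys"

    # A .pub file written by ssh-keygen holds one line: "<type> <base64> [comment]",
    # separated by single spaces, so the first two fields can be cut off with
    # parameter expansion (no word splitting, no globbing of the key material).
    key=$(head -n 1 "$pubkey_file") || return 1
    keytype=${key%% *}
    rest=${key#* }
    blob=${rest%% *}

    # Accepted key types are an assumption for this example; extend as needed.
    case $keytype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "install_pubkey: '$pubkey_file' does not start with a known key type" >&2
           return 1 ;;
    esac
    # The blob must be non-empty and contain only base64 characters; this also
    # catches a private key or arbitrary text pasted by mistake.
    case $blob in
        ''|*[!A-Za-z0-9+/=]*)
            echo "install_pubkey: key blob in '$pubkey_file' is not base64" >&2
            return 1 ;;
    esac

    # Create .ssh and authorized_keys with restrictive modes. umask 077 keeps
    # anything we create private; chmod corrects pre-existing files.
    old_umask=$(umask)
    umask 077
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || { umask "$old_umask"; return 1; }
    touch "$authkeys" && chmod 600 "$authkeys" || { umask "$old_umask"; return 1; }
    umask "$old_umask"

    # Same type and blob already authorized (the comment may differ): nothing to do.
    if grep -qF -- "$keytype $blob" "$authkeys"; then
        echo "install_pubkey: key already present in $authkeys" >&2
        return 0
    fi
    printf '%s\n' "$key" >> "$authkeys"
}

# check_ssh_perms [HOMEDIR]
#   Report every file under HOMEDIR/.ssh whose mode string, as 'ls -l' shows it,
#   is wider than the guide's listings (drwx------ for .ssh, -rw------- for the
#   private key and authorized_keys). Returns 0 when everything present is fine.
check_ssh_perms() {
    homedir=${1:-$HOME}
    rc=0
    for entry in ".ssh:drwx------" ".ssh/id_rsa:-rw-------" \
                 ".ssh/authorized_keys:-rw-------"; do
        path="$homedir/${entry%%:*}"
        want=${entry#*:}
        [ -e "$path" ] || continue
        have=$(ls -ld "$path" | cut -c1-10)
        if [ "$have" != "$want" ]; then
            echo "check_ssh_perms: $path is $have, want $want" >&2
            rc=1
        fi
    done
    return $rc
}
```

Unlike the bare 'cat >>', running 'install_pubkey' twice with the same key is a no-op, and a file that is not a public key is refused instead of being appended to 'authorized_keys'. The mode strings in 'check_ssh_perms' are the same ones you read off 'ls -al .ssh' in the guide, so it works the same on BSD and Linux without depending on a particular 'stat' syntax.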
#2
Old 20th August 2008
BSDfan666
Real Name: N/A, this is the interweb.
Helpful companion
 
Join Date: Apr 2008
Location: Ontario, Canada

A very nicely done introduction, nice work j65nko.
#3
Old 20th August 2008
anomie
Local
 
Join Date: Apr 2008
Location: Texas

Yep -- good addition to the Guides forum.
__________________
Kill your t.v.
#4
Old 20th August 2008
Darwimy
Port Guard
 
Join Date: Jun 2008
Location: Germany

Using ssh-agent isn't that difficult and makes things a lot easier especially if used with security/keychain. Just install keychain and add the following line to your .cshrc file:
Code:
eval `keychain --eval id_rsa`
Note the use of single backticks. This tells keychain to load the id_rsa file you created earlier. After this you don't have to start ssh-agent every time you log in.
#5
Old 31st August 2008
harisman
Fdisk Soldier
 
Join Date: May 2008
Location: Hellas (Greece)

Actually it is safer to use dsa instead of rsa:
ssh-keygen -t dsa