If you’re using OpenSSH to connect to a remote Linux machine, then this may come as bliss. This is based on public key authentication: (1) create a key pair, a private and a public one, and then (2) save the public key in the authorized_keys file on the remote machine. The next time you log in using SSH to the remote server from the local machine where you have saved the private key, you won’t have to enter the password! Isn’t it cool? OK, now let’s get down to business, shall we?

Step 0: Make sure the RSA and public key authentication methods are enabled (they are generally enabled by default) in /etc/ssh/sshd_config on the remote machine. It should look like the following:

RSAAuthentication yes
PubkeyAuthentication yes

and then reload the configuration if you had to modify it:

$ sudo /etc/init.d/ssh reload

You need administrative rights for the above.

Step 1: Use the command ssh-keygen to create the key pair:

$ ssh-keygen -t rsa

Save the key to the default location, viz. ~/.ssh/id_rsa. When you hit enter, it’ll ask you for a passphrase — leave it empty (see warning below). You need to hit enter once more to confirm it.

Now if you go to the ~/.ssh directory, you’ll see that two new files have been created: id_rsa (your private key: don’t lose it or give it to somebody else!) and the public key, id_rsa.pub.

Step 2: We need to append the public key to the authorized_keys file or save the key as a new file with the name authorized_keysX (where X is a number to avoid conflict) in the ~/.ssh directory on the remote machine. We’ll use the fancy vi trick that we saw earlier:

$ vi scp://remoteuser@remote.machine.com//home/remoteuser/.ssh/authorized_keys

Enter your password when you’re asked. Once the vi window opens up, go to the end of the file (hit Shift+G) and then append the public key file:

:r id_rsa.pub

assuming you’re still in the ~/.ssh directory on the local machine. Next, save the file and exit.

Note: you may also use

$ ssh-copy-id remoteuser@remote.machine.com

to automatically put the ID in the desired place.
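
What Step 2 does by hand, written as an idempotent shell function to run on the remote machine. This is an added example, not part of the original post or of OpenSSH; the name install_pubkey and its return codes are made up for illustration.

```shell
#!/bin/sh
# Added example: idempotent version of Step 2, run on the remote machine.
# install_pubkey is a hypothetical helper name, not an OpenSSH tool.
# Usage: install_pubkey PUBKEY_FILE [SSH_DIR]   (SSH_DIR defaults to ~/.ssh)
install_pubkey() {
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 2; }

    # Refuse a private key: appending id_rsa instead of id_rsa.pub leaks it.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a private key, refusing" >&2
        return 3
    fi

    # Take the first non-empty line and require a known public key type.
    key=$(grep -v '^[[:space:]]*$' "$pub" | head -n 1)
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "$pub does not look like a public key" >&2; return 4 ;;
    esac

    # With StrictModes (the sshd default) group- or world-writable
    # files are rejected, so set owner-only modes explicitly.
    mkdir -p "$dir" && chmod 700 "$dir" || return 5
    touch "$auth" && chmod 600 "$auth" || return 5

    # Already authorized? Compare whole lines as fixed strings.
    if grep -qxF -- "$key" "$auth"; then
        echo present
        return 0
    fi

    # Make sure the file ends in a newline so two keys never share a line.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
    echo added
}
```

Running it a second time with the same key prints "present" and leaves authorized_keys unchanged.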

Now you are all set to log in to the remote machine using ssh without a password!

WARNING: The big security concern and a work-around (still being lazy!)

The ease of this method has a very strong downside: if the local machine is compromised, the attacker will waltz onto the remote machine. A way out of this is to protect your private key with a non-empty passphrase. That also means every time the machine requires access to the private key (i.e., every time you log in to the remote machine where you saved your public key), you have to enter the passphrase. What’s the use of this hoopla then, you may ask. Well, when there is a wish there is a way too: by committing the key to the local system’s ‘memory’, you type the passphrase once and only once for the whole session.

OK. Let’s first change the passphrase to a non-empty string, shall we?

$ ssh-keygen -p

It’ll ask for the location of the key. Then you’ll have to enter a passphrase and verify it (don’t leave this empty this time).

Next make the system remember your key:

$ ssh-add

It’ll ask for the passphrase (in order to ‘unlock’ your private key) and then for the whole session you won’t need any password/passphrase to log in to the remote machine.