Friday, August 24, 2012

Password-less SSH

How to Setup Password-less SSH Using Public - Private Keys



This HOWTO is a step-by-step guide for configuring and using password-less SSH on Linux systems. It is intended for a technical audience: Linux system administrators and security people in corporations and organizations that want to use password-less SSH on their Linux systems.
The term "password-less" means that SSH authentication is carried out using public and private keys. Using public/private key authentication with SSH enables SSH logins without prompting for a password interactively; this is known as SSH key authentication.
There are many reasons why you would want to use password-less SSH on your Linux systems. For example, if you are a system administrator responsible for managing a lot of Linux systems, then you probably know how difficult it is to remember and supply login information for each different system. Also, some of the services on your Linux box (such as backup scripts, cron jobs, the CVS service, etc.) may require automatic logins to other systems in order to perform their tasks non-interactively. Password-less SSH configuration can help you in such situations.

Before You Start

Before getting involved with the details of the configuration, we need to cover some topics concerning the SSH protocol and related programs.
There are currently two versions of the SSH protocol in use, called SSH1 and SSH2. The SSH1 version is not widely used anymore, because the SSH1 protocol can be successfully attacked through its connection-setup protocol and is therefore no longer considered secure. The SSH2 protocol has a more robust connection-setup protocol and is also more flexible.
Additionally, there are two commonly used packages for the SSH2 protocol: a commercial version, and the open source OpenSSH version from www.openssh.org. The OpenSSH version is included with most Linux distributions and is more widely used. The rest of this document assumes that you are using OpenSSH.
Throughout this HOWTO it is assumed that you already have a working SSH service set up on your server and on your client systems. This means you can normally log in to your SSH server by providing a username and password. Although the SSH key generation process is shown in this document, this document is not meant to be a definitive guide on how to install and configure the SSH server and client programs; for such information have a look at the documentation at www.openssh.org as well as the SSH man pages.
Throughout this HOWTO, we will use the following terminology to present the technical details.
  • Server : The machine that runs the SSH server service and the one you want to log in to without a password.
  • Client : The machine that you use as a client to connect to the server.
  • Server IP : The server's IP address.
  • Client IP : The client's IP address.

Generating Your Keys
For the completeness of this HOWTO, we will start by generating the keys for the password-less SSH configuration. As mentioned before, the basis of using SSH without typing your password is public key based authentication. For this purpose, you need to generate a public/private key pair on your client system. To generate the keys on your client system, use the ssh-keygen program in a terminal as shown in Figure 1.

Figure 1 Creating Public/Private Keys
The -t option used in the above command simply tells the ssh-keygen program that you want to produce SSHv2 RSA keys. If you want to generate DSA keys, just replace rsa with dsa in the above command.
When executed, this command will prompt you for a secret passphrase. Just press the Enter key when prompted for a passphrase, which will make a key with no passphrase. With no passphrase we will be able to log in to the remote server without any passwords. However, keep in mind that using identity keys with no passphrase poses security risks and you should really think twice about it. Especially if you have many users on your client system, you should definitely apply access controls to your identity keys so that they are accessible only by you. A file permission setting of 600 on your identity keys serves this purpose.
This command will generate a pair of keys, private and public, in the .ssh directory in your home directory. For example, if you use the root user, then the keys will be generated in the /root/.ssh directory, and if you use the joe user, then the keys will be generated in the /home/joe/.ssh directory. You can identify these newly created private and public keys by the names id_rsa and id_rsa.pub. The id_rsa file is the private key and the id_rsa.pub file is the public key generated by the ssh-keygen program.

Copying Public Key to the Server
After you have created the public/private key pair on your client machine, you need to copy the newly created public key to the server. More precisely, you need to add your client's public key to the server's authorized_keys2 file. You perform this operation to inform the server about your client's public key and to enable the server to use this key to authenticate your client when a session is set up.
To copy the client's public key, named id_rsa.pub, to the server, you can use any file transfer utility available on your server, such as ftp or sftp. However, since you already have a running SSH daemon on the server, you should be able to use scp to transfer the public key to the server. Just issue the command shown in Figure 2 to transfer the key file to the server.

Figure 2 Copying Client's Public Key to SSH Server
In the above command, 192.168.0.4 is just the IP address of the SSH server. You should definitely change this IP to your server's IP address. When prompted, supply your password for the server (and hopefully this will be the last time that you enter a password for your server!).
The above transfer command simply copies your client's public key to the server under the name authorized_keys2. This will enable SSHD on the server to use your client's public key during communication. Note, however, that if you have more than one client that you want to log in from without supplying passwords, then you should add all of these clients' public keys to the server's authorized_keys2 file. For this purpose, you can simply cut and paste the clients' public keys into the authorized_keys2 file on the server, or you can use simple Linux commands to append your clients' public keys. An example of adding clients' public keys to the server's authorized_keys2 file using Linux commands is shown in Figure 3.

Figure 3 Adding Multiple Clients' Public Keys to Authorized_keys2 File using Linux commands
Certainly, you don't want normal system users to alter the server's authorized_keys2 file. Therefore, change the file permissions of this file to 600 as shown in Figure 4.

Figure 4 Setting File Permissions for the Authorized_keys2 File
After performing these operations you are done! Your server is ready to accept SSH connections from your client without requesting a password.

Testing and Using SSH without Passwords
After completing the configuration presented in the previous sections, you are now ready to test your password-less SSH login. To perform this test, just log in to your client machine with the username that you used to create the identity keys. That is, if you used the root user while creating the public/private keys, then use the root user; or if, for example, you used the joe user, then log in as the joe user.
After you log in, simply open a new shell terminal on your client box and type the ssh command to connect to the server.
This command simply requests an SSH login session from the server, and if the configuration we performed previously is correct, the server should let us log in without requesting a password. The output of the above command should be similar to that shown in Figure 5, and you should now be in a terminal on the server. You are done!

Figure 5 Password-less SSH Login
If you can't log in to the server and the server is still asking you for a password, then there is a configuration error on your SSH server. In this situation, check the steps we went through previously to verify that all the configurations are correct. In particular, be sure you have included the client's public key in the server's authorized_keys2 file and that all the permissions on the key files are correct. Also be sure you are using the same user account to log in to the server that you used to create the keys.
You can use the password-less SSH configuration for various purposes. For example, you may want your programs (such as your backup scripts) to securely copy files from one machine to another. In this case you can use this configuration to perform the desired operations. Another use arises from the need to run the same command on various machines at the same time. You can write a small script that runs the desired command on many computers using the password-less SSH configuration.
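The server-side steps from Figures 3 and 4 (appending clients' public keys to the authorized_keys2 file and setting 600 permissions) collected into a small POSIX shell helper, together with the permission check suggested under troubleshooting. This is an added example, not code from the original post: the two key lines are constructed placeholders rather than real keys, and the function names (add_authorized_key, count_keys, file_mode) are my own. It goes slightly beyond the post in one respect: a key that is already present is skipped, so re-running the script for the same client does not produce duplicate entries.

```shell
#!/bin/sh
# Added example (not from the original post): append a client's public key to a
# server-side authorized_keys2 file without duplicates, then apply the
# permissions the post recommends (600 on the file, 700 on the .ssh directory).
set -e

# Constructed sample public key lines; these are placeholders, not real keys.
CLIENT1_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-PLACEHOLDER-CLIENT1 joe@client1'
CLIENT2_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-PLACEHOLDER-CLIENT2 joe@client2'

# add_authorized_key <authorized_keys2 file> <public key line>
# Creates the file and its directory if needed, locks down permissions, and
# appends the key only if the same key material is not already present.
add_authorized_key() {
    keyfile=$1
    pubkey=$2
    dir=$(dirname "$keyfile")
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$keyfile"
    chmod 600 "$keyfile"
    # Compare on key type + base64 material (fields 1 and 2) so that a changed
    # trailing comment does not slip in as a second copy of the same key.
    material=$(printf '%s\n' "$pubkey" | awk '{print $1 " " $2}')
    if awk -v m="$material" '($1 " " $2) == m {found=1} END {exit !found}' "$keyfile"; then
        return 0   # already authorized, nothing to do
    fi
    printf '%s\n' "$pubkey" >> "$keyfile"
}

# count_keys <file>: number of non-empty, non-comment lines (one per key).
count_keys() {
    grep -c -v -e '^#' -e '^[[:space:]]*$' "$1" || true
}

# file_mode <file>: octal permission bits, e.g. 600 (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# demo: run the helper in a throwaway directory and report what it produced.
demo() {
    tmp=$(mktemp -d)
    ak="$tmp/.ssh/authorized_keys2"
    add_authorized_key "$ak" "$CLIENT1_KEY"
    add_authorized_key "$ak" "$CLIENT2_KEY"
    add_authorized_key "$ak" "$CLIENT1_KEY"   # duplicate of client 1, skipped
    echo "$(count_keys "$ak") keys in $ak, mode $(file_mode "$ak")"
    rm -rf "$tmp"
}

demo
```

On a real server you would call add_authorized_key against ~/.ssh/authorized_keys2 of the account you log in as, passing the contents of each client's id_rsa.pub. Current OpenSSH reads ~/.ssh/authorized_keys by default and still accepts authorized_keys2 alongside it, so the same helper works for either file name.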

Further Notes and Reading
Learn Security Online (LSO) would be delighted for you to send any corrections or comments you may have to emre@learnsecurityonline.com. If you really need help, LSO technicians would be delighted to help you.
For a comprehensive understanding of RSA/DSA authentication and key management, look at IBM's "Common threads: OpenSSH key management, Part 1" article. Also use the manuals available on the www.openssh.org web site for detailed information on SSH and its usage.
I would be glad to know if this post helped you.