Logging into a unix box without a password
From time to time I need to allow one user to log into another machine without being prompted for a password. This is extremely useful for anything that is automated for example doing the nightly backup which copies files across the network or running commands on the other machines. ssh is the program that allows one to login over and encrypted channel but it doesn’t allow you to specify the password on the command line as it would be a huge security risk.
We are going to set up a relationship between 2 computers using a public/private pass key. For the example below we’ll use 2 machines called william and catherine.
- Ensure you have OpenSSH installed:
yum install openssh
- Open a command line session on william.
- To make life a little easier for ourselves login to catherine using ssh, accept the key fingerprint and then exit straight away.
[root@william ~]# ssh root@catherine The authenticity of host 'catherine (10.0.0.69)' can't be established. RSA key fingerprint is 3b:4f:1f:cb:44:56:9b:7f:96:a6:6a:c2:d6:bc:a6:df. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'catherine' (RSA) to the list of known hosts. root@catherine 's password: Last login: Thu Aug 9 16:18:35 2012 from catherine [root@catherine ~]# exit logout Connection to catherine closed. [root@william ~]#
This will set up the~/.ssh
folder with the correct permissions and also will create a file in there calledknown_hosts
. This file contains the key fingerprints for catherine. If we talk to other hosts later, then they will get added here too. Do the same from catherine to make sure all the folders are set up correctly on that side too. - Generate a public and private key pair and save them to
william.pub
andwilliam
respectively.ssh-keygen -t dsa -f william -N ""
giving the result:Generating public/private dsa key pair. Your identification has been saved in william. Your public key has been saved in william.pub. The key fingerprint is: 48:2f:e6:bf:02:7e:2e:d2:b0:9a:1f:c6:7f:99:92:93 root@william The key's randomart image is: +--[ DSA 1024]----+ | | | . | | o + | | . = | | S . | | o. . . | | o == . . | | E *o.o + . | | o*o...o o. | +-----------------+
Note: The -N option allows you to specify a passphrase. If you do then each time you need to use the public key you’ll have to enter the passphrase in order to decrypt it for use. Using an extra passphrase here will mean we won’t be able to make it automatic and our dreams of automating our backups will be gone :( - Now that we have the keys for william we’ll transfer the public key over to catherine.
scp william.pub root@catherine:~/.ssh/
whenwilliam.pub
arrives on catherine it’ll look something like:ssh-dss AAAAB3N……f1Jew== root@william
make sure that the last part (root@william) is accessible i.e. can you ping william from catherine. If you can’t then you can edit the william.pub file and change it toroot@10.0.0.1
where 10.0.0.1 is the IP address or name of william. - catherine must have a file containing all the public keys that it is authorised to use. This file is called
~root/.ssh/authorized_keys
so addwilliam.pub
to the end of it.cat william.pub >> authorized_keys
or if you have lots to do:cat *.pub > authorized_keys
ssh -i william root@catherineIf you don’t want to specify the local private file on the command line all the time you can rename
william
to the default name of id_dsa
:
mv william id_dsathen try to login:
ssh root@cathrine
No feedback yet
Form is loading...