Tuesday, March 2, 2010

SSH login to remote servers without password.

Hello guys, this time I am giving you a how-to for logging into a remote server/desktop without being prompted for a password.

SSH, or Secure Shell, is a program that allows you to log into a remote machine over a network and execute commands. It also allows you to move files from one computer to another. All communication, including password transmission, is highly encrypted. Hence it can be used for secure communication over insecure channels. It protects a network from attacks like DNS spoofing, IP spoofing and IP source routing. That's the reason why SSH has effectively replaced older remote login protocols like rlogin, rsh, rcp, telnet etc.

When you log in with SSH, the entire communication, including password transmission, is encrypted. SSH uses 3DES, Blowfish, AES and arcfour as encryption algorithms, so it is virtually impossible for a hacker to eavesdrop on your password. Here I will describe how to create a secure communication channel between two servers and enable password-less login between them. This is quite useful when scripts log into remote machines and execute commands: you don't have to store the remote machine's password in the script, and it is also quite annoying to type in the password every time you log in to the remote machine via SSH.


I guess you have installed the 'openssh' package on all the machines!!!

Step 1: Generate ssh keys.

Here I am going to use RSA instead of the older DSA method.
Now log into your server, for example node1, as the user for whom you wish to set up the password-less SSH connection. This is important: you have to create keys for every user for whom you wish to set up a password-less SSH connection. Although it may sound crazy, I am going to use the 'root' user as the example here.
To generate the cryptographic keys:

# ssh-keygen -t rsa

This will ask you for a passphrase. But what we need here is password-less entry, or secure password-less remote command execution, so we are not specifying any passphrase. Just leave it blank.
Sample output:

Enter the file in which you want to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter the same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.


Remember, we are not giving any passphrase!!!
As shown in the sample output, this will create two files in the ~/.ssh directory:

1. ~/.ssh/id_rsa: which is your private key.
2. ~/.ssh/id_rsa.pub: which is your public key.

Now, to simplify the process, we can copy the entire contents of the .ssh directory to the trusted remote servers. This will make the communication between these servers password-less and completely encrypted.


Step 2: Copy the contents of the .ssh directory to the remote server.
To copy files you can use the scp command as follows:

# scp -r path-to-file user@hostname:path-to-file

Here we have to copy the public key to the file authorized_keys2 in the .ssh directory, so:
# scp -r ~/.ssh/* root@node2:~/.ssh/

Now you will be asked for the remote server's password. Type it in and the entire folder will be copied to the remote server 'node2'.

Login to the remote server and make sure that the permissions are set correctly.

# ssh root@node2

The first time, you may be asked to type in the password. Don't worry about that.

The private key should have permission set to '0400' and should be readable to 'root' only.

# cd ~/.ssh/
# chown root:root ./id_rsa
# chmod 0400 ./id_rsa

Check these permission settings on all the servers. It is very important!!!!!

Yes, you are done. Now you can ssh to remote servers and execute commands without using a password. This is highly useful when using scripts for taking remote backups.


However, this method is not recommended for mission-critical servers holding sensitive information, because we are not using a passphrase for the connection. But there is a workaround for this too. We can use an application called 'keychain' for securely storing the passphrase. This will further enhance the security. I will give you a how-to for this highly secure ssh communication using keychain in my next post!!!

NOTE:
Here I have created the private and public key pair for the user root. If you want password-less access for other users, you should repeat the steps above for each user. That is, you have to create the public/private key pair and 'append' the content of the public key to the authorized_keys2 file on the remote server.
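
The append described in the note, together with the permission check from Step 2, as an added shell example that is not part of the original post: `install_pubkey` adds only the public key line to an authorized_keys2 file, and `audit_private_keys` lists private keys whose mode is looser than owner-only. The function names and the fake key material in the demo are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are assumptions.

# mode_of FILE: octal permission bits (GNU stat first, BSD stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# install_pubkey PUBKEY_FILE SSH_DIR [AUTH_NAME]
# Append a public key to SSH_DIR/AUTH_NAME (default: authorized_keys2, the
# name used in the post) unless that exact line is already present.
install_pubkey() {
    pub=$1; dir=$2; auth="$dir/${3:-authorized_keys2}"
    [ -s "$pub" ] || { echo "empty or missing: $pub" >&2; return 1; }
    # Never let a private key end up in the authorized keys file.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub is a private key" >&2; return 1
    fi
    # Directory 700 and file 600: not writable by group or other.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # -x whole line, -F fixed string: a rerun adds nothing.
    grep -qxF -- "$(cat "$pub")" "$auth" || cat "$pub" >> "$auth"
}

# audit_private_keys SSH_DIR
# List private keys whose mode is not 0400 or 0600; return 1 if any exist.
audit_private_keys() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -q 'PRIVATE KEY' "$f" 2>/dev/null || continue
        m=$(mode_of "$f")
        case $m in
            400|600) ;;
            *) echo "$f has mode $m"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Demo on constructed (fake) key material: sh thisfile demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    echo 'ssh-rsa AAAAB3CONSTRUCTED root@node1' > "$d/id_rsa.pub"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' > "$d/id_rsa"
    chmod 644 "$d/id_rsa"
    install_pubkey "$d/id_rsa.pub" "$d/remote" && cat "$d/remote/authorized_keys2"
    audit_private_keys "$d" || echo "fix with: chmod 0400 <key>"
    rm -rf "$d"
fi
```
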

Cheers,
JK
