ssh, scp without password to remote host (Look Ma, no Password !)

12053

Here I’m, back again on SSH stuff, as you can see from my previous posts (search blogger name = “ben”) OpenSSL and SSH stuff is very interesting and useful for me, so I wrote down a lot of notes on them, this time I’ll show you how to connect to an SSH host without password input.

Yeah, I know, there’re a lot of folks all around explaining you how to do that but I promise to make it easy ‘n’ dirty, without hassling you too much, just the basic steps for connecting to your remote host and make it working.

What would you do with this tutorial ? for example:

  • you can ssh to your remote host without requiring a password, this is safe and secure (it uses SSH public/private keys) until you keep your private keys for yourself. A quite recurring task if you’ve a lot of machines to manage
  • Copy files from an host to another, not only as utility but even for basic administration task, if you manage a network you know what I mean
  • Grant someone access to certain hosts for his job (be careful ok ?)
  • Use all the other SSL suite across hosts, this is not only for ssh or scp, all SSL suite is involved, look at my articles on SSH port forwarding for example, there are a lot of them (blogger: ben)
  • Impress your boss or whatever you’d like


Ok, let’s get started

Let’s assume you’ve two hosts:
mylocal – the host from where you want to connect
myremote – the host where you want to connect to

 

1) From mylocal create an ssh rsa key pair for host validation, here’s how: 

mylocal:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx user@mylocal
The key's randomart image is:
+--[ RSA 2048]----+
....
+-----------------+

2) Now you need to copy the public key to your remote host, do NOT copy the private key, obviously use scp to do this

mylocal:~# scp ~/.ssh/id_rsa.pub myremote:~
Password:
id_rsa.pub 100% 391 0.4KB/s 00:00

so now you’ve your public key copied fine, let’s connect to remote host now

 

3) Connect to your remote machine (myremote)

mylocal:~# ssh root@myremote (root or your remote username)
Password:
Last login: Wed May xx xx:xx:xx xxxx 2009 from mylocal on ssh
myremote ~ #

4) Check out .ssh stuff, if .ssh dir doesn’t exist you need to create it

myremote ~ # ls -la ~/.ssh
ls: cannot access /root/.ssh: No such file or directory

If you get something like this you need to create the dir, so:

myremote ~ # mkdir .ssh
myremote ~ # chmod 700 .ssh

5) Now copy your ssh public key into authorized keys file and delete it when finished, so:

myremote ~ # cat ~/id_rsa.pub >> .ssh/authorized_keys
myremote ~ # chmod 600 .ssh/authorized_keys
myremote ~ # rm id_rsa.pub

NOTE: If you’ve a Debian remote host you MUST use this instead:

myremote ~ # cat ~/id_rsa.pub >> .ssh/authorized_keys2
myremote ~ # chmod 600 .ssh/authorized_keys2
myremote ~ # rm id_rsa.pub

First row is used for all major distros (Gentoo in my real example), Debian users must use the second one, check your ssh man page for details on your setup (first is the most common case)

6) FINAL TEST
Ok let’s go back to our local host and try to make something to see what happens:

mylocal:~# scp example.file root@myremote:/tmp/
example.file 100% 169 0.2KB/s 00:00
mylocal:~# ssh root@myremote
Last login: Wed May xx xx:xx:xx xxxx 2009 from mylocal on ssh
myremote ~ # ls -la /tmp/example.file
total 1
-rwxr-xr-x 1 root root 169 May xx xx:xx example.file

Did you see it ? I’ll hope so.
As you can see you can copy or connect to host without supplying passwds

Note (read)

Sometimes additional configurations are requested on remote ssh daemon, this may vary from your distro setup and basic security configuration, if final test failed you’ll probably have PublicAuthentication or RSA disabled.
In this case you need to change them, don’t worry it doesn’t affect or lower your current security, tipically this change is done by editing /etc/ssh/sshd_config file, you need root access for it.
sshd_config path may vary between different distro even it’s the most common name

To get the correct configuration, see that the following attributes are set (not commented or set to “no”) in your sshd_config file

RSAAuthentication    yes
PubkeyAuthentication yes

If you change sshd_config file with these values you need to restart ssh daemon (something like: /etc/init.d/sshd restart)

 

Hope it helps someone
Let me know if you need help or further suggestions
Andrea Benini Ben