iamjerryyeung

Friday, February 17, 2006

ssh no password

http://www.emsei.psu.edu/ecf/alt/general/ssh.html

Example
Let's say you want to run a remote command on the machine "beta" from the machine "alpha" without supplying a password. Instead of authenticating using a password, you can use the command ssh-keygen to create a pair of public and private keys that can be used for authentication.



The first step is to create a set of public and private keys that uniquely identify your userid on "alpha". Log into alpha and run the command:
alpha% ssh-keygen -t rsa -N ''

(This command can take a long time to run on some machines.) When it asks which file you would like to save your key in, you can just press return to accept the default location. This will create two files on alpha:

alpha% ls -l /home/woods/.ssh/id*
-rw------- 1 woods woods 530 Feb 8 18:13 /home/woods/.ssh/id_rsa
-rw-rw-r-- 1 woods woods 334 Feb 8 18:13 /home/woods/.ssh/id_rsa.pub
The id_rsa file contains the private key (note that it is not world or group readable) that represents your identity on that particular machine. The private key should never be transferred from the machine or have its modes changed. The id_rsa.pub file is the public key, which is world-readable. ssh and other programs can use this key to encrypt messages that only you can decrypt using the private key.
The -N '' argument to ssh-keygen specifies that there should be no passphrase (password) associated with these keys. Keys can have passphrases just as accounts have passwords, but that would defeat the purpose here.


The next step is to give alpha's public key to beta, and tell beta that alpha is authorized to run remote commands using RSA authentication.
You do this by appending the contents of alpha's id_rsa.pub (not id_rsa!) to a file called authorized_keys2 in your .ssh directory on beta:

beta% cd ~/.ssh
beta% ssh alpha 'cat .ssh/id_rsa.pub' >> authorized_keys2
alpha's public key is now in the authorized_keys2 file on beta, telling beta that alpha is authorized to use RSA authentication to log in.
By the way, it's fine to have more than one key in the authorized_keys2 file, in case you need more than one host to be able to do RSA authentication to beta.


The last step is to make sure the authorized_keys2 file on beta has mode 600. This ensures that no one else can view this file.
beta% chmod 600 authorized_keys2
beta% ls -l authorized_keys2
-rw------- 1 woods woods 662 Feb 8 18:04 .ssh/authorized_keys2
The first command removes all of the bits for "group" and "world" permissions, making
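
A check for the end state of the three steps above, as an added example that is not part of the original page: it audits a .ssh directory for the mode 600 requirement on id_rsa and authorized_keys2, and for a private key pasted into authorized_keys2 by mistake. The function names (perms, audit_ssh_dir, make_sample_dir) are hypothetical, and the sample directory is constructed with placeholder contents.

```shell
#!/bin/sh
# Added example (not from the original page): audit a .ssh directory for the
# file modes and key placement the steps above call for.

# perms FILE: print the group and world permission characters from "ls -l",
# e.g. "------" for mode 600 or "rw-r--" for mode 664.
perms() { ls -ld "$1" | cut -c5-10; }

# audit_ssh_dir DIR: print one FINDING line per problem; return 1 if any.
audit_ssh_dir() {
    dir=$1
    bad=0
    # The private key and authorized_keys2 should both be mode 600.
    for f in "$dir/id_rsa" "$dir/authorized_keys2"; do
        [ -e "$f" ] || continue
        if [ "$(perms "$f")" != "------" ]; then
            echo "FINDING: $f has group/world permissions ($(perms "$f")); expected mode 600"
            bad=1
        fi
    done
    # Only id_rsa.pub belongs in authorized_keys2, never id_rsa itself.
    if [ -f "$dir/authorized_keys2" ] &&
       grep -q 'PRIVATE KEY' "$dir/authorized_keys2"; then
        echo "FINDING: $dir/authorized_keys2 contains private key material"
        bad=1
    fi
    return "$bad"
}

# make_sample_dir GOOD|BAD: build a constructed .ssh directory (placeholder
# contents, no real keys) and print its path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    echo 'CONSTRUCTED PLACEHOLDER' > "$d/id_rsa"
    echo 'ssh-rsa CONSTRUCTED-PLACEHOLDER woods@alpha' > "$d/authorized_keys2"
    if [ "$1" = BAD ]; then
        chmod 644 "$d/id_rsa"; chmod 664 "$d/authorized_keys2"
        echo '-----BEGIN RSA PRIVATE KEY-----' >> "$d/authorized_keys2"
    else
        chmod 600 "$d/id_rsa" "$d/authorized_keys2"
    fi
    echo "$d"
}

# Demonstration on the constructed BAD directory.
sample=$(make_sample_dir BAD)
audit_ssh_dir "$sample" || echo "audit failed for $sample"
rm -rf "$sample"
```

To audit a real account, call audit_ssh_dir "$HOME/.ssh" on both alpha and beta.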
