set up ssh for no remote password login

Passwords are not particularly secure. It’s hard to make, remember, and use one that is hard for programs to guess. Therefore, people who care about security frequently use a package called OpenSSH for logging into remote hosts to work, instead of telnet. On Windows machines this usually means using a program called ‘putty‘ instead of telnet (or other programs that speak the telnet protocol), but if you use putty you should probably follow the putty directions here, because they’re different from the instructions for MacOSX or unix clients generally. I’m writing this page because a couple of people I’ve worked with have asked me how to do this; hopefully it will benefit others as well.

This is called ‘public key authentication,’ and the first thing we’ll need is a key pair. The two parts of a keypair are the ‘public’ key and the ‘private’ key. The private key should stay on your local machine (the one you log in from) at all times and never be copied anywhere; the public key is what you put onto remote servers. Anyone holding the private key can log in as you wherever the public key is installed, so it is the part to protect.

To generate the keypair, run this command on your local machine:

ssh-keygen -t rsa

This will generate a keypair for you to use with an algorithm called RSA, which is one of the key types that SSH accepts for public key authentication; the other one this page was written around is DSA, which modern OpenSSH has disabled by default since version 7.0 because of its fixed 1024-bit key size, while Ed25519 keys (“ssh-keygen -t ed25519”) have been available since OpenSSH 6.5 and are the usual choice today. For heavy-duty secure use, you should look into the different key types and key sizes, but for general use you can just accept the default. By default ssh-keygen writes the private key to ~/.ssh/id_rsa and the public key to ~/.ssh/id_rsa.pub, and asks you for a pass phrase that encrypts the private key on disk.

If you don’t enter a pass phrase here, you will be able to log into remote hosts from your local host without entering any sort of password. Unfortunately, this means that the only security on the accounts is your ability to keep people from getting copies of the private key file, and if someone is logged in as you, they can access your remote accounts. This is usually regarded as highly bad, but some people take that risk for convenience’s sake (or optimism.)

One important step to securing things is to remove others’ permission to read and write your key files. Assuming that they were created in the directory ~/.ssh, execute this command:

chmod -R go-rwx ~/.ssh

This will make sure that other people on your machine can’t get at the private key without first obtaining your credentials in some fashion. ssh enforces this too: if it finds a private key file that is readable by group or others, it prints an “UNPROTECTED PRIVATE KEY FILE” warning and refuses to use that key.

Next up, log into your remote machine and make a directory for ssh to store its keys in. For the sake of clarity, each command below says whether it is to be executed on the local or the remote machine. On the remote machine:

mkdir -p ~/.ssh

After that, copy the public key (not the private key) from your local machine to the remote machine. Note that this overwrites any authorized_keys file that is already there, so only do it this way on a fresh account; on the local machine:

scp ~/.ssh/id_rsa.pub yourloginname@yourdomain.com:.ssh/authorized_keys

Most OpenSSH installations also ship a script, ssh-copy-id, that does this whole step (creates ~/.ssh, appends the key, and fixes the permissions) in one go: “ssh-copy-id yourloginname@yourdomain.com”.

Then make the files readable only by you on the remote server. This is not just tidiness: with its default StrictModes setting, sshd silently ignores authorized_keys if that file, ~/.ssh, or your home directory is writable by group or others, and you will be prompted for your password as if the key were not there. On the remote machine:

chmod -R go-rwx ~/.ssh

If you end up needing to authorize multiple machines to log into a remote machine, make a keypair on each of the machines, and then copy all the public keys into one big long file; authorized_keys is simply one public key per line. The way I do this is to copy all of the public keys to the remote machine, and then cat them together on the remote machine to make an authorized_keys file.

So, on each local machine, do:

scp ~/.ssh/id_rsa.pub yourloginname@yourdomain.com:.ssh/id_rsa_pub_machinename

Then, on the remote machine, cat the files together into the authorized_keys file (use “>>” instead of “>” if you want to keep keys that are already in it) and secure the directory:

cat ~/.ssh/id_rsa_pub_* > ~/.ssh/authorized_keys

chmod -R go-rwx ~/.ssh

Then you should be able to log into the remote machine by entering just the passphrase of your local key and not the remote password. If you left the passphrase empty, you’ll be able to log on using ssh with no prompt at all; only the two files in the keypair will be used to authenticate you. If you are still asked for the remote password, run “ssh -v yourloginname@yourdomain.com” and check the output for the key being offered and for permission problems on the remote files.
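The steps above, gathered into one script as an added example (this is not code from the original page). The key path, the remote name yourloginname@yourdomain.com, and the file names below are assumptions; merge_authorized_keys and perms_ok work on local files and need nothing but a POSIX shell, while ensure_keypair and install_remote call ssh-keygen and ssh and so need a real key and a reachable host. The difference from the bare scp on this page is that the merge step appends only keys that are not already present, so re-running it never clobbers or duplicates anything.

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical paths and host names.
set -eu

# Generate a keypair if none exists yet (ssh-keygen prompts for a passphrase),
# then lock down the whole ~/.ssh directory as the text describes.
ensure_keypair() {
    key="${1:-$HOME/.ssh/id_rsa}"
    if [ ! -f "$key" ]; then
        mkdir -p "$(dirname "$key")"
        ssh-keygen -t rsa -f "$key"
    fi
    chmod -R go-rwx "$(dirname "$key")"
}

# Append every public key found in the given .pub files to an authorized_keys
# file, skipping blank lines, comments and keys already present (exact line
# match). Sets the permissions sshd's StrictModes expects. Prints the number
# of keys actually added.
merge_authorized_keys() {
    dest="$1"; shift
    mkdir -p "$(dirname "$dest")"
    touch "$dest"
    added=0
    for pub in "$@"; do
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                ''|'#'*) continue ;;
            esac
            if ! grep -qxF -- "$line" "$dest"; then
                printf '%s\n' "$line" >> "$dest"
                added=$((added + 1))
            fi
        done < "$pub"
    done
    chmod 700 "$(dirname "$dest")"
    chmod 600 "$dest"
    echo "$added"
}

# Return 0 if a file or directory is neither group- nor world-writable
# (what sshd's StrictModes requires of ~, ~/.ssh and authorized_keys),
# 1 otherwise. Uses ls -ld so it is portable across GNU and BSD stat.
perms_ok() {
    mode="$(ls -ld "$1" | cut -c1-10)"
    case "$mode" in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# Install the local public key on a remote host over the existing password
# login, appending rather than overwriting ~/.ssh/authorized_keys there.
# umask 077 makes the directory and file private as they are created.
install_remote() {
    remote="$1"; pub="${2:-$HOME/.ssh/id_rsa.pub}"
    ssh "$remote" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys' < "$pub"
}

# Typical use (hypothetical host):
#   ensure_keypair
#   install_remote yourloginname@yourdomain.com
#   ssh yourloginname@yourdomain.com   # should now ask for the passphrase only
```

For the multiple-machine case, copy each machine’s id_rsa.pub to the remote host under a distinct name as the text describes and then run merge_authorized_keys ~/.ssh/authorized_keys ~/.ssh/id_rsa_pub_* there; the function is idempotent, so you can run it again whenever a new machine is added.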

There is a way to get ssh working so you only have to enter your passphrase once per session: you do this by using ‘ssh-agent,’ and instructions on how to do so are available here. For Windows, putty has its own agent (pageant) with its own instructions, and on MacOSX a program that integrates all of this into the Mac’s platform security is SSHKeychain. Most problems with ssh-agent are because the environment variables it relies on (SSH_AUTH_SOCK and SSH_AGENT_PID) aren’t set in the shell you run ssh from. ssh-agent prints the commands that set them, and your current shell has to evaluate that output: if you’re running tcsh or csh, start it with “eval `ssh-agent -c`” (including the backquotes); if you’re using bash or zsh, start it with “eval "$(ssh-agent -s)”” (or “ssh-agent bash”, which starts a new shell with the variables already set). Then load your key into the agent with “ssh-add”, and check it is there with “ssh-add -l”. If you’re using MacOSX, the default shell is bash (zsh on recent versions, which takes the same syntax). If you have no idea which shell you’re in, type “echo $SHELL” or “ps -p $$”.
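Because the usual failure is the environment rather than the agent, here is a small diagnostic, added as an example (not from the original page), that reports which of the three things is wrong before you start ssh-add: the variable was never exported to this shell, it points at a socket that no longer exists (a stale value from an old session), or the socket is there but the agent process has gone. The return codes and messages are my own convention, and start_agent assumes ssh-agent and ssh-add are on the path.

```shell
#!/bin/sh
# Added example, not from the original post.
set -u

# Explain why ssh cannot reach the agent. Returns:
#   0  agent reachable
#   1  SSH_AUTH_SOCK unset (agent not started, or started without eval /
#      in a subshell that has since exited)
#   2  SSH_AUTH_SOCK set but the socket is gone (stale variable)
#   3  socket present but the agent process listed in SSH_AGENT_PID is dead
check_agent_env() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "SSH_AUTH_SOCK is not set: start the agent with eval so it lands in this shell"
        return 1
    fi
    if [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK is not a socket: stale value, start a new agent"
        return 2
    fi
    if [ -n "${SSH_AGENT_PID:-}" ] && ! kill -0 "$SSH_AGENT_PID" 2>/dev/null; then
        echo "agent pid $SSH_AGENT_PID is not running: start a new agent"
        return 3
    fi
    echo "agent reachable at $SSH_AUTH_SOCK"
    return 0
}

# Start an agent in the *current* shell (sh/bash/zsh: -s prints Bourne-style
# export statements) and load the key. csh/tcsh users use eval `ssh-agent -c`.
start_agent() {
    eval "$(ssh-agent -s)" > /dev/null
    ssh-add "${1:-$HOME/.ssh/id_rsa}"
}

# Typical use:
#   check_agent_env || start_agent
```

Running the check in a fresh terminal that still fails after eval usually means a shell startup file sets SSH_AUTH_SOCK to a fixed path for some other tool; the message from case 2 points straight at that value.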

Anyway, that’s how I set it up to work, and hope this works for you. If you have any questions, contact me.