Skip to main content

Passwordless SSH logins

There are a few cases where having passwordless access to a machine is convenient or necessary. I'm always looking up a series of commands that I can just copy and paste to do it right quick. Here they are.
  1. Generate your key pair - One of the login modes of ssh is to use a SSH key pair. A key pair is made up of both a private and a public key. The private key is kept on your local machine while your public key is what you distribute to all the machines you want to log in to. There are a few flavors of keys you can generate, rsa1 (for SSH1), dsa (SSH2), or rsa (SSH2). According to my IT guy he likes DSA. You can (and should) associate a password with your key pair, so that only you can use it even if someone else manages to gain access to your account. If you have more than one key pair, using the same password for all key pairs will make them all active at the same time. You can also vary the number of bits used for the key. The more bits you use the harder it will be to crack, but I believe at a nominal performance drop. I was recommended to use 2048 bits. Very well, 2048 bit DSA key it is. 
    ssh-keygen -t dsa -b 2048
# Type in strong password
    If for some reason you need an rsa key, you can just replace the type with the appropiate argument, -t rsa or -t rsa1. NOTE: You need to make sure the permissions of the files in this directory are set to allow read/write for the user only (-rw------- or chmod 600 *). The most important files to do this for are the authorized_keys and private keys files. Sometimes logging in will silently fail if you don't have the permissions set correctly.
  2. Copy public key to remote machine - Once you made your key pair, you should copy your public key to the remote machine preferably using an encrypted method such as scp and add it to your .ssh/authorized_keys file. You can do this with a single command. 
    cat ~/.ssh/id_dsa.pub | ssh user@remote.machine.com 'cat >> .ssh/authorized_keys'

# If you need to make a .ssh directory on the remote machine
cat ~/.ssh/id_dsa.pub | ssh user@remote.machine.com 'mkdir .ssh; cat >> .ssh/authorized_keys'
  3. SSH Agent - Now that you have a pair, you can try logging into the remote machine as you normally would. You will be prompted for your key pair password. If you left it blank when you created your keys you may simply press enter (and SHAME on you). If you press enter at this point and you had a password you will then be prompted for your remote account password. You can avoid having to do this by using ssh-agent. This will allow you to type in your password for the key pair once on a given machine and reuse it over and over again. ssh-agent stores information about your keys in the memory of that system, so if you move to another system or the machine is rebooted you will have to run ssh-agent again. ssh-agent also will output some environment variables that you can use to gain access to the keys in memory. I have a couple of aliases that help me out with this. One thing to consider is adding a time limit to how long your keys will be active in memory. If you want them to last for only a day you can add -t 86400 (those are seconds) to your ssh-agent command. 
    # For tcsh

# Activates the key pairs and stores some helper files.  Run this once per
# machine you want to log from.

alias agent 'rm -f "$HOME"/.ssh/`hostname`.agent ; ssh-agent -t 86400 | grep -v echo > "$HOME"/.ssh/`hostname`.agent ; source "$HOME"/.ssh/`hostname`.agent ; ssh-add'

# Run this in any shell after 'agent' to "activate" the keys.

alias sshagent 'if (-e "$HOME"/.ssh/`hostname`.agent) source "$HOME"/.ssh/`hostname`.agent ; endif'

# For bash

alias agent='rm -f "$HOME"/.ssh/`hostname`.agent ; ssh-agent -t 86400 | grep -v echo > "$HOME"/.ssh/`hostname`.agent ; source "$HOME"/.ssh/`hostname`.agent ; ssh-add'
alias sshagent='if [ -e "$HOME"/.ssh/`hostname`.agent ]; then source "$HOME"/.ssh/`hostname`.agent ; fi'
    Now you should simply be able to run agent once on the machine, and then sshagent once per shell. You can then log into the remote machine without having to type in a password. If your ssh agent expires (you'll know, because you'll be propted for your password), then run agent again.
  4. Root access - You can also give users the ability to log into the machine as root without having to give the root password out. Just add the users public key to list of root's authorized_keys, and then the user can log into the machine using root as the user name. 
    # Admin does
cat ~user/.ssh/id_dsa.pub | ssh root@remote.machine.com 'cat >> .ssh/authorized_keys'

# User does
agent
sshagent; ssh root@remote.machine.com

# Or by typing the key pair's password
ssh root@remote.machine.com
    It is recommended that once you have the ability to log in remotely as root with keys, you should disable password-based logins via ssh by making sure the following line is in /etc/ssh/sshd_config: 
    PermitRootLogin   without-password
Labels:

Comments

Post a Comment

https://gengwg.blogspot.com/

Popular posts from this blog

CKA Simulator Kubernetes 1.22

  https://killer.sh Pre Setup Once you've gained access to your terminal it might be wise to spend ~1 minute to setup your environment. You could set these: alias k = kubectl                         # will already be pre-configured export do = "--dry-run=client -o yaml"     # k get pod x $do export now = "--force --grace-period 0"   # k delete pod x $now Vim To make vim use 2 spaces for a tab edit ~/.vimrc to contain: set tabstop=2 set expandtab set shiftwidth=2 More setup suggestions are in the tips section .     Question 1 | Contexts Task weight: 1%   You have access to multiple clusters from your main terminal through kubectl contexts. Write all those context names into /opt/course/1/contexts . Next write a command to display the current context into /opt/course/1/context_default_kubectl.sh , the command should use kubectl . Finally write a second command doing the same thing into ...
Post a Comment
Read more

OWASP Top 10 Threats and Mitigations Exam - Single Select

Last updated 4 Aug 11 Course Title: OWASP Top 10 Threats and Mitigation Exam Questions - Single Select 1) Which of the following consequences is most likely to occur due to an injection attack? Spoofing Cross-site request forgery Denial of service   Correct Insecure direct object references 2) Your application is created using a language that does not support a clear distinction between code and data. Which vulnerability is most likely to occur in your application? Injection   Correct Insecure direct object references Failure to restrict URL access Insufficient transport layer protection 3) Which of the following scenarios is most likely to cause an injection attack? Unvalidated input is embedded in an instruction stream.   Correct Unvalidated input can be distinguished from valid instructions. A Web application does not validate a client’s access to a resource. A Web action performs an operation on behalf of the user without checkin...
2 comments
Read more