Walker News

Auto SSH Login By Using Public-key Cryptography

Auto SSH login, or password-less SSH login, replaces the legacy rlogin and rcp protocols, which have no encryption.

Password-less SSH login is therefore extremely useful when writing secure shell scripts that need to log in to a remote server automatically (non-interactively) and then initiate a file transfer or trigger other commands.
How to set up non-interactive or password-less SSH login in Linux?
An SSH server supports two modes of authentication: a remote SSH client can be authenticated with a legacy system login ID and password, or with the public-key cryptography method (which provides the non-interactive, password-less SSH login capability).

Assumption made for this example:
  • System user walker-a at Linux server WalkerNews-A needs a password-less, non-interactive SSH login to walker-b at Linux server WalkerNews-B.
     
  • Both Linux servers are running on RHEL 4 update 5 bundled with openssh-server-3.9p1-8.RHEL4.1 and openssh-clients-3.9p1-8.RHEL4.1

At WalkerNews-A Linux command prompt:
  • Execute ssh-keygen -t dsa to create a DSA public/private key pair for SSH public-key cryptography authentication.
    WalkerNews-A [/home/walker-a]$ ssh-keygen -t dsa
    Generating public/private dsa key pair.
    Enter file in which to save the key (/home/walker-a/.ssh/id_dsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/walker-a/.ssh/id_dsa.
    Your public key has been saved in /home/walker-a/.ssh/id_dsa.pub.

    First, ssh-keygen prompts for a path in which to save the generated key. Simply press the ENTER key to accept the default path.

    When prompted for a passphrase (the password that protects the private key), press ENTER again to accept the default value, i.e. empty for no passphrase. An empty passphrase leaves the private key file (id_dsa) unencrypted on disk, so anyone who can read that file can use the key. If a passphrase is entered to secure the keys, additional steps are required for password-less SSH login (I should cover this in the next post for clarity).
     
  • Now, copy the generated public key (i.e. /home/walker-a/.ssh/id_dsa.pub) to walker-b's home directory at WalkerNews-B.

At WalkerNews-B Linux command prompt:
  • Create a .ssh (hidden) directory in walker-b's home directory (if it does not already exist) and make sure the directory's access mode is set to 700. E.g.
    mkdir .ssh
    chmod 700 .ssh
  • Create a text file called authorized_keys in the $HOME/.ssh directory (if the file does not already exist) and make sure its access mode is restricted to 600. E.g.
    cd $HOME/.ssh
    touch authorized_keys
    chmod 600 authorized_keys
  • Append walker-a's public key (id_dsa.pub) to the authorized_keys file. E.g.
    cat $HOME/id_dsa.pub >> $HOME/.ssh/authorized_keys
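
The three steps above can be combined into one function that is safe to run more than once (an added example, not part of the original post; install_pubkey and mode_of are hypothetical names, and the key-type list goes beyond the DSA case shown here). It refuses a private key copied by mistake, enforces the 700/600 modes, and appends the key only if it is not already present:

```shell
#!/bin/sh
# Added example: the WalkerNews-B steps as one idempotent function.
# install_pubkey and mode_of are hypothetical helper names.
# Usage: install_pubkey PUBKEY_FILE [HOME_DIR]
install_pubkey() {
    pub=$1
    home=${2:-$HOME}
    ssh_dir=$home/.ssh
    auth=$ssh_dir/authorized_keys
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Refuse a private key (e.g. id_dsa copied over instead of id_dsa.pub).
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub holds a private key; copy the .pub file instead" >&2
        return 2
    fi

    # A public key is a single line: "<type> <base64> [comment]".
    key=$(grep -E '^(ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+( .*)?$' "$pub" | head -n 1)
    [ -n "$key" ] || { echo "$pub is not an OpenSSH public key" >&2; return 3; }

    # Create with restrictive modes whatever the caller's umask is,
    # then set 700/600 explicitly in case the paths already existed.
    ( umask 077; mkdir -p "$ssh_dir" && touch "$auth" ) || return 1
    chmod 700 "$ssh_dir" && chmod 600 "$auth" || return 1

    # Append only when the exact line is not already authorized.
    if ! grep -qxF -- "$key" "$auth"; then
        # Keep entries on separate lines if the file lacks a final newline.
        if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then echo >> "$auth"; fi
        printf '%s\n' "$key" >> "$auth"
    fi
}

# Print the permission string of a path, e.g. drwx------
mode_of() { ls -ld "$1" | cut -c1-10; }

# Demo in a throwaway directory with a constructed, non-functional key line.
demo=$(mktemp -d)
echo 'ssh-dss AAAAB3NzaC1kc3MAAACBAGNvbnN0cnVjdGVk walker-a@WalkerNews-A' > "$demo/id_dsa.pub"
install_pubkey "$demo/id_dsa.pub" "$demo"
mode_of "$demo/.ssh"
mode_of "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```

The explicit chmod matters because sshd, with its default StrictModes setting, ignores an authorized_keys file when it or the directories above it are writable by other users.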

Now, back at walker-a on WalkerNews-A, each subsequent ssh or scp connection initiated from here to walker-b at WalkerNews-B is authenticated automatically via public-key cryptography, i.e. without having to enter a password interactively.

For example, log in as walker-a at WalkerNews-A and execute these at the Linux command prompt:
  • ssh walker-b@WalkerNews-B logs in automatically as walker-b at WalkerNews-B, without entering a password. (The insecure legacy protocol for this task is rlogin.)

  • scp sourcefile walker-b@WalkerNews-B:temp/new.log automatically transfers sourcefile to walker-b's $HOME/temp directory and saves it under the new file name new.log. (The insecure legacy protocol for this task is rcp.)

If you would like to troubleshoot or understand the SSH public-key cryptography authentication process, specify the verbose option (-v) in the ssh command:

ssh -v walker-b@WalkerNews-B


  1. Where Does Putty Keeps SSH Host Key Fingerprint In Windows Registry? – Walker News 21-07-08@00:39

    […] connecting to remote SSH server for the first time, Putty suite will prompt user to acknowledge acceptance of the remote […]

  2. Now I Can SSH To Gmail Server And Read Email In Text Terminal! – Walker News 23-11-08@21:39

    […] the first time, you can now make a SSH connection to Gmail server and read email in text console, if you are never happy with the graphical user […]

  3. pradeep singh 07-03-09@17:30

    I am doing RHCSS

  4. How To Fix “Server Refused Our Key” Error That Caused By Putty Generated RSA Public Key? 22-03-09@16:16

    […] 22 Mar 2009 16:16 The SSH-2 protocol supports few user authentication types, one of which is public-key cryptography. Other than security benefit, using public-key cryptography in SSH protocol is relatively easier […]
