SSH Private-Public Key Pair Login
Most people would agree that SSH is the most widely used remote access protocol on Linux-based operating systems. The main reasons for its popularity are that it encrypts the whole session, supports many encryption algorithms, and supports key-based authentication in addition to passwords.
Several remote file transfer tools rely on SSH for protection, such as SCP, SFTP and rsync. Among them, rsync is very popular for taking backups. But because rsync to a remote host runs over SSH, and SSH prompts for a password, the backup process cannot be automated with the default settings. This is where the private-public key pair saves the day: with a key pair, it is possible to SSH to a remote host without typing a password.
The methodology is pretty simple.
- HostA generates a private and public key pair.
- While generating the pair, no passphrases are used because the objective is to enable SSH without passwords.
- HostA shares the public key with HostB.
- When HostA tries to connect to HostB using ssh, HostA proves that it holds the private key stored on HostA (by signing a challenge with it). HostB verifies this proof against the previously shared public key stored on HostB.
- If everything goes fine, a user from HostA is able to connect to HostB.
Objective:
The root user at host firefly (192.168.1.3) should be able to log in to host spider (192.168.1.2) using SSH without providing a password.
Phase 1:
root@firefly:~# ssh-keygen -t rsa
DSA or RSA can be used, but RSA is more secure. The configuration of RSA and DSA is identical (only the file name differs).
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Here, we have entered a blank passphrase because we want to enable SSH login without passwords. This also means that anyone who can read id_rsa can log in as root on spider, so the private key file must be protected as carefully as a password.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
56:0c:7b:b1:9d:7c:2b:db:d6:27:7b:6b:94:e1:b9:cf root@firefly
The key's randomart image is:
+--[ RSA 2048]----+
| . . |
| + = . |
| . = + . |
| o . o |
| S . o +|
| . + * |
| . = +|
| . *o|
| ooE|
+-----------------+
The pair of keys is now generated. The private key is named id_rsa and the public key is id_rsa.pub.
root@firefly:~# ls -l /root/.ssh/
total 20
-rw------- 1 root root 1679 Dec 21 18:57 id_rsa
-rw-r--r-- 1 root root 394 Dec 21 18:57 id_rsa.pub
-rw-r--r-- 1 root root 1326 Dec 20 11:12 known_hosts
One thing should be kept in mind: SSH is very strict about file ownership and permissions. Make sure they are set as shown above. In particular, the private key id_rsa must be readable only by its owner (mode 0600), otherwise ssh will refuse to use it.
Phase 2:
Now, the id_rsa.pub file needs to be shared with the host spider.
root@firefly:~# ssh-copy-id -i .ssh/id_rsa.pub root@192.168.1.2
root@192.168.1.2's password:
Now try logging into the machine, with "ssh 'root@192.168.1.2'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
During this process, the following happens:
- The content of the file id_rsa.pub is transferred to spider (192.168.1.2).
- The content is stored in the file ~/.ssh/authorized_keys on spider.
- Any time a public key is shared this way, it is appended to the file authorized_keys (one key per line).
Time to check whether it works or not.
root@firefly:~# ssh 192.168.1.2
Linux spider 2.6.32-5-686 #1 SMP Mon Jun 13 04:13:06 UTC 2011 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Dec 21 16:15:41 2011 from 192.168.1.3
root@spider:~#
Well, guess what? It works :)
One last thing: as stated earlier, SSH is very strict about ownership and permissions, so make sure they are correct on spider as well. The .ssh directory and authorized_keys must not be writable by anyone but the owner; otherwise sshd (with the default StrictModes setting) ignores the key and falls back to asking for a password.
root@spider:~# ls -l .ssh/
total 16
-rw------- 1 root root 394 Dec 21 18:58 authorized_keys
-rw-r--r-- 1 root root 2210 Dec 20 12:21 known_hosts
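The two mechanics above (how ssh-copy-id appends a key to authorized_keys, and the ownership and permission rules that ssh and sshd enforce) can be reproduced locally. The script below is an added example, not part of the original post or of OpenSSH: it installs a public key into a target home directory exactly once, optionally prefixed with authorized_keys options such as from="192.168.1.3",no-pty so that a passphrase-less backup key only works from the backup host, and then audits the directory against the modes shown in the listings. It assumes GNU stat (as on Debian) and a single-line public key file; the directory paths it creates under mktemp are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): emulate ssh-copy-id's append step
# and audit the .ssh permissions that OpenSSH requires.
# Assumes GNU coreutils stat (-c '%a'); all paths used in demo() are constructed.

# install_pubkey PUBKEY_FILE TARGET_HOME [OPTIONS]
# Appends the (single-line) key to TARGET_HOME/.ssh/authorized_keys unless that
# exact line is already present, creating the directory and file with strict modes.
# OPTIONS is an optional authorized_keys option string, e.g. 'from="192.168.1.3",no-pty'.
install_pubkey() {
    pubkey_file=$1
    target_home=$2
    options=${3:-}
    ssh_dir="$target_home/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"

    key_line=$(cat "$pubkey_file")
    if [ -n "$options" ]; then
        key_line="$options $key_line"
    fi

    # -q quiet, -x whole line, -F fixed string: skip if this exact line exists
    if grep -qxF -- "$key_line" "$auth_file"; then
        echo "key already present in $auth_file"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "key appended to $auth_file"
}

# audit_ssh_dir HOME_DIR
# Returns 0 when HOME_DIR/.ssh matches the layout shown in the listings:
#   .ssh            -> 700  (sshd StrictModes rejects group/world-writable dirs)
#   id_*  (private) -> 600 or 400 (ssh refuses a key readable by others)
#   authorized_keys -> 600 or 644 (must not be writable by others)
# Prints every violation and returns 1 if any is found.
audit_ssh_dir() {
    home_dir=$1
    ssh_dir="$home_dir/.ssh"
    rc=0

    mode=$(stat -c '%a' "$ssh_dir") || return 1
    case "$mode" in
        700) ;;
        *) echo "BAD: $ssh_dir is mode $mode, expected 700"; rc=1 ;;
    esac

    for f in "$ssh_dir"/id_*; do
        [ -e "$f" ] || continue            # no match: glob left as-is
        case "$f" in *.pub) continue ;; esac   # public halves may be world-readable
        mode=$(stat -c '%a' "$f")
        case "$mode" in
            600|400) ;;
            *) echo "BAD: private key $f is mode $mode, expected 600"; rc=1 ;;
        esac
    done

    if [ -e "$ssh_dir/authorized_keys" ]; then
        mode=$(stat -c '%a' "$ssh_dir/authorized_keys")
        case "$mode" in
            600|644) ;;
            *) echo "BAD: authorized_keys is mode $mode, expected 600"; rc=1 ;;
        esac
    fi
    return $rc
}

# demo: constructed key and home directory under a temp dir, removed afterwards
demo() {
    tmp=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedkey root@firefly\n' > "$tmp/id_rsa.pub"
    install_pubkey "$tmp/id_rsa.pub" "$tmp/home" 'from="192.168.1.3",no-pty'
    install_pubkey "$tmp/id_rsa.pub" "$tmp/home" 'from="192.168.1.3",no-pty'   # second run: no duplicate
    audit_ssh_dir "$tmp/home" && echo "permissions OK"
    rm -rf "$tmp"
}
demo
```

Running the script prints "key appended", then "key already present" for the second call, then "permissions OK"; if you chmod 644 a private key inside the audited directory, audit_ssh_dir reports it and returns 1, which is the same condition that makes ssh on firefly refuse the key.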
Hope it helps. ^_^