Monday, June 9, 2008

SSH login without using passwords

How to set up ssh login from a client to a server without needing to enter a password:

This is useful when you're scripting something that needs to do an ssh command. I rarely do this since I don't have much use for it, but recently I set up Synergy between my laptop and desktop computers. Synergy doesn't have built-in security, rather, the Synergy docs suggest using ssh port forwarding for security. Mostly, security probably isn't necessary for Synergy since odds are you're already on a private network. However, at work, there are a couple of people who like to screw with others just for fun, so I set up Synergy securely. I want to have Synergy just turn on at startup and not be bothered with stopping to enter a password to access a trusted machine.

In this case, I'll call the machine running the Synergy server the "server" and the machine running the Synergy client as the "client". This is a general how-to, that is, it's not just for Synergy. You can use these instructions for any ssh command that you don't want to enter a password for.

Here are the steps:

* Note: see the problems listed below. You might save some time by running ssh-vulnkey before doing these steps.

1. On the client, create a ~/.ssh directory if you don't have one already.
2. cd ~/.ssh
3. Run ssh-keygen to create rsa and dsa keys:

ssh-keygen -t rsa
ssh-keygen -t dsa

When prompted for a passphrase, just hit Enter. I don't want to be prompted for a passphrase either.

4. Copy your keys to the server:

cat | ssh username@server 'cat >> .ssh/authorized_keys'
cat | ssh username@server 'cat >> .ssh/authorized_keys'

This appends your client keys to the existing authorized_keys file on the server, or creates the file if it doesn't already exist.

That should be all that is necessary. Try to ssh into the server, with any luck, you'll get in without entering a password.

There are potentially a few problems:

1. Permissions are too liberal on the server .ssh directory and files. Try this:

cd ~/.ssh
chmod -r 600 *

2. Your keys might be blacklisted. Run ssh-vulnkey on the client. If the output shows your keys as blacklisted, you'll need to upgrade your ssh. This is due to a known vulnerability in recent versions of OpenSSH. On Ubuntu, I just ran the update-manager and followed the instructions. You'll need to delete the id_* files you created above:

cd ~/.ssh
rm -r id_*

Then start over.

No comments: