This is pretty old news, but SSH can use keys instead of passwords to log you in. This can make life a lot easier, especially when you need to connect to a lot of different SSH servers. It can also improve security, as users won't be scribbling passwords down. On top of this, it's pretty easy to set up as well:
local$ ssh-keygen -trsa
This will ask where you want to save the file; just press enter to accept the default, /home/username/.ssh/id_rsa. It will then ask for a passphrase. DON'T LEAVE THE PASSPHRASE BLANK! There are a lot of howtos floating about suggesting that you use blank passphrases; in 99% of cases this is really stupid. With a blank passphrase, ANYONE who gets hold of that key file can use it to log in to ANY of the servers that will accept it without being asked for any authentication. You may want to use it for a script so you don't have to leave your password in a script somewhere, but there are ways around this, like using ssh-agent (more on that later). Put in a passphrase. This can be anything: think of a line from a random song and change it a bit, whatever works for you. Length beats complexity! (Google for password complexity vs length and see why, or read this.) This will create 2 files:
id_rsa - your private key file
id_rsa.pub - your public key file
If you can, it's a good idea to also add a from= line to your pubkey. This will limit where you can connect from, so if you will only be connecting from office A, then put it in at the beginning of the pubkey file.
local$ cat ~/.ssh/id_rsa.pub
from="officea.trusted.tld" ssh-rsa AJh32....{snip}
Now we copy the public key over to the server(s) we need to connect to:
ssh remote.server.somewhere < ~/.ssh/id_rsa.pub 'cat >> .ssh/authorized_keys'
Now test it: try to ssh to the server again, and it should ask you for the passphrase for id_rsa. Enter that and you should be in. If it fails, make sure the permissions on the remote ~/.ssh/authorized_keys are 0500 or 0700 (remote$ chmod 700 ~/.ssh/authorized_keys).
Typing the passphrase can also be a pain in the ass when you need to connect often, so in comes ssh-agent to make things a bit easier. If you are using Ubuntu, you probably have ssh-agent running already (check in /etc/X11/Xsession.options for "use-ssh-agent"; if it's not in there, add it). If you are using another distro it may be slightly different. A quick fix is to just add this to your crontab:
local$ crontab -e #Opens up a text editor
@reboot ssh-agent -s | grep -v echo > $HOME/.ssh-agent
This works on a lot of different distros, but you could also use keychain.
Try running "ssh-add". If ssh-agent is available, you will be asked for your passphrase, and once you have entered it, it will remember it for a certain time (if it forgets too soon, you can add a -t[number of seconds] to that command to increase the cache time). There are also some aliases you can add to your .bashrc file to make it even easier:
alias keyon="ssh-add -t 10800"
alias keyoff='ssh-add -D'
alias keylist='ssh-add -l'
alias keylock='ssh-add -x'
alias keyunlock='ssh-add -X'
This makes sure you are logged on locally (we don't want it running from a remote shell), then sources the ssh-agent details and adds some aliases. Type keyon to "turn on" your key, keyoff to "turn off", keylist to list currently open keys, and keylock/keyunlock to lock or unlock your key temporarily with a password.
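The local-login check and the sourcing step described above, written out as an added example for ~/.bashrc (not the author's original snippet). It assumes the @reboot cron job wrote $HOME/.ssh-agent; the helper name agent_env_load and its return codes are made up for illustration.

```shell
# Added example for ~/.bashrc. Assumes the @reboot cron job wrote $HOME/.ssh-agent.
# agent_env_load is a hypothetical helper: 0 = loaded, 1 = remote shell,
# 2 = file missing or unsafe, 3 = agent details are stale.
agent_env_load() {
    f=$1
    # sshd sets these for remote logins; a remote shell must not attach
    # itself to the agent that holds the locally unlocked key.
    if [ -n "${SSH_CONNECTION:-}${SSH_CLIENT:-}${SSH_TTY:-}" ]; then
        return 1
    fi
    # Sourcing a file executes it, so require a regular file that we own
    # and that neither group nor others can write to.
    if [ ! -f "$f" ] || [ ! -O "$f" ]; then
        return 2
    fi
    if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        return 2
    fi
    . "$f"
    # The file outlives the agent: if the agent has died since boot, drop
    # the stale socket and PID instead of leaving them in the environment.
    if [ -S "${SSH_AUTH_SOCK:-}" ] && [ -n "${SSH_AGENT_PID:-}" ] &&
        kill -0 "$SSH_AGENT_PID" 2>/dev/null; then
        return 0
    fi
    unset SSH_AUTH_SOCK SSH_AGENT_PID
    return 3
}

if agent_env_load "$HOME/.ssh-agent"; then
    alias keyon='ssh-add -t 10800'   # cache the key for 3 hours
    alias keyoff='ssh-add -D'        # remove all keys from the agent
    alias keylist='ssh-add -l'       # list keys currently held
    alias keylock='ssh-add -x'       # lock the agent with a password
    alias keyunlock='ssh-add -X'     # unlock it again
fi
```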
You can now log in to all your remote boxen with a simple "keyon" and then ssh to them, no password required.
Since we aren't doing passwords here, you may want to remove the ability to log in with them from the server (just don't lose your key):
remote$ sudo vi /etc/ssh/sshd_config
PasswordAuthentication no #This will disable password authentication for sshd
Once you have saved that, reload the ssh server with sudo /etc/init.d/ssh reload. Try to log in now, and you will probably get an error saying something like Permission denied (publickey).