Linux Setup for SSH Password Less Login.

There are many times when I do not want to always keep typing in passwords to log into local servers. Not only that, I do not want to be typing passwords when people are watching.  If you run a primarily linux network like I do then this can be a real boon to your use of the systems not to have to do the traditional login. So we will need a way to authenticate to the systems we want to use..

There was traditionally two kinds of authentication. RSA and DSA. RSA should not be used any more.  Public key authentication can only be established on a per system / user basis only i.e. it is not system wide. You will be setting up ssh with DSA public key authentication for SSH version 2 on two machines.

Note: you will need to be able to use the command line/terminal for this project.

Note: For both the server and the client port 22 should be changed to some number above 1024 that is an unused port.  Both numbers must be the same unless you are an advanced user,  Other settings should be changed as well. (i.e. disable root access)

$ sudo vim /etc/ssh/sshd_config

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22

The nmap command is a good way remotely to determine what ports are being used. You may like this instructable also:  https://www.instructables.com/id/Linux-screen-play/

#1 machine : Client machine with ssh installed

$ sudo apt-get update
$ sudo apt-get install ssh

#2 machine : A remote server with ssh and openssh-server

$ sudo apt-get update
$ sudo apt-get install ssh openssh-server

Note: I usually add openssh-server to all machines except those I do not want there to be ssh access.

Step #1: Generate DSA Key Pair

Use ssh-keygen command as follows:
$ ssh-keygen -t dsa
Output:

Enter file in which to save the key (/home/usernane/.ssh/id_dsa):  Press [Enter] key
Enter passphrase (empty for no passphrase): myPassword
Enter same passphrase again: myPassword
Your identification has been saved in /home/username/.ssh/id_dsa.
Your public key has been saved in /home/username/.ssh/id_dsa.pub.
The key fingerprint is:
04:be:15:ca:1d:0a:1e:e2:a7:e5:de:98:4f:b1:a6:01 username@username-desktop

Caution: a) Please enter a passphrase different from your account password and confirm the same.
b) The public key is written to /home/you/.ssh/id_dsa.pub.
c) The private key is written to /home/you/.ssh/id_dsa.
d) It is important you never-ever give out your private key.

Next make sure you have correct permission on .ssh directory:
$ cd
$ chmod 700 .ssh

Update note: Must have been thinking about wev serverdirectory  permissions 755 s/b 700.t

Copy public key.

Now copy file ~/.ssh/id_dsa.pub on Machine #1 (tom) to remote server as ~/.ssh/authorized_keys. The command scp is an ssh based  network file copy command and it will copy your public key file in this step. (you will be asked your your password on the server to log in.
$ scp ~/.ssh/id_dsa.pub user@server:.ssh/authorized_keys


Note: You can get to the calculator from here:
http://www.onlineconversion.com/html_chmod_calculator.htm

Now that you have the public key copied over to the server, you need to move it to the right place.
What you just did frim the client machine.

$ scp ~/.ssh/id_dsa.pub user@bennjerrys:.ssh/authorized_keys

Warning: If you already have an authorized_keys file this will write over it. (safer way)

From client machine
$ scp ~/.ssh/id_dsa.pub user@bennjerrys:.
Server side.
$ catid_dsa.pub >> .ssh/authorized_keys

Change permissions so only you can see and access it.

$ chmod 600 ~/.ssh/authorized_keys


Note: An authorized_key file (no "s" at the end)  is for the old rsa keys.

So you do not have to enter in a passphrase:

Type the following command at shell prompt:
$ exec /usr/bin/ssh-agent $SHELL
$ ssh-add

From the command line you could use:

$ ssh user@servername

or

$ ssh user@remote-server.com

or

$ scp file user@servername:/tmp

Now if you try to logon in from the client to get to a share, you should not get a second password window.

Tada!!

#!/bin/bash
#
## USAGE: add_to_server.sh remote_server
#
## This script will add your ssh dsa public key to remote_server's authorized_keys list,
## assuming that everything is in it's default location
#
set -v 				# verbose output
username="USERNAME"		# CHANGE ME!!!!
remote_server=$1		# assigns the first commandline argument to $remote_server
#
#
## Pipe the public key to ssh, then remotely touch the file to make sure it will be there, and concat to the end of it.
## Might work without the touch?
cat ~/.ssh/id_dsa.pub | ssh ${username}@${remote_server} "touch ~/.ssh/authorized_keys && cat - >> ~/.ssh/authorized_keys"
#
exit 0
[/code]

One of the things most people hate to do is to type in passwords. Not only could someone be looking over your shoulder, but also the password gets sent where it can be easily monitored. There has to be a better way. A method very much used on 'nix systems (including OS/X) is called the 'secure shell' (ssh for short). You can actually use it on Microsoft systems also, but it requires more than usual extra setup.

$ ssh typo1

password: _

Anyway, if you are setting up a new system and or recovering from a hard disk crash, setting up the ssh keys to all the servers or systems you log into can be a lot of fun. There had to be a way of automating this process.  The process is usually just three steps. Copy your key to the new server, adding the key to the authorized_key files, and then lastly removing the copied key if need be. So let's make a batch file to take care of this.

Installkey.sh

[code]

# invoke with ./Installkey.sh servername

# copy the key

scp .ssh/id_dsa.pub $1:~/.

# install the key
ssh $1 'cat id_dsa.pub >> .ssh/authorized_keys'

# remove the public key you just copied
ssh $1 'rm ~/id_dsa.pub'

[/code]

Save it to an ascii file.

Enable the shell file

$ chmod +x  Installkey.sh

Run the code:

$ ./Installkey.sh typo1

Now you should be able to log into the server without typing a password.

$ ssh typo1
Linux typo1 2.6.32-5-686 #1 SMP Sun May 6 04:01:19 UTC 2012 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Debian comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

                     /)
          o                 /' )
                           /'   (                          ,.
                        __/'     )                        .' `;
         o      _.-~~~~'          ``---..__             .'   ;
           _.--'  b)                       ``--...____.'   .'
          (     _.      )).      `-._                     <
           `\|\|\|\|)-.....___.-     `-.         __...--'-.'.
            `---......____...---`.___.'----... .'         `.;
                                            `-`             `

   This machine is for the exclusive use of OE.
   Anyone attempting to gain, or gaining access other
   than as specifically authorized will be prosecuted
   under all applicable statutes plus all applicable
   civil rules for damages.

   ------------------------------------------------------------------------
You have mail.
Last login: Sun Aug 19 05:15:37 2012 from oedt01
$ _

But then I thought, what I need to do a bunch of servers, even that could be tedious. So let's add some more code. First we need to make a list of the servers we want to update and save them to a file.

servers:

[data]

typo1

oesrvr1

...

[/data]

Now we need to use the original code and add a routine to read the server names from a file. That allows us to just type in one command and do all the servers. If we need to add a new server to the list, you just add it to the servers file. One bit of caution is that if you have run the program before, you do not need to do it again on prepared servers. Rename the existing servers file and start a new servers file.

srvrsshupdate.sh:

[code]

[/code]

Alternative code:
[code]

# invoke with ./Installkey.sh servername

# set up the .ssh dir if it does not exists
DIRECTORY=",ssh"
ssh $1 'if [ ! -d "$DIRECTORY" ];  then  mkdir $DIRECTORY ;chmod 700 $DIRECTORY ; fi'

# copy the key
scp $DIRECTORY/id_dsa.pub $1:~/.

# install the key
ssh $1 'cat id_dsa.pub >> $DIRECTORY/authorized_keys'
ssh $1 'chmod 600 $DIRECTORY/authorized_keys '

# remove the public key you just copied
ssh $1 'rm ~/id_dsa.pub'


[/code]

Enable

$ chmod +x srvrsshupdate.sh

 Run it