egrath
8th November 2010, 05:03 PM
Public Key Authentication
When your network has more than one Linux-based system and you like to do the administration on the command line, it is convenient to be able to connect to the other systems without entering a password every time.
Exactly for this there is a solution available in SSH. It is called “Public Key Authentication” and works the following way:
1. On each host, the desired user has a key pair (consisting of a private and a public key).
2. On each other host the public key from (1) is added to a list of allowed keys (~/.ssh/authorized_keys).
3. Whenever the user logs in to another host using ssh, the server checks whether the user's public key is in the list (2) and then has the client prove, by signing a challenge, that it holds the matching private key. The private key itself is never sent to the server.
The above may sound a little complicated, but it is not hard to set up an environment this way.
Step 1: Make sure SSH is running on your System
OpenSSH is installed by default on Fedora 14, but the SSH daemon is disabled by default. To enable it, open a root terminal and enter:
chkconfig --level 235 sshd on
service sshd start
By default the firewall blocks incoming SSH connections (port 22). Run “system-config-firewall”, check the “SSH” service, then press “Apply” and “Reload”. Answer the following question with “Yes”.
Step 2: Generate the SSH Keys on each Host
Now it is time to generate your keys. Perform this step as the user you use for your daily work; in my example the user is called “er” (the two hosts used for this example are “nelson” and “blackwood”):
ssh-keygen -b 2048 -C "SSH Keys for User er@nelson" -f ~/.ssh/er_nelson -N ""
When finished you have created two new files, located in the ~/.ssh directory:
er_nelson
er_nelson.pub
The one without an extension is the private key; it is not meant to be distributed across the network, so keep it secret. Note that -N "" gives it an empty passphrase, which means anyone who gets a copy of that file can log in as you on every host that trusts it. If you prefer a passphrase, drop -N "" (ssh-keygen then prompts for one) and load the key into ssh-agent with ssh-add, so you still type it only once per session. The other file is the public key, which we will use later.
Because the “ssh” command by default looks for differently named files when using public key authentication, we add an alias so that it uses our files. Put the following line in your ~/.bash_profile or ~/.bashrc (which one depends on whether you are using a login shell or a regular one; use ~/.bashrc when you don't know):
alias ssh="ssh -i ~/.ssh/${USER}_`hostname -s`"
One may ask why we don't use the default names and have to tamper with an alias to make things work. The default files are ~/.ssh/id_rsa and id_rsa.pub (id_dsa for DSA keys; “identity” was the name for the old protocol-1 keys), but we want to know to which user and host our keys belong just by looking at the filename. Keep in mind that the alias only applies to an interactive “ssh” typed in your shell: scp, sftp, rsync and scripts do not see it. An IdentityFile line for the key in ~/.ssh/config works for all of them and is the cleaner alternative.
This step needs to be performed on every host you want to make part of the trust relationship.
Step 3: Make the Hosts trust each other
If there is not already a terminal open, open one. Then run the following command on the first host (read below before starting!):
ssh blackwood cat ~/.ssh/er_blackwood.pub >> ~/.ssh/authorized_keys
Before running this command, adapt it to your environment: replace “blackwood” with the name of your other host and “er_blackwood” with the key filename created on that host in step (2). It prints the other host's public key over ssh (you will be asked for your password once) and appends it to the local ~/.ssh/authorized_keys. Note that the local shell expands the “~” before the command is sent, so this only works as written when your home directory has the same path on both hosts. Repeat it for every host you include in the trust relationship, and also append your own public key (er_nelson.pub in this example) to the same file, since the file is about to be copied to the other hosts.
When finished you end up with a ~/.ssh/authorized_keys that contains every public key you created on your different hosts. To make the hosts trust each other, just copy this file to each other host:
scp ~/.ssh/authorized_keys blackwood:~/.ssh/
As before, replace “blackwood” with the name of your other host and repeat it for every host in your trust relationship. Note that scp overwrites any authorized_keys the other host already had, so merge first if it contained keys you want to keep, and make sure the remote ~/.ssh is mode 700 and authorized_keys is not group- or world-writable (600 is the safe choice), otherwise sshd ignores the file.
Step 4: Testing it out
Now that every user has its own key on each host and is trusted on every other host, you should be able to do ssh logins without the need to enter a password. If you are still asked for one, run “ssh -v otherhost”: the debug output shows which identity file is offered and whether the server accepted it. The most common causes are a wrong -i path in the alias and permissions on ~/.ssh or authorized_keys that sshd rejects.
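The whole procedure in one script, as an added example that is not part of the original post. It follows the post's four steps but with three changes a practitioner would want: the private key is generated with a passphrase (loaded once per session into ssh-agent) instead of -N "", the per-host key file is selected through an IdentityFile entry in ~/.ssh/config instead of a shell alias so that scp and sftp use it too, and authorized_keys is merged without duplicates and given the permissions sshd's StrictModes accepts. The user “er” and the hosts “nelson” and “blackwood” are the post's; the assumptions are that the login name is the same on every host, that each host's key is named USER_shorthostname as in the post, and that the name you ssh to is that short hostname. The public key lines inside demo_merge are constructed placeholders, not real keys.

```bash
#!/bin/bash
# Added example (not the original post's code). Assumes: same login name on
# every host; each host's key is ~/.ssh/USER_shorthostname as in the post;
# the name you ssh to is that short hostname. Run on each host in turn as
#   ./sshkeys.sh blackwood [more hosts...]
# Without arguments it only runs the offline demo at the bottom.
set -e

# Name a key the way the post does: USER_shorthostname, e.g. er_nelson.
keyname() {                              # $1 = user, $2 = hostname (FQDN ok)
    printf '%s_%s\n' "$1" "${2%%.*}"
}

# Step 2, hardened: RSA 2048 bit, and ssh-keygen prompts for a passphrase
# (no -N ""), so a stolen key file alone is not enough to log in.
generate_key() {                         # $1 = private key path
    mkdir -p "$(dirname "$1")"
    chmod 700 "$(dirname "$1")"
    [ -f "$1" ] || ssh-keygen -t rsa -b 2048 -C "$USER@$(hostname)" -f "$1"
}

# Replaces the post's alias: ssh, scp and sftp all read ~/.ssh/config.
# IdentitiesOnly stops ssh from offering every key the agent holds.
write_ssh_config() {                     # $1 = config path, $2 = key path
    if ! grep -qsF "IdentityFile $2" "$1"; then
        printf 'Host *\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$2" >> "$1"
    fi
    chmod 600 "$1"
}

# Step 3: merge .pub files into authorized_keys, keeping each key once and
# setting the permissions sshd's StrictModes requires.
merge_authorized_keys() {                # $1 = authorized_keys, $2.. = .pub files
    local target="$1" tmp; shift
    mkdir -p "$(dirname "$target")"
    tmp="$(mktemp)"
    { if [ -f "$target" ]; then cat "$target"; fi; cat "$@"; } \
        | grep -v '^[[:space:]]*$' | awk '!seen[$0]++' > "$tmp"
    cat "$tmp" > "$target"
    rm -f "$tmp"
    chmod 600 "$target"
}

count_keys() {                           # number of key lines in $1
    awk 'END { print NR }' "$1"
}

# Fetch every other host's public key (named after that host, as in the
# post) into one staging file. You are asked for the password once per host.
collect_keys() {                         # $1 = staging file, $2.. = other hosts
    local out="$1" host; shift
    : > "$out"
    for host in "$@"; do
        ssh "$host" "cat ~/.ssh/$(keyname "$USER" "$host").pub" >> "$out"
    done
}

# Push the merged file to every other host, fix permissions there, then do
# the post's step 4 check: login must work with password auth switched off.
distribute_and_check() {                 # $1 = authorized_keys, $2.. = other hosts
    local file="$1" host; shift
    for host in "$@"; do
        scp -q "$file" "$host:.ssh/authorized_keys"
        ssh "$host" 'chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys'
        if ssh -o BatchMode=yes -o PasswordAuthentication=no "$host" true; then
            echo "key login to $host: OK"
        else
            echo "key login to $host: FAILED (try: ssh -v $host)"
        fi
    done
}

# Offline demo with constructed placeholder key lines (not real keys):
# merging the same key twice leaves one copy. Prints the number kept.
demo_merge() {
    local d; d="$(mktemp -d)"
    printf 'ssh-rsa AAAAB3NzaC1yc2E-constructed-1 er@nelson\n'    > "$d/nelson.pub"
    printf 'ssh-rsa AAAAB3NzaC1yc2E-constructed-2 er@blackwood\n' > "$d/blackwood.pub"
    merge_authorized_keys "$d/authorized_keys" "$d/nelson.pub" "$d/blackwood.pub"
    merge_authorized_keys "$d/authorized_keys" "$d/nelson.pub"   # same key again
    count_keys "$d/authorized_keys"
    rm -rf "$d"
}

if [ "$#" -gt 0 ]; then
    me="$(keyname "$USER" "$(hostname)")"
    generate_key "$HOME/.ssh/$me"
    write_ssh_config "$HOME/.ssh/config" "$HOME/.ssh/$me"
    collect_keys "$HOME/.ssh/collected.pub" "$@"
    merge_authorized_keys "$HOME/.ssh/authorized_keys" "$HOME/.ssh/$me.pub" "$HOME/.ssh/collected.pub"
    distribute_and_check "$HOME/.ssh/authorized_keys" "$@"
else
    echo "demo: keys kept after merging a duplicate: $(demo_merge)"
fi
```

Load the key into the agent once per session with eval "$(ssh-agent -s)" followed by ssh-add ~/.ssh/er_nelson; after that the passphrase is not asked again, which keeps the post's convenience without leaving an unencrypted private key on disk. Run the script once on every host of the trust relationship; because merge_authorized_keys drops duplicates, running it again after adding a host is safe.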