Tuesday, December 24, 2013

OpenSSH keys setup for passwordless authentication for ssh, sftp, scp etc.

Make OpenSSH keys for passwordless authentication for ssh, sftp, scp etc.

Create OpenSSH keys as a user.

1. Log in to the source server (SOURCE1) as the user (pniraj) that will be using the keys.
2. Check whether a key pair already exists:
SOURCE1>$/home/pniraj>cd .ssh
SOURCE1>$/home/pniraj/.ssh>ls -al
total 48
drwx------   2 pniraj   pnirajgrp        256 Mar 21 23:50 ./
drwxr-xr-x  11 pniraj   pnirajgrp       8192 Mar 21 13:39 ../
-rw-r--r--   1 pniraj   pnirajgrp        796 Mar 22 10:04 authorized_keys
-rw-------   1 pniraj   pnirajgrp       1671 Mar 21 23:50 id_rsa
-rw-r-----   1 pniraj   pnirajgrp        399 Mar 21 23:50 id_rsa.pub
-rw-r--r--   1 pniraj   pnirajgrp       2014 Mar 22 09:44 known_hosts

Important note: if the files id_rsa and id_rsa.pub already exist, do not generate new keys. ssh-keygen asks before overwriting, but a new key pair would invalidate every authorized_keys entry on other hosts that carries the old public key.

3. Only if the .ssh directory does not exist, or if the files id_rsa and id_rsa.pub do not exist in it, type "ssh-keygen" and accept the defaults. Leave the passphrase empty: the point of this setup is unattended logins for scripted ssh, sftp and scp jobs, and a passphrase would have to be typed each time (or served by ssh-agent). Understand what that buys: a key with no passphrase is a bearer credential, so anyone who can read id_rsa can log in as pniraj on every host where the key is authorized. Keep id_rsa at mode 0600, never copy it off SOURCE1, and for a key used only by a batch job consider prefixing its authorized_keys entry on the target with options such as from="<SOURCE1 address>" and command="<the one program it may run>" so that a stolen key is worth less. For an interactive login key, use a passphrase and ssh-agent instead. (The default key type here is RSA; on a current OpenSSH, "ssh-keygen -t ed25519" gives a stronger and shorter key, and the rest of this procedure is unchanged apart from the file names id_ed25519 and id_ed25519.pub.)

SOURCE1>$/home/pniraj> ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/pniraj/.ssh/id_rsa):
Created directory '/home/pniraj/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/pniraj/.ssh/id_rsa.
Your public key has been saved in /home/pniraj/.ssh/id_rsa.pub.
The key fingerprint is:
0f:21:c9:70:be:9a:36:fa:e1:04:4a:ea:5e:6f:98:63

4. This creates your key files (the private key id_rsa, readable only by you, and the public key id_rsa.pub):
SOURCE1>$ ls -l
total 24
-rw-------   1 pniraj staff          1671 Feb 24 15:40 id_rsa
-rw-r--r--   1 pniraj staff           398 Feb 24 15:40 id_rsa.pub

5. Use cat to print your public key. Note: the output is a single line; it may wrap in your terminal, but it is one line and must stay one line when copied.

SOURCE1>$/home/pniraj/.ssh>cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4XPgwlGdU5WBkNwUw2TzESY1jw9brCO33h5Lh306c5U/HGXHmM9ReKs9Cwqm5BAX2+qYNjxWAKSXb2+O18zrcGTY+gDWc/XaKovmCsHEeOq8JIteW6yf2BrKo0OfX4I8cPNgY2xHyplD86GOis026d0zxA6KJz6EZf1zllXzG+IVapkemc/QeLRiE89GMKqnwKZieez69Y+6PpT5KwQTomaXWjCRBQgpsEiIhOfAFs8q1TxibUbppoeM3jMj5M0sWG52Q== pniraj@SOURCE1

6. This text has to be copied into a file called authorized_keys in the user's ~/.ssh directory on the target server TARGET1. Only the public key travels; the private key id_rsa never leaves SOURCE1.

7. Connect to the target server TARGET1 as the same user pniraj. Before answering yes to the host-key question, compare the fingerprint shown with the one TARGET1 itself reports ("ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub" on TARGET1; the path may differ on other systems); answering yes blindly trusts whoever is answering at 10.6.5.92.
SOURCE1> ssh TARGET1
The authenticity of host 'TARGET1 (10.6.5.92)' can't be established.
RSA key fingerprint is 63:fe:10:d1:7a:43:65:e0:35:cf:eb:79:41:45:a4:e7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'TARGET1,10.6.5.92' (RSA) to the list of known hosts.
pniraj@TARGET1's password: (type in the user's password here)

8. Check whether TARGET1 already has a .ssh directory and a key pair:
TARGET1>$cd .ssh
TARGET1>$ls -al
total 48
drwx------   2 pniraj   pniraj        256 Mar 21 23:50 ./
drwxr-xr-x  11 pniraj   pniraj       8192 Mar 21 13:39 ../
-rw-------   1 pniraj   pniraj       1671 Mar 21 23:50 id_rsa
-rw-r-----   1 pniraj   pniraj        399 Mar 21 23:50 id_rsa.pub
-rw-r--r--   1 pniraj   pniraj       2014 Mar 22 09:44 known_hosts

9. A key pair on TARGET1 is only needed if TARGET1 must also log in somewhere without a password (the reverse direction described at the end of this page). If you want one and the .ssh directory or the files id_rsa and id_rsa.pub do not exist, type "ssh-keygen" and accept the defaults, with an empty passphrase as in step 3. If ~/.ssh did not exist, ssh-keygen creates it with mode 0700, which is what sshd requires.

10. Change directory to ~/.ssh
TARGET1>$ cd ~/.ssh
TARGET1>$ pwd
/home/pniraj/.ssh

11. On SOURCE1, cat the id_rsa.pub file to get SOURCE1's public key (the same output as in step 5).
Paste that key into the authorized_keys file on TARGET1. Be sure that it is all on one line and that there are no blank lines following the key. The rule is one key per line; a key that a terminal or mail client has wrapped onto two lines is not recognised by sshd and is ignored.
SOURCE1>cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4G8HtHKwRSN2dWYv9/lpUBNjPrR7Pw2BJ5Mxraq2Pa3mZsLzO6pXSq/tBVN/s9upEe0T8LIZJJ9M40FR0RDncB5yXwW6T+dML+1bIlcag31o8OMqBS1+6VR+sONgnWYSFiIJ2RyVHcZVd4GIDhSFdTb4/qNZ804is4rNS2AkRvo30VvhB3QVTFuGOO1rdBNnBv8WqhwvYmgFKQJQtcNEQGepKYrvp8U7PjrEJjhGvUdX+TBl1l3saYJub7UB42cAM+INpaZeIscT/Ujtgj3l727O3jPx7ed7STsNb/WshrKc2+N6R/UF74tkpdAzzAG4t4WXvA4iSdqeS98olTsAjQ== pniraj@SOURCE1

TARGET1>vi authorized_keys
(you can use your favorite editor here; paste in the key from `cat id_rsa.pub` on SOURCE1, and when done you should see the new key in the file)

TARGET1>cat authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6I0tmsbDh7o7uDDvg/IQYODVT48xEfh1LKQULiPq4CpXknMF+nDDm6Yb63z6jF6rPrQkUIOLCQzWh7erR2JvdWjH94UBQrsoAGJJKuEp9lnedOd7OPG17Ao3n+BXsk4AsaeehJTuZV4iKPq0qRSGbdNNrCaYzkv== pniraj@ABCD2
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxAX0SBOYI30xo46Mutf1r/Izv8oaDMaBKjP+DU03krZsvVrQ220ttkQGwdsTxn0/NmYgTrw+n01PYOsBgygiPplTaf+8K5CrEJJpYDQ34Fmsc9z+H7bR9/ciWGhFElVF65fu0v+QjBAiocheokYWnfAo24GEkJtHd3v/BA/ITNbxL9zCONA+C9RcQ== pniraj@TARGET1
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4G8HtHKwRSN2dWYv9/lpUBNjPrR7Pw2BJ5Mxraq2Pa3mZsLzO6pXSq/tBVN/s9upEe0T8LIZJJ9M40FR0RDncB5yXwW6T+dML+1bIlcag31o8OMqBS1+6VR+sONgnWYSFiIJ2RyVHcZVd4GIDhSFdTb4/qNZ804is4rNS2AkRvo30VvhB3QVTFuGOO1rdBNnBv8WqhwvYmgFKQJQtcNEQGepKYrvp8U7PjrEJjhGvUdX+TBl1l3saYJub7UB42cAM+INpaZeIscT/Ujtgj3l727O3jPx7ed7STsNb/WshrKc2+N6R/UF74tkpdAzzAG4t4WXvA4iSdqeS98olTsAjQ== pniraj@SOURCE1

12. Save the authorized_keys file

13. OpenSSH is very picky about permissions of files and directories: with the default StrictModes setting, sshd ignores authorized_keys entirely if the file, the .ssh directory or the home directory is writable by group or others. Make sure the authorized_keys file has the correct permissions (600 is the usual choice; 644 also satisfies sshd, but there is no reason for other users to read which keys are trusted):
TARGET1>$chmod 600 authorized_keys
Make sure .ssh directory has correct permissions
TARGET1>$ls -ald .ssh
drwx--S---   2 pniraj   pniraj        256 Mar 22 02:38 .ssh
TARGET1>$chmod 0700 .ssh
TARGET1>$ls -ald .ssh
drwx------   2 pniraj   pniraj        256 Mar 22 02:38 .ssh
Finally, make sure the user's home directory has the proper permissions (it must not be group- or world-writable either):
TARGET1>$pwd
/home1/dmlprd173/pniraj
TARGET1>$ls -ald .
drwxr-sr-x   4 pniraj   pniraj       4096 Mar 23 11:32 .
TARGET1>$chmod 0755 /home1/dmlprd173/pniraj
TARGET1>$ls -ald .
drwxr-xr-x   4 pniraj   pniraj       4096 Mar 23 11:32 .

Log out of the TARGET1 server.

14. Now, back on the source server, log in as the same user pniraj and type "ssh TARGET1". If the host key of TARGET1 is not yet saved in ~/.ssh/known_hosts (it was saved in step 7, so normally it already is), you will be asked once to verify the identity of the server; compare the fingerprint as in step 7 and answer yes. You should then land in a shell on TARGET1 with no password prompt. If a password is still requested, run "ssh -v TARGET1" on SOURCE1 to see which authentication methods were tried, and re-check the permissions from step 13 on TARGET1: sshd gives no error to the client when it rejects authorized_keys for bad file modes.

SOURCE1> ssh TARGET1
The authenticity of host 'TARGET1 (10.6.5.92)' can't be established.
RSA key fingerprint is 63:fe:10:d1:7a:43:65:e0:35:cf:eb:79:41:45:a4:e7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'TARGET1,10.6.5.92' (RSA) to the list of known hosts.

That's all: from now on you can connect from SOURCE1 to TARGET1 without entering a password, and scp and sftp use the same key.
If you want passwordless connectivity in the reverse direction (TARGET1 to SOURCE1) as well, add TARGET1's public key (its id_rsa.pub) to SOURCE1's authorized_keys file in the same way; it is always the public key that travels, never id_rsa.

15. That’s all. Repeat for any additional hosts.
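The following script is an added example, not code from the original post. It does what steps 6 to 13 describe by hand (put one public key per line into authorized_keys on the target with the modes sshd requires), but it refuses malformed key lines such as a wrapped or truncated paste, never adds the same key twice, and can verify the permissions afterwards. TARGET1, the user and the id_rsa.pub path are the post's examples; the function names, the script file name and the assumption that the remote login shell is a POSIX sh are this example's own. Plain ssh-copy-id does most of the same work; the point here is to show the checks.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into
# authorized_keys the way steps 6-13 do, with validation and fixed modes.

# A valid authorized_keys line is "<type> <base64 blob> [comment]" on ONE
# line.  The blob encodes a length-prefixed key type, so real blobs have a
# fixed start: ssh-rsa keys begin AAAAB3NzaC1yc2E, ssh-ed25519 keys begin
# AAAAC3NzaC1lZDI1NTE5.  A wrapped continuation ("+sONg..."), a dropped
# character ("AAAB3...") or a type/blob mismatch all fail this check.
pubkey_line_ok() {
    line=$1
    ktype=${line%% *}
    rest=${line#* }
    blob=${rest%% *}
    case "$ktype" in
        ssh-rsa)     prefix=AAAAB3NzaC1yc2E ;;
        ssh-ed25519) prefix=AAAAC3NzaC1lZDI1NTE5 ;;
        *)           return 1 ;;
    esac
    case "$blob" in
        "$prefix"*) ;;
        *)          return 1 ;;
    esac
    # base64 alphabet only, at most two '=' of padding at the very end
    printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# Append one key to an authorized_keys file, creating its directory with
# mode 700 and the file with mode 600 (what StrictModes accepts).
# Idempotent: a key whose blob is already present is not written again,
# so re-running the setup never grows the file.  Returns 1 for a bad line.
install_pubkey() {
    line=$1
    authfile=$2
    pubkey_line_ok "$line" || return 1
    rest=${line#* }
    blob=${rest%% *}
    sshdir=$(dirname "$authfile")
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$authfile" && chmod 600 "$authfile" || return 1
    if ! grep -qF -- "$blob" "$authfile"; then
        printf '%s\n' "$line" >> "$authfile"
    fi
}

# Report whether home directory $1 satisfies sshd's StrictModes: neither it,
# nor $1/.ssh, nor $1/.ssh/authorized_keys may be group- or world-writable.
# In the "ls -ld" mode string, position 6 is the group write bit and
# position 9 the other write bit.
perms_ok() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || return 1
        mode=$(ls -ld "$p" | cut -c1-10)
        case "$mode" in
            ?????w*|????????w?) return 1 ;;
        esac
    done
    return 0
}

# Push SOURCE1's public key to a target host: the last password login.
# The key travels on stdin, so no shell quoting of the key text is needed;
# the remote shell (assumed to be a POSIX sh) appends it only if it is not
# already there and sets the modes.  The BatchMode check afterwards cannot
# prompt, so it either succeeds with the key or fails loudly.
push_key_to() {
    target=$1
    pubkey=$(cat "$HOME/.ssh/id_rsa.pub") || return 1
    pubkey_line_ok "$pubkey" || { echo "id_rsa.pub is not a valid single-line key" >&2; return 1; }
    printf '%s\n' "$pubkey" | ssh "$target" '
        umask 077; mkdir -p ~/.ssh; key=$(cat)
        grep -qF -- "$key" ~/.ssh/authorized_keys 2>/dev/null ||
            printf "%s\n" "$key" >> ~/.ssh/authorized_keys
        chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys' || return 1
    ssh -o BatchMode=yes "$target" true && echo "key login to $target works"
}

# Usage from SOURCE1 (script name assumed):  sh setup_key.sh push TARGET1
case "${1:-}" in
    push) push_key_to "${2:-TARGET1}" ;;
esac
```

Run it as "sh setup_key.sh push TARGET1" from SOURCE1 after step 7's host-key check; the only password typed is the one for the push itself, and the final BatchMode ssh proves that key login works without a human at the keyboard. The validation deliberately checks that the base64 blob starts with the encoding of the stated key type, which is what catches the two mistakes this page warns about (a key line broken across two lines and a key with a character dropped in copying) before sshd silently ignores them.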
