Sunday 25 May 2008

Easy SSH technique (SSH Public key based authentication - Howto)

SSH (Secure Shell) is a protocol, and a set of tools, for logging in to another machine over an encrypted connection and running commands there from your own machine.
For simplicity, we will call the machine you are sitting at the local machine, and the machine you wish to connect to the remote machine.

so,
USER : [LOCAL_MACHINE] -----------ssh------------------> [REMOTE_MACHINE]

(Obvious assumptions: the remote machine must be switched on and running an ssh server, and a working network connection must exist between the two machines.)

Letting anyone on the network log in would obviously be a security problem, so by default you cannot log in without first supplying the password of your account on the remote machine.

When I first arrived for my internship, I was given a thin client (Sun Ray) and had to connect to a machine (intel) remotely every time I needed to use utilities like firefox, gnuplot etc. (Of course, every time I logged in I had to open up obvious utilities like firefox/mozilla)
$>ssh -X garl-intel1
$>abhishek@garl-intel1's password:
garl-intel1.serc.iisc.ernet.in> /usr/local/firefox/firefox
But this process can get annoying sometimes:
  • When you wish to log in frequently (almost every time you boot your local machine) you have to keep typing in the password again and again.
  • If you wish to run a shell script on your local machine which executes a set of commands on the remote machine, it asks you for the password at every command to be executed. Wouldn't it be simpler if I could write a script here that runs a couple or more commands on the remote machine without me having to type in the password every time? Let's assume I have a script that has the following lines:

    ssh -X garl-intel1 xpdf ./abc.pdf
    ssh -X garl-intel1 gnuplot gp.sh
    scp ./abc.ps abhishek@garl-intel1:./a/abc.ps

    I would have to type in my password for each of these commands.
So this post is for those who are looking for an easy way to use ssh without any hassles at all. For simplicity, I have numbered the steps. I assume you are in my position and the remote machine is garl-intel1.serc.iisc.ernet.in
Step 1
Make sure you are in a bash shell (type bash and press enter if not); Step 4 relies on it.
Check the ssh connection to make sure it's okay and works fine with the password. For me, it's:
>bash
$>ssh garl-intel1
$>abhishek@garl-intel1's password:
garl-intel1.serc.iisc.ernet.in> who

Step 2
Create a key pair (a private key that stays on the local machine and a public key that will be copied to the remote machine) with the following command:
$> ssh-keygen -t rsa
When it asks where to save the key, press enter to accept the default location. Then it asks for a passphrase, twice. Choose a proper passphrase rather than your login password: the passphrase only encrypts the private key file on your local disk, so reusing the login password means that anyone who gets one has the other. An empty passphrase works too, but then anyone who can read the file can use the key. (Adding -b 4096 to the command asks for a longer key than the default.)
The default location is ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key). Only the .pub file ever leaves the local machine.
In case you need to change your passphrase later, you need to type:
$> ssh-keygen -p
Step 3>
Install the public key on the remote machine by appending the contents of id_rsa.pub to ~/.ssh/authorized_keys there. Do not simply scp the file over the top of .ssh/authorized_keys2: that replaces any keys already installed, and authorized_keys2 is a legacy file name that sshd only reads for backward compatibility. Appending does the job:
$> cat .ssh/id_rsa.pub | ssh abhishek@garl-intel1 'umask 077; mkdir -p .ssh; cat >> .ssh/authorized_keys'
The procedure should be over in a flash. (It will ask for your login password to complete.) The umask makes sure a freshly created .ssh directory gets mode 700 and the authorized_keys file mode 600; sshd refuses to use either if other users can write to them, and gives you nothing but the usual password prompt when it does, so check those modes on the remote side if they existed already. (Many systems also ship ssh-copy-id, which does the same thing in one command.)
Step 4>
From now on, you can type [ssh garl-intel1] to connect. But it still asks for the passphrase of the key every time, which is just as annoying. To get rid of that, start an ssh-agent and hand the key to it. Make sure you are in the bash shell and type:
$> ssh-agent $BASH
$> ssh-add
Now type in the current passphrase for the last time and press enter. The first command starts a new bash shell that knows where the agent is (through the SSH_AUTH_SOCK and SSH_AGENT_PID environment variables); the second decrypts the private key and hands it to the agent, which keeps it in memory and answers the remote machine's challenges on your behalf. Anything started from that shell, scripts included, now authenticates without a prompt; a shell that was not started under the agent will still ask for the passphrase.
Step 5>
Done!
Now you can log in with [ssh garl-intel1] without any hassles. If you are still asked for a password, check the remote side first: ~/.ssh must be mode 700 and ~/.ssh/authorized_keys mode 600 (sshd silently ignores the file otherwise), and [ssh -v garl-intel1] shows which key was offered and why it was not accepted.
Step 6>
A note about security: The remote machine has not been opened up by this. It still demands something only you have, either the account password or the private key, and the private key never leaves the local machine (only id_rsa.pub is copied). BUT the local machine can now log in as you without the password, so whoever controls your local account, or can read ~/.ssh/id_rsa and knows its passphrase, or can simply talk to the running agent, can log in to the remote machine as you. So as long as the local machine is secure and access is given only to authorized users, the server is secure as well. Keep the passphrase on the key and do not copy id_rsa anywhere else. Also remember that X11 forwarding gives the remote machine access to your local X display, so only forward X to hosts you trust.

However, if at any time you wish to take the keys out of the agent again (so that the passphrase is asked for once more), type the following in a bash shell:
$> ssh-add -D (delete all keys from the agent)
$> ssh-add -d ~/.ssh/id_rsa (delete a specific key from the agent)
$> ssh-add -l (list the keys the agent holds)
Note that this only affects the agent on the local machine. To actually revoke the local machine's access, delete its line from ~/.ssh/authorized_keys on the remote machine (and generate a fresh key pair if you suspect the private key was copied).
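The whole procedure from Step 2 to Step 6 as one script, added here as an example; it is not part of the original post. The functions work on an authorized_keys file given by path, so they can be run on the remote machine itself or, as in the demo at the bottom, on a constructed key line in a temporary directory. The user name abhishek and the host garl-intel1 are the post's own; the sample key is made up; setup_remote (run with [sh sshkeys.sh remote]) is the only part that needs the network, and is an assumption about how the post's remote machine is set up.

```sh
#!/bin/sh
# Added example for the SSH key howto above; not the post's own commands.
# Assumes OpenSSH (ssh, ssh-keygen, ssh-agent, ssh-add) on the local machine.
set -eu

# Append one public key line to an authorized_keys file exactly once and set
# the modes sshd insists on (StrictModes rejects a group/world-writable ~/.ssh
# or authorized_keys and silently falls back to the password prompt).
# $1 = public key file, $2 = authorized_keys path. Prints what it did.
install_pubkey() {
    key=$(cat "$1")
    authkeys=$2
    dir=$(dirname "$authkeys")
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$authkeys"
    chmod 600 "$authkeys"
    if grep -qxF "$key" "$authkeys"; then
        echo "already installed"
        return 0
    fi
    printf '%s\n' "$key" >> "$authkeys"
    echo "installed"
}

# Remove one public key from authorized_keys: this, not ssh-add -D, is what
# revokes a local machine's access. $1 = public key file, $2 = authorized_keys.
revoke_pubkey() {
    key=$(cat "$1")
    authkeys=$2
    grep -vxF "$key" "$authkeys" > "$authkeys.tmp" || true
    mv "$authkeys.tmp" "$authkeys"
    chmod 600 "$authkeys"
    echo "revoked"
}

# Number of keys in an authorized_keys file (blank lines and comments ignored).
count_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# The real thing: Step 2 to Step 4 against the post's remote machine
# (assumed host name and user; needs the network).
setup_remote() {
    # Step 2: key pair with a passphrase that is NOT the login password
    # (-b 4096 asks for a longer key than the default).
    [ -f ~/.ssh/id_rsa ] || ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa
    # Step 3: APPEND the public key remotely; umask 077 gives a new .ssh
    # directory and authorized_keys file the right modes. Asks for the password once.
    ssh abhishek@garl-intel1 \
        'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' \
        < ~/.ssh/id_rsa.pub
    # Step 4: an agent for this session; the passphrase is typed once here.
    eval "$(ssh-agent -s)"
    ssh-add ~/.ssh/id_rsa
    # The post's batch now runs without a single prompt.
    ssh -X garl-intel1 xpdf ./abc.pdf
    ssh -X garl-intel1 gnuplot gp.sh
    scp ./abc.ps abhishek@garl-intel1:./a/abc.ps
}

# Offline demo on a constructed key line and a temporary authorized_keys file.
demo() {
    d=$(mktemp -d)
    # Constructed key line, not a real key.
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructed= abhishek@sunray\n' \
        > "$d/id_rsa.pub"
    install_pubkey "$d/id_rsa.pub" "$d/.ssh/authorized_keys"
    install_pubkey "$d/id_rsa.pub" "$d/.ssh/authorized_keys"   # second run: no duplicate
    echo "keys installed: $(count_keys "$d/.ssh/authorized_keys")"
    revoke_pubkey "$d/id_rsa.pub" "$d/.ssh/authorized_keys"
    echo "keys after revoke: $(count_keys "$d/.ssh/authorized_keys")"
    rm -rf "$d"
}

case "${1:-demo}" in
    remote) setup_remote ;;
    *) demo ;;
esac
```

The demo shows the two properties the howto depends on: installing the same key twice leaves one line in authorized_keys, and removing the line (not clearing the agent) is what takes the access away again. Running the script with the remote argument performs the post's own sequence against garl-intel1, appending rather than overwriting.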

And now, it's playtime.

1 comment:

Karthik Ramgopal said...

I'd recommend using -Y instead of -X... it's more secure to X11 fwd that way :)