For some time now, I have been using ssh on my local network without
having to type a password to access my other machines.
All I have to do is type `ssh machine_name` and I am in. No password
required. But how do I do that, you may ask. Well, it's not really
insecure, like you might think.
Here's the skinny.
First, you need to create a public key. This is done by typing the
command `ssh-keygen -t rsa`
Accept the defaults. When asked for a passphrase, just leave that
blank. Your public and private keys will be generated, and stored in
~/.ssh/
To see what your newly generated key looks like, do
`cat ~/.ssh/id_rsa.pub`
Now that we have created your keys, they will need to be stored in your
home directory on all of the machines you wish to access. To do this,
we can use ssh to copy the key from one machine to another in a secure
fashion.
Make sure sshd is active on any machines you are attempting to copy your
key to.
The command is
`ssh hostname "umask 077; cat >> .ssh/authorized_keys" < ~/.ssh/id_rsa.pub`
Now, you will be prompted for your login password to the remote machine.
Provide it, and the key will be transferred.
To test it out, try to `ssh hostname` and if all went well, you will be
given a prompt on the remote machine, without typing that password.
--
***** Matthew Powell *******************************
****** http://www.franoculator.com *****************
******* Visit us on #cola on irc.oftc.net **********
matt1629 (225) | 11/10/2003 2:52:03 AM
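A hardened version of the copy step from the post above, added here as an example rather than taken from the original post: the remote half of the one-liner made idempotent (no duplicate line on a second run) and permission-safe (creates ~/.ssh as 700 and authorized_keys as 600 when they are missing). The function names are my own, not OpenSSH's, and the key lines in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post.  The posted one-liner
#   ssh hostname "umask 077; cat >> .ssh/authorized_keys" < ~/.ssh/id_rsa.pub
# appends blindly (a second run leaves a duplicate line) and fails when
# ~/.ssh does not exist yet on the remote host.  The helpers below do the
# same job with those two edges covered.  Names are my own, not OpenSSH's.

# add_authorized_key FILE KEYLINE
# Remote-side logic: create the parent directory (700) and FILE (600) if
# missing, then append KEYLINE unless that exact line is already present.
# Runs in a subshell so the umask change does not leak into the caller.
add_authorized_key() (
    file=$1
    key=$2
    umask 077                        # anything created below is owner-only
    mkdir -p "$(dirname "$file")" || exit 1
    [ -f "$file" ] || : > "$file"
    # -x whole line, -F fixed string: an identical key is never re-added
    grep -qxF -- "$key" "$file" || printf '%s\n' "$key" >> "$file"
)

# count_keys FILE -> number of non-empty lines in FILE
count_keys() {
    grep -c . "$1"
}

# install_pubkey HOST [PUBKEY_FILE]
# Client side: streams the public key over ssh exactly as the original
# command does, but the remote shell applies the add_authorized_key logic.
# sshd must be running on HOST; you are asked for your login password once.
install_pubkey() {
    host=$1
    pub=${2:-$HOME/.ssh/id_rsa.pub}
    [ -r "$pub" ] || { echo "no public key at $pub" >&2; return 1; }
    ssh "$host" 'umask 077; mkdir -p ~/.ssh; k=$(cat); f=~/.ssh/authorized_keys
        [ -f "$f" ] || : > "$f"
        grep -qxF -- "$k" "$f" || printf "%s\n" "$k" >> "$f"' < "$pub"
}

# Offline demo against a constructed local file: run with --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    add_authorized_key "$tmp/.ssh/authorized_keys" "ssh-rsa AAAAconstructed== demo@laptop"
    add_authorized_key "$tmp/.ssh/authorized_keys" "ssh-rsa AAAAconstructed== demo@laptop"
    echo "keys installed: $(count_keys "$tmp/.ssh/authorized_keys")"   # prints 1
    rm -rf "$tmp"
fi
```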
Franoculator blubbered effusively on Mon, 10 Nov 2003 at 02:52 GMT:
> For some time now, I have been using ssh on my local network without
> having to type a password to access my other machines.
<SNIPS>
> To test it out, try to `ssh hostname` and if all went well, you will be
> given a prompt on the remote machine, without typing that password.
One can get confused pretty quickly if this is done in a circular
fashion. I just ssh'ed from machine 1 to machine 2 to machine 3, back
to machine 2, to machine 1, to machine 3, to machine 2, to machine 3,
to machine 1, to machine 2, to machine 1, to machine 3, to machine 2,
to machine 3 to machine 1. All without a password.
I keep a short alias on all of them for "exit" so I don't have to type
so much.
--
....Microsoft and its suppliers provide the Product and
support services (if any) AS IS AND WITH ALL FAULTS, and
hereby disclaim all other warranties and conditions...
http://proprietary.clendons.co.nz/licenses/eula/windowsxpprofessional-eula.htm
paragraph 12.
sm9906 (323) | 11/10/2003 6:45:19 AM
On Mon, 10 Nov 2003 02:52:03 GMT,
Franoculator <matt@morpheus.franoculator.com> wrote:
> For some time now, I have been using ssh on my local network without
> having to type a password to access my other machines.
>
> All I have to do is type `ssh machine_name` and I am in. No password
> required. But how do I do that, you may ask. Well, it's not really
> insecure, like you might think.
>
> Here's the skinny.
>
> First, you need to create a public key. This is done by typing the
> command `ssh-keygen -t rsa`
>
> Accept the defaults. When asked for a passphrase, just leave that
> blank. Your public and private keys will be generated, and stored in
> ~/.ssh/
>
> To see what your newly generated key looks like, do `cat
> ~/.ssh/id_rsa.pub`
>
> Now that we have created your keys, they will need to be stored in
> your home directory on all of the machines you wish to access. To do
> this, we can use ssh to copy the key from one machine to another in a
> secure fashion.
>
> Make sure sshd is active on any machines you are attempting to copy
> your key to.
>
> The command is `ssh hostname "umask 077; cat >> .ssh/authorized_keys"
> < ~/.ssh/id_rsa.pub`
>
> Now, you will be prompted for your login password to the remote
> machine. Provide it, and the key will be transferred.
>
> To test it out, try to `ssh hostname` and if all went well, you will
> be given a prompt on the remote machine, without typing that password.
>
Nice writeup! All the details, none of the fluff :)
--
Jim Richardson http://www.eskimo.com/~warlock
Smut is one of the few things people will pay well for even if the
technology isn't very good.
-- Dale Worley
warlock (9518) | 11/10/2003 7:44:08 AM
Sinister Midget wrote:
>> To test it out, try to `ssh hostname` and if all went well, you will
>> be given a prompt on the remote machine, without typing that
>> password.
>
> One can get confused pretty quickly if this is done in a circular
> fashion. I just ssh'ed from machine 1 to machine 2 to machine 3, back
> to machine 2, to machine 1, to machine 3, to machine 2, to machine 3,
> to machine 1, to machine 2, to machine 1, to machine 3, to machine 2,
> to machine 3 to machine 1. All without a password.
To limit confusion, I have differently colored prompts on the different
machines. That obviously has its limits, but with only two machines
it's a snap. The brain reads the colors way before the text, so
identification is effortless.
> I keep a short alias on all of them for "exit" so I don't have to
> type so much.
You mean, like ^D? Not exactly a lot of typing involved there ...
--
PeKaJe
Any woman is a volume if one knows how to read her.
usenet21 (2476) | 11/10/2003 9:05:58 AM
begin <n3Drb.8$vJ3.2@okepread05>,
Franoculator <matt@morpheus.franoculator.com> writes:
>
> For some time now, I have been using ssh on my local network without
> having to type a password to access my other machines.
>
> All I have to do is type `ssh machine_name` and I am in. No password
> required. But how do I do that, you may ask. Well, it's not really
> insecure, like you might think.
>
> Here's the skinny.
>
> First, you need to create a public key. This is done by typing the
> command `ssh-keygen -t rsa`
>
> Accept the defaults. When asked for a passphrase, just leave that
> blank. Your public and private keys will be generated, and stored in
> ~/.ssh/
It is a very bad idea to not give a passphrase. It means your secret
key is not encrypted. There is a solution for what you want and that
is ssh-agent and ssh-add. You only need to give the passphrase once
when running ssh-add.
To make it work from any shell you start do something like this:
ssh-agent >/tmp/ssh-agent-env
. /tmp/ssh-agent-env
ssh-add
In your .bashrc file have a line:
. /tmp/ssh-agent-env
This is much more secure and you only need to type your passphrase once.
You could also look into keychain written by Gentoo's Daniel Robbins:
http://www.gentoo.org/proj/en/keychain.xml
http://www-106.ibm.com/developerworks/library/l-keyc.html
rgc (755) | 11/10/2003 1:10:54 PM
Franoculator wrote:
> For some time now, I have been using ssh on my local network without
> having to type a password to access my other machines.
>
> All I have to do is type `ssh machine_name` and I am in. No password
> required. But how do I do that, you may ask. Well, it's not really
> insecure, like you might think.
>
> Here's the skinny.
>
> First, you need to create a public key. This is done by typing the
> command `ssh-keygen -t rsa`
>
> Accept the defaults. When asked for a passphrase, just leave that
> blank. Your public and private keys will be generated, and stored in
> ~/.ssh/
>
> To see what your newly generated key looks like, do
> `cat ~/.ssh/id_rsa.pub`
>
> Now that we have created your keys, they will need to be stored in your
> home directory on all of the machines you wish to access. To do this,
> we can use ssh to copy the key from one machine to another in a secure
> fashion.
>
> Make sure sshd is active on any machines you are attempting to copy your
> key to.
>
> The command is
> `ssh hostname "umask 077; cat >> .ssh/authorized_keys" < ~/.ssh/id_rsa.pub`
>
> Now, you will be prompted for your login password to the remote machine.
> Provide it, and the key will be transferred.
>
> To test it out, try to `ssh hostname` and if all went well, you will be
> given a prompt on the remote machine, without typing that password.
>
A couple of notes. I use ssh with keys extensively for cluster management; in
fact, when you have to manage a 100-machine cluster, it is vital. Here are
a few scripts that I use:
<cluexec executes a command on each machine in a cluster one at a time>
#!/bin/sh
# Hostnames come from ./targets, one per line; "$*" is the command to run.
if [ -f targets ] ; then
    NODES=$(cat targets)
    for node in $NODES; do
        echo "$node:"
        ssh root@"$node" "$*"
    done
fi
</cluexec>
<cluexecp executes a command on each machine in a cluster in parallel>
#!/bin/sh
# Same as cluexec, but every ssh runs in the background with its own
# stdout/stderr captured in <node>.log and <node>.err.
if [ -f targets ] ; then
    NODES=$(cat targets)
    for node in $NODES; do
        echo "$node:"
        # -n: a backgrounded ssh must not compete for the terminal's stdin
        ssh -n root@"$node" "$*" >"$node.log" 2>"$node.err" &
    done
    wait    # return only once every node has finished
fi
</cluexecp>
<clupush pushes a file to all the machines in a cluster>
#!/bin/sh
# Usage: clupush LOCALFILE REMOTEPATH
if [ $# -ne 2 ]; then
    echo "usage: $0 localfile remotepath" >&2
    exit 1
fi
if [ -f targets ] ; then
    NODES=$(cat targets)
    for node in $NODES; do
        echo "$node:"
        # -p keeps mode and timestamps, -C compresses on the wire
        scp -pC "$1" root@"$node":"$2"
    done
fi
</clupush>
OK, first some rules about automated logins:
Always use a pass phrase!!! A hacker getting your key will be able to use
it!!! Even if it's not a hacker, anyone with root access to your machine
will be able to access machines "as you" which is a serious breach of
"CYA."
mlw (2191) | 11/10/2003 1:35:56 PM
Jim Richardson spilled his alphabet soup on the floor,
and the letters spelled:
> Nice writeup! All the details, none of the fluff :)
Thanks!
--
***** Matthew Powell *******************************
****** http://www.franoculator.com *****************
******* Visit us on #cola on irc.oftc.net **********
matt1629 (225) | 11/10/2003 2:26:50 PM
Roy Culley spilled his alphabet soup on the floor,
and the letters spelled:
> begin <n3Drb.8$vJ3.2@okepread05>,
> Franoculator <matt@morpheus.franoculator.com> writes:
>>
>> For some time now, I have been using ssh on my local network without
>> having to type a password to access my other machines.
[snip self]
> It is a very bad idea to not give a passphrase. It means your secret
> key is not encrypted. There is a solution for what you want and that
> is ssh-agent and ssh-add. You only need to give the passphrase once
> when running ssh-add.
>
> To make it work from any shell you start do something like this:
>
> ssh-agent >/tmp/ssh-agent-env
> . /tmp/ssh-agent-env
> ssh-add
>
> In your .bashrc file have a line:
>
> . /tmp/ssh-agent-env
>
> This is much more secure and you only need to type your passphrase once.
>
> You could also look into keychain written by Gentoo's Daniel Robbins:
>
> http://www.gentoo.org/proj/en/keychain.xml
> http://www-106.ibm.com/developerworks/library/l-keyc.html
You do bring up some interesting points that I had not considered.
Perhaps I'll give them a try.
I installed Eterm on all of my machines, and copied my ~/.Eterm
directory to all machines. Then, if I run `ssh -Xf host Eterm` I get an
Eterm running on that machine, which then enables me to launch X
applications on that machine, yet have them displayed locally.
It seems that your idea would allow that as well, but in a more secure
fashion.
Thanks again!
--
***** Matthew Powell *******************************
****** http://www.franoculator.com *****************
******* Visit us on #cola on irc.oftc.net **********
matt1629 (225) | 11/10/2003 2:41:37 PM
Peter Jensen blubbered effusively on Mon, 10 Nov 2003 at 09:05 GMT:
> Sinister Midget wrote:
>
>>> To test it out, try to `ssh hostname` and if all went well, you will
>>> be given a prompt on the remote machine, without typing that
>>> password.
>>
>> One can get confused pretty quickly if this is done in a circular
>> fashion. I just ssh'ed from machine 1 to machine 2 to machine 3, back
>> to machine 2, to machine 1, to machine 3, to machine 2, to machine 3,
>> to machine 1, to machine 2, to machine 1, to machine 3, to machine 2,
>> to machine 3 to machine 1. All without a password.
>
> To limit confusion, I have differently colored prompts on the different
> machines. That obviously has its limits, but with only two machines
> it's a snap. The brain reads the colors way before the text, so
> identification is effortless.
I haven't set that bit up yet. I've been trying to get my son's linux
box set up to be more useful to a 4-year-old. So I've been editing
menus, putting on restrictions, installing, etc.
Dad's needs come later. Much later.
I generally try to get by with a couple of shell windows open at any
time anyway for shelling to the other machines. I try to keep those
shell backgrounds different from the ones I use strictly for local use.
>> I keep a short alias on all of them for "exit" so I don't have to
>> type so much.
>
> You mean, like ^D? Not exactly a lot of typing involved there ...
Yeah, that's pretty tough.
--
Nimda - Innovative Microsoft peer-to-peer software.
sm9906 (323) | 11/10/2003 4:47:53 PM
begin <BsNrb.2499$vJ3.8@okepread05>,
Franoculator <matt@morpheus.franoculator.com> writes:
> Roy Culley spilled his alphabet soup on the floor,
> and the letters spelled:
>> begin <n3Drb.8$vJ3.2@okepread05>,
>> Franoculator <matt@morpheus.franoculator.com> writes:
>>>
>>> For some time now, I have been using ssh on my local network without
>>> having to type a password to access my other machines.
>
> [snip self]
>
>> It is a very bad idea to not give a passphrase. It means your secret
>> key is not encrypted. There is a solution for what you want and that
>> is ssh-agent and ssh-add. You only need to give the passphrase once
>> when running ssh-add.
>>
>> To make it work from any shell you start do something like this:
>>
>> ssh-agent >/tmp/ssh-agent-env
>> . /tmp/ssh-agent-env
>> ssh-add
>>
>> In your .bashrc file have a line:
>>
>> . /tmp/ssh-agent-env
>>
>> This is much more secure and you only need to type your passphrase once.
>>
>> You could also look into keychain written by Gentoo's Daniel Robbins:
>>
>> http://www.gentoo.org/proj/en/keychain.xml
>> http://www-106.ibm.com/developerworks/library/l-keyc.html
>
> You do bring up some interesting points that I had not considered.
> Perhaps I'll give them a try.
>
> I installed Eterm on all of my machines, and copied my ~/.Eterm
> directory to all machines. Then, if I run `ssh -Xf host Eterm` I get an
> Eterm running on that machine, which then enables me to launch X
> applications on that machine, yet have them displayed locally.
You don't need to run the Eterm. Just replace it with the X app you
want to run. Or just ssh without giving any app and you are logged
on. You can also configure ssh_config and sshd_config so that you
don't need the '-X'. There's an excellent book on ssh.
SSH, The Secure Shell: The Definitive Guide -- by Daniel J. Barrett,
Richard Silverman
There are really cool things you can do with ssh. Say you need to
log in from host A to host C via host B. As long as B and C are running
sshd you can do it with a single command. Then the port forwarding is
brilliant as well. I've said it before, ssh is one of the best admin
tools ever.
rgc (755) | 11/10/2003 9:22:57 PM
In article <87s381-eie.ln1@grendel.myth>, Jim Richardson wrote:
> Nice writeup! All the details, none of the fluff :)
Well...one detail was missing: why you would *want* to do that, rather than
use a passphrase, and use ssh-agent if you want to reduce the need for
typing the passphrase.
I'd only use a key without a passphrase for automated access, such as remote
backups, and that key would be restricted to just that application.
--
Evidence Eliminator is worthless. See evidence-eliminator-sucks.com
--Tim Smith
reply_in_group (10240) | 11/10/2003 11:18:48 PM
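Tim Smith's "key restricted to just that application" spelled out, as an added example and not code from the thread: restrict_key builds the authorized_keys entry using sshd's command=, from= and no-* options, and unrestricted_keys audits an existing file for keys that still hand out a full shell. Function names, paths and hosts are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread.  Tim Smith's "key restricted to just
# that application" in concrete terms: sshd honours options placed in front
# of a key in authorized_keys, so a passphrase-less backup key can be pinned
# to one program (command=), one source network (from=) and stripped of the
# PTY and forwardings a batch job never needs.  Paths and hosts are made up.

# restrict_key PUBKEY_LINE COMMAND FROM_PATTERN
# Prints the authorized_keys entry for PUBKEY_LINE with those restrictions.
restrict_key() {
    printf 'command="%s",from="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$2" "$3" "$1"
}

# unrestricted_keys FILE
# Audit helper: prints the comment of every key in FILE that has no forced
# command, i.e. every key that still hands out an interactive shell.
unrestricted_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        {
            # the option field ends at the first space outside double quotes
            inq = 0; opts = ""
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (c == "\"") inq = !inq; else if (c == " " && !inq) break
                opts = opts c
            }
            # a line that starts with the key type has no option field
            if (opts ~ /^(ssh-|ecdsa-|sk-)/) opts = ""
            if (opts !~ /command=/) print $NF
        }' "$1"
}

# Demo: the entry you would paste into the backup server's authorized_keys
if [ "${1:-}" = "--demo" ]; then
    restrict_key "ssh-rsa AAAAconstructed== backup@client" \
        "/usr/local/bin/run-backup --full" "192.168.1.*"
fi
```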
In article <ubf481-8l8.ln1@gentoo.linux.src>, Roy Culley wrote:
> This is much more secure and you only need to type your passphrase once.
Often overlooked is the useful -t switch to ssh-add, which lets you specify
a time limit, e.g., "ssh-add -t 7200". That will add your keys for 7200
seconds. Useful if you don't need to use them constantly, and want to limit
exposure if you walk away from your computer with the keys loaded.
I also have a cron job that runs at night, a little after I normally leave
the office, that deletes my keys from ssh-agent, just in case I forget
before going home.
--
Evidence Eliminator is worthless. See evidence-eliminator-sucks.com
--Tim Smith
reply_in_group (10240) | 11/10/2003 11:24:51 PM
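Roy Culley's ssh-agent recipe and Tim Smith's ssh-add -t from the reply above, combined as an added example that is not code from either post: the agent's environment is saved under ~/.ssh with mode 600 instead of /tmp, a still-running agent is reused at the next login instead of a new one being started, and keys are loaded with a lifetime. Function names, the env file location and the fake-agent hook used for offline testing are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: Roy Culley's ssh-agent-env recipe and
# Tim Smith's "ssh-add -t" combined into one function for ~/.bashrc.
# Changes from the posted recipe: the env file lives in ~/.ssh with mode 600
# rather than world-readable /tmp, an agent that is still running is reused
# instead of a fresh one being started (and leaked) on every login, and keys
# are loaded with a lifetime so they expire by themselves if you walk away.
# File name and the fake-agent hook used for offline testing are assumptions.

# agent_alive FILE: load FILE into this shell and succeed only if it names a
# live agent: the PID still exists and the socket is still there.
agent_alive() {
    [ -r "$1" ] || return 1
    . "$1" >/dev/null
    [ -n "$SSH_AGENT_PID" ] || return 1
    kill -0 "$SSH_AGENT_PID" 2>/dev/null || return 1
    [ -S "$SSH_AUTH_SOCK" ]
}

# start_agent FILE [AGENT_CMD]: run AGENT_CMD (default "ssh-agent -s"), keep
# its "VAR=...; export VAR;" output in FILE readable by the owner only, then
# load it.  AGENT_CMD is a hook so the logic can be exercised without sshd.
start_agent() {
    file=$1
    agent_cmd=${2:-"ssh-agent -s"}
    ( umask 077; $agent_cmd > "$file" ) || return 1
    . "$file" >/dev/null
}

# use_agent [FILE] [LIFETIME]: call this from ~/.bashrc.  Reuses a live agent
# or starts one, then asks for the passphrase once and keeps the key loaded
# for LIFETIME seconds (default 7200, the figure from the reply above).
use_agent() {
    file=${1:-$HOME/.ssh/agent.env}
    lifetime=${2:-7200}
    agent_alive "$file" || start_agent "$file" || return 1
    # ssh-add -l exits non-zero when no identity is loaded (or agent is gone)
    ssh-add -l >/dev/null 2>&1 || ssh-add -t "$lifetime"
}
```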
Datagram from Sinister Midget incoming on netlink socket
<slrnbqucp5.nlv.sm@home.harry.net>. Dumping datagram.
>
> One can get confused pretty quickly if this is done in a circular
> fashion. I just ssh'ed from machine 1 to machine 2 to machine 3, back
> to machine 2, to machine 1, to machine 3, to machine 2, to machine 3,
> to machine 1, to machine 2, to machine 1, to machine 3, to machine 2,
> to machine 3 to machine 1. All without a password.
That reminded me that I once opened about 30 (I don't remember exactly)
nesting SSH sessions for fun... I was simultaneously logged in to at least
28 machines.
-Ilari
--
Weapon is powerful enough if after demonstrating it, need to use it
never arises because everybody fears it... -- Ilari Liusvaara
Linux LK_Perkele_IV9 2.4.22-rc3 #2 Sun Aug 24 14:36:19 EEST 2003 i686 unknown
7:10pm up 58 days, 8:04, 11 users, load average: 0.05, 0.07, 0.09
noaddress1 (288) | 11/13/2003 2:12:28 PM
On 2003-11-13, Ilari Liusvaara <noaddress@porn.org> wrote:
>
> That reminded me that I once opened about 30 (I don't remember exactly)
> nesting SSH sessions for fun... I was simultaneously logged in to at least
> 28 machines.
Didn't I read about you in "The Cuckoo's Nest"?
--
Windows desktops and servers can find a safe haven on a
GNU/Linux/FreeBSD network!
iso | 11/14/2003 4:16:00 AM