LinuxQuestions.org
Old 02-25-2014, 06:47 AM   #1
rohitchauhan
password-less SSH (special case)


Hi guys,
My question is about passwordless SSH.

Is it possible that a system generates a key, and whichever system has that key should be able to SSH to that system,
but
this SSH should be passwordless?

Note: I think it is possible with Amazon servers, where they give you a key (like .pem, .ppk or similar) and whoever has that key can access their server.

Any ideas?

Thanks.
 
Old 02-25-2014, 07:02 AM   #2
TenTenths
Quote:
Originally Posted by rohitchauhan
Is it possible that a system generates a key, and whichever system has that key should be able to SSH to that system,
but
this SSH should be passwordless?
Yes, this is possible.
 
Old 02-25-2014, 07:02 AM   #3
acid_kewpie
I'm not seeing a special case here; is this not just default preshared keys?
 
Old 02-25-2014, 07:29 AM   #4
szboardstretcher
On a Linux system (CentOS in my case) you would follow these steps:

Code:
ssh-keygen
(answer the questions; an empty passphrase gives a key that prompts for nothing)
ssh-copy-id username@yourserver.com
(appends ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys on the server)
That will give you access to that server using SSH keys; you can leave the key without a password if you wish.

Also, one file it creates is something.pub, which contains the plaintext key you would put on a server that you wish to access using your corresponding private-key file.

I like to think of the public key as the LOCK, and the private key as the KEY.

A quick Google search for 'passwordless ssh' will give you examples for any OS you can think of.
 
Old 02-26-2014, 12:52 PM   #5
rohitchauhan
Hi,
Thanks for sharing your thoughts.

TenTenths:
Could you please elaborate on the process? How can I do that on my RHEL systems?

acid_kewpie:
Please let me explain to you how it is not a normal case!

Generally, what we do for password-less SSH is this:
Suppose there are two systems. One is a physical system (server) and one is my laptop (both run Linux).

Now, I want to SSH from my laptop to that server.

For that, I will create a key pair on my laptop (id_rsa, id_rsa.pub) without any passphrase (so that it is password-less). I will copy my laptop's '.pub' key to the server system as the 'authorized_keys' file, and I will be able to SSH to that server system from my laptop without a password.

So far so good.

But now consider the scenario where there are multiple laptops that want to SSH to that server (password-less); then I am supposed to create a key pair on each laptop and copy each '.pub' key to that server. That could be problematic, because if a particular laptop is no longer required to SSH to that server, I will have to remove that laptop's public key from the server's 'authorized_keys' file. Doing the same thing every time is not good.

The solution could be that a key is provided by the server to any laptop owner.
If the owner has that key, he will be able to SSH to that server; otherwise not.

That's what I asked in my question: "is it possible that a system (server) generates a key and whichever system has that key should be able to SSH to that system".

So this is not the normal case that we usually do.


szboardstretcher:
Thanks for the solution, but the solution you have provided does not fit the situation.

According to your solution, I should create a key pair on my laptop and copy the '.pub' key to the server, which I don't want to do (as mentioned in my earlier paragraph). (I want a somewhat reversed process.)


#############

I think I have found a possible solution.

Sharing it with you guys:

Code:
Server1:
# cd /root/.ssh/
# ssh-keygen
(press Enter at every prompt: default file name, empty passphrase)
# cp id_rsa.pub authorized_keys
(note: cp overwrites any keys that were already in authorized_keys)
# scp id_rsa <client_IP>:/root/.ssh/system1
(this copies the server's private key to the client)
# eval $(ssh-agent)
(to initialize the agent)

Client (laptop):
# cd /root/.ssh/
# eval $(ssh-agent)
(starts an agent for the current shell session only)
# ssh-add /root/.ssh/system1
(loads the copied private key into the agent)
# ssh-add -l
(will show the added server key fingerprint)
# ssh <server_IP>
Success.
The only problem I am having with this solution is that it fails if I reboot the system.
Every time I have to follow the whole procedure, which is not good.

Any comments on this, guys?

Thanks.
 
Old 02-26-2014, 01:00 PM   #6
szboardstretcher
As far as I can tell, you've done exactly what I explained, but in a less efficient manner.
 
Old 02-26-2014, 01:03 PM   #7
szboardstretcher
Quote:
But now consider the scenario where there are multiple laptops that want to SSH to that server (password-less); then I am supposed to create a key pair on each laptop and copy each '.pub' key to that server. That could be problematic, because if a particular laptop is no longer required to SSH to that server, I will have to remove that laptop's public key from the server's 'authorized_keys' file. Doing the same thing every time is not good.
Yes, this is called security. You DO NOT want to use ONE key for everyone. You want to use individual keys.

There is no one that is going to agree that using one ROOT SSH key for X people is a good idea. You are doing it wrong and you need to stop and think about the consequences.

Seriously.

Last edited by szboardstretcher; 02-26-2014 at 02:29 PM.
 
Old 02-26-2014, 01:11 PM   #8
suicidaleggroll
Let me get this straight...

The standard method is that each client has its own key, and the keys for all authorized clients are added to the authorized_keys file on the server. If you want to add a client, you add its key to the authorized_keys file. If you want to remove a client, you remove its key from the authorized_keys file.

You want to replace this system with one in which there is ONE key required to access the server, and that same key is distributed to every client that you want to grant access. Adding a client means sending this shared key to the client. Removing a client means generating a new key on the server, and sending it to every single client EXCEPT the one whose access you want to remove.

How on earth is this better or more efficient than the standard way? It's akin to assigning every employee in an organization the same login and password, and having to change that shared login and password for everybody in the entire organization every time an employee quits or gets fired. The logistical and security nightmare this would introduce boggles the mind.

Last edited by suicidaleggroll; 02-26-2014 at 01:14 PM.
 
Old 02-26-2014, 01:14 PM   #9
Firerat
You can have multiple 'lines' in the authorized_keys file,

one for each key.


Instead of
Code:
cp id_rsa.pub authorized_keys
use
Code:
cat id_rsa.pub >> authorized_keys
>> appends to the file;
a single > would overwrite it.

And you shouldn't need to use eval $(ssh-agent);

just a simple ssh-agent should suffice, but in all honesty, I don't see why it is needed at all.



As already pointed out, no 'special case' here, you are doing very standard things in a complicated way.

https://access.redhat.com/site/docum...-keypairs.html
see
Quote:
5. Copy the content of ~/.ssh/id_rsa.pub into the ~/.ssh/authorized_keys on the machine to which you want to connect, appending it to its end if the file already exists.
It doesn't explicitly tell you how; I think the writer(s) assume the reader already has the 'basics'.


EDIT:

Please note the chmod commands in the link I gave; they are important for the security of your keys.

Last edited by Firerat; 02-26-2014 at 01:21 PM.
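Firerat's point just above (one line per key, append with >>, never overwrite) and the add-a-client / remove-a-client bookkeeping suicidaleggroll describes in #8 are exactly what ssh-copy-id does on the server side. The script below is an added example for this thread, not code posted by anyone in it: it grants and revokes a client's public key in an authorized_keys file by key material, refuses duplicates, and creates the file owner-only so StrictModes does not reject it. The key lines in the demo are constructed placeholders, not real keys, and the script assumes plain "keytype base64 comment" lines with no options= prefix.

```shell
#!/bin/sh
# Per-client key management for ~/.ssh/authorized_keys: one line per client,
# append to grant, delete the matching line to revoke.
# Added example for this thread, not any poster's code. Assumes plain
# "keytype base64 comment" lines (no options= prefix), so field 2 is the key
# material that sshd actually compares.

# key_granted FILE KEYMAT : exit 0 if some line carries this key material.
key_granted() {
    awk -v k="$2" '$2 == k { found = 1 } END { exit !found }' "$1"
}

# grant_key FILE "keytype base64 comment"
# Appends the key unless the same key material is already present; returns 1
# on a duplicate so a caller can tell "already granted" from "granted now".
# Note >> (append): a single > or cp would wipe every other client's line.
grant_key() {
    file=$1
    key=$2
    keymat=$(printf '%s\n' "$key" | awk '{ print $2 }')
    # sshd (StrictModes) ignores an authorized_keys that others can write, so
    # create ~/.ssh as 0700 and the file as 0600 if they do not exist yet.
    ( umask 077; mkdir -p "$(dirname "$file")"; : >> "$file" )
    if key_granted "$file" "$keymat"; then
        return 1
    fi
    printf '%s\n' "$key" >> "$file"
}

# revoke_key FILE KEYMAT : drop every line carrying this key material.
# Writes to a temp file first and copies back over the original, so the
# file keeps its mode and a crash never leaves it half-written.
revoke_key() {
    file=$1
    keymat=$2
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -v k="$keymat" '$2 != k' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# count_keys FILE : number of active key lines (blank and # lines ignored).
count_keys() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# Demo with constructed placeholder keys (not real keys): sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    f=$(mktemp -d)/authorized_keys
    grant_key "$f" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAlice alice@laptop1"
    grant_key "$f" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleBob bob@laptop2"
    echo "granted: $(count_keys "$f")"
    # alice's laptop is retired: only her line goes, bob keeps access
    revoke_key "$f" AAAAC3NzaC1lZDI1NTE5AAAAIExampleAlice
    echo "after revoke: $(count_keys "$f")"
    cat "$f"
fi
```

Revoking by key material rather than by the comment field matters because the comment is free text that the client chose; two laptops can both say "root@laptop" and only the base64 blob is unique.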
 
Old 02-26-2014, 01:27 PM   #10
Smokey_justme
@rohitchauhan: OK, you seem to be confused about what you're doing... What you want is not a 'reverse process' of key authentication... Rather, you simply want to:

1) As you said... create a key, give it access and provide it to everyone (it won't matter if multiple laptops connect with the same key)... But as you were already told... this will be less secure and even troubling when you want to restrict someone's access.

-- or --

2) Create one key per user... Actually, I don't understand why everyone doesn't have their own account? That's the proper way to do it (and trust me, there's nothing special about it).

Please keep in mind that (from the commands you've shown us) you're giving root access... 'root' shouldn't even be allowed to connect remotely (not even through SSH).

P.S. The efficient way is that everyone creates a key on their laptop... and installs it in their user account on the server... See the first post from 'szboardstretcher' for the two commands needed to do this.

Last edited by Smokey_justme; 02-26-2014 at 01:31 PM.
 
Old 02-26-2014, 01:34 PM   #11
suicidaleggroll
Quote:
Originally Posted by Smokey_justme
Please keep in mind that (from the commands you've shown us) you're giving root access... 'root' shouldn't even be allowed to connect remotely (not even through SSH).
YIKES! I didn't even notice that.

Granting ssh access to root is bad
Granting passwordless ssh access to root is even worse
Granting passwordless ssh access to root for anybody who holds the magic key is quite possibly the worst security setup I have seen mentioned on this or any other forum
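Smokey_justme's and suicidaleggroll's objection is to root logging in remotely at all, and to password logins being left on beside the keys. As an added example for this thread (not code from any poster), the script below reads an sshd_config the way sshd itself does, where the first occurrence of a keyword wins and later duplicates are silently ignored, and flags PermitRootLogin and PasswordAuthentication. The two sample configs it writes are constructed for the demo; the "Keyword value" form of sshd_config is assumed, and Match blocks are skipped since they can only add conditional overrides.

```shell
#!/bin/sh
# Audit an sshd_config for the two settings this thread warns about: root
# allowed to log in remotely, and password logins still enabled next to keys.
# Added example for this thread, not any poster's code. Assumes the
# "Keyword value" form (not Keyword=value) and ignores Match blocks.

# sshd_effective FILE KEYWORD
# Prints the value sshd uses for KEYWORD, lower-cased, or nothing if unset.
# sshd takes the FIRST occurrence of a keyword and ignores later duplicates,
# so a "PermitRootLogin no" appended at the end does nothing if a "yes"
# sits above it. Everything after the first Match line is conditional and
# is skipped here.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0  { next }          # comment or blank line
        tolower($1) == "match"       { inmatch = 1 }   # rest of file is conditional
        inmatch                      { next }
        tolower($1) == key && !found { found = 1; print tolower($2) }
    ' "$1"
}

# audit_sshd FILE : prints one finding per weak setting, returns 1 if any.
audit_sshd() {
    f=$1
    rc=0
    prl=$(sshd_effective "$f" PermitRootLogin)
    case "${prl:-unset}" in
        no) ;;
        unset)
            echo "PermitRootLogin unset: OpenSSH before 7.0 defaults this to yes"; rc=1 ;;
        without-password|prohibit-password)
            echo "PermitRootLogin $prl: root is still reachable by anyone holding a key"; rc=1 ;;
        *)
            echo "PermitRootLogin $prl: log in as a personal user and use sudo"; rc=1 ;;
    esac
    pa=$(sshd_effective "$f" PasswordAuthentication)
    if [ "$pa" != no ]; then
        echo "PasswordAuthentication ${pa:-unset}: a guessable password bypasses the key setup"; rc=1
    fi
    return $rc
}

# write_samples DIR : constructed sample configs for the demo and the test.
# In the weak one the trailing "PermitRootLogin no" is ignored by sshd
# because "yes" came first; the Match block only applies to user deploy.
write_samples() {
    cat > "$1/sshd_config.weak" <<'EOF'
# constructed sample, not a real server's config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
Match User deploy
    PermitRootLogin no
EOF
    cat > "$1/sshd_config.hardened" <<'EOF'
# constructed sample, not a real server's config
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
EOF
}

# Demo: sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    write_samples "$d"
    for c in weak hardened; do
        echo "== sshd_config.$c"
        audit_sshd "$d/sshd_config.$c" && echo "ok"
    done
fi
```

On a live box run it as audit_sshd /etc/ssh/sshd_config; the first-match rule is the reason "I added PermitRootLogin no at the bottom" so often changes nothing until someone also removes the earlier line.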
 
Old 02-26-2014, 02:15 PM   #12
Firerat
Hell, I didn't see that either!
 
Old 02-26-2014, 02:29 PM   #13
szboardstretcher
Due to some fancy editing, I can say that I noticed that before.
 
Old 02-26-2014, 11:58 PM   #14
rohitchauhan
Thanks to everyone for their valuable replies.

szboardstretcher:
1. Yes, you are right. I know that there are serious security concerns. I understand that sharing the server's private key is not a good idea, but I will have to go ahead with that. I understand that, but unfortunately I cannot do much about it other than telling my client about them.

2. Giving root access is required, as there are a few people on the development team who need root access (we can consider them trustworthy). So giving password-less root access can be allowed, at least until the project finishes. I don't know why the client is not using sudo, but that's their concern.

3. The working solution for me:
Code:
Server1 (IP: 192.168.1.13):
# cd /root/.ssh/
# ssh-keygen
(press Enter at every prompt: default file name, empty passphrase)
# cp id_rsa.pub authorized_keys
# scp id_rsa 192.168.1.64:/root/.ssh/system1
(copies the server's private key to the client; it must be mode 0600 there or ssh will refuse to use it)

Client (IP: 192.168.1.64):
# cd /root/.ssh
# cat >> config <<'EOF'
Host 192.168.1.13
        User root
        IdentityFile    /root/.ssh/system1
EOF
(ssh reads IdentityFile directly, so no agent is involved and the setup survives a reboot)
# ssh 192.168.1.13
Done.
The same process can be done for multiple servers.

Very many thanks to everyone again.
 
Old 02-27-2014, 07:52 AM   #15
sundialsvcs
If managing the keys is a problem, remember also that you can configure SSH to use keys obtained from an LDAP server.

The bottom line here, though, is that you do want each authorized user to be uniquely identified, using a unique certificate that is issued only to him, is therefore identified as being "his," and can be individually revoked or replaced. That is what keys are for. It is of no advantage to you at all merely that the exchange between the two systems is encrypted. You need to be able to open and to shut the door to recognizable, and recognized, individuals.
 
  

