LinuxQuestions.org


wh33t 06-08-2007 11:56 PM

SSH/SCP with no password
 
Hello all,

I'm trying to get my webserver to regularly SCP some files into a backup server at my house. The problem is that it requires a password and I don't want that in my cron script. I have read a plethora of material on RSA authentication and I can't seem to make this happen.

Here are some things I'd like clarified. To do password-less SSH connections I understand there are two keys made. One for the server, and one for the clients that I wish to allow to SSH in password free. Which key goes to which machine and in which directory does which key sit?

My home server is Ubuntu 6.04 Server edition. My webserver is Fedora Core 4 (it's dedicated, I have full root). Please tell me what I need to do to make this happen. Thanks so much.

daihard 06-09-2007 01:03 AM

Quote:

Originally Posted by wh33t
Here are some things I'd like clarified. To do password-less SSH connections I understand there are two keys made. One for the server, and one for the clients that I wish to allow to SSH in password free. Which key goes to which machine and in which directory does which key sit?

You run "ssh-keygen" to generate a pair of private/public key files. The private key file stays on your main computer. The public key file goes to the remote computer which you'd like to SSH into. The public key file should be appended to the file "authorized_keys," which should be in the ~/.ssh directory. To append your public key file to authorized_keys, you can run the following command, assuming your public key file is "id_rsa.txt" and is located in your $HOME directory. This command should be run on your remote machine. It means the public key file must be copied to it from your local computer.
Code:

$ pwd
/home/daihard
$ cat id_rsa.txt >> ~/.ssh/authorized_keys


wh33t 06-09-2007 01:07 AM

And what needs to be enabled on my client ssh_config and my sshd_config on my server?

I swear I've already tried to do exactly what you just said, except I never appended the file.
I just renamed my rsa_id.pub file to authorized_keys in my ~/.ssh/ directory on my webserver instead of cat >>.

daihard 06-09-2007 01:58 AM

Quote:

Originally Posted by wh33t
And what needs to be enabled on my client ssh_config and my sshd_config on my server?

I swear I've already tried to do exactly what you just said, except I never appended the file.
I just renamed my rsa_id.pub file to authorized_keys in my ~/.ssh/ directory on my webserver instead of cat >>.

I didn't have to do anything to those config files on any of my computers. It may be different with Ubuntu, though. (I use CentOS and Fedora Core.)

You might also want to make sure the permissions of the "~/.ssh" directory and the "~/.ssh/authorized_keys" file are set correctly. They should be set "drwx------" and "-rw-r--r--", respectively.
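
The append step from daihard's first reply and the permissions advice just above, combined into one script. This is an added example, not code posted in the thread; the function names, the option list and the key line are assumptions made for illustration, and it is meant to run on the machine being logged into.

```shell
#!/bin/sh
# Added example. Run on the machine being logged INTO (the backup server).

# install_pubkey HOME_DIR PUBKEY_FILE [OPTIONS]
# Appends the public key to HOME_DIR/.ssh/authorized_keys, keeping existing
# entries. OPTIONS is an optional authorized_keys option prefix.
install_pubkey() {
    home_dir=$1 pubkey_file=$2 options=${3:-}
    ssh_dir=$home_dir/.ssh
    auth=$ssh_dir/authorized_keys
    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }
    key=$(head -n 1 "$pubkey_file")
    case $key in
        ssh-*|ecdsa-*|sk-*) ;;   # a public key line
        *) echo "not a public key (private key?): $pubkey_file" >&2; return 1 ;;
    esac
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # Idempotent: do nothing if this key is already authorised.
    grep -qF -- "$key" "$auth" || printf '%s\n' "${options:+$options }$key" >> "$auth"
}

# check_ssh_perms HOME_DIR
# Reports paths that are group- or world-writable, which sshd's default
# StrictModes setting refuses. Returns 1 if any is found.
check_ssh_perms() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "writable by group or other: $p"
            rc=1
        fi
    done
    return $rc
}

# Demo in a scratch directory with a constructed (non-functional) key line.
demo=$(mktemp -d)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedExampleKeyOnly cron@webserver' > "$demo/id.pub"
install_pubkey "$demo" "$demo/id.pub" 'no-pty,no-port-forwarding,no-X11-forwarding'
check_ssh_perms "$demo" && echo "permissions OK"
cat "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```

Appending rather than renaming the .pub file keeps any keys already authorised, and the option prefix limits what a key used from an unattended cron job can do once logged in.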

wh33t 06-09-2007 02:00 AM

Why do permissions matter if I'm root on both sides and trying to scp a file as root? Could you please post a dump of your server's /etc/ssh/sshd_config for me. Obviously change any values that might be a security issue.

daihard 06-09-2007 02:07 AM

Quote:

Originally Posted by wh33t
Why do permissions matter if I'm root on both sides and trying to scp a file as root? Could you please post a dump of your server's /etc/ssh/sshd_config for me. Obviously change any values that might be a security issue.

If I understand correctly, the correct permissions must be set for SSH for security reasons. If .ssh is set so normal users can read its contents, then SSH will not allow you to log in with your passphrase (i.e. key).

Here's the dump of my /etc/ssh/sshd_config.
Code:

Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

UsePAM yes

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL

X11Forwarding yes

Subsystem        sftp        /usr/libexec/openssh/sftp-server

I removed all comments.

unSpawn 06-09-2007 06:46 AM

Quote:

Why do permissions matter if I'm root on both sides and trying to scp a file as root?
Enabling any remote root account access is a security risk and that's why root account access is disabled by default. Please understand those risks before dismissing best practices as just another nuisance. If you still want to enable remote root account access at least take appropriate precautions (wrt restrictions *and* auditing). Thanks.

wh33t 06-09-2007 09:04 AM

Yes. I understand there are security risks. But if someone really wants to hack either of my machines I'm sure they're getting in. I have chosen to use SCP/SSH instead of ftp as my security practice. Furthermore, Linux can be great but I find it is always sucking away countless hours of my time that I could spend a lot more efficiently. I can't afford to not get this system going and finish the project. Every delay costs me more time and money. When everything is finished and the system seems stable, I will have an expert go in and clean up any unnecessary risks I may have created.

**Edit**
I forgot to say I have chosen root users because I felt it would take less setup than figuring out which of my distros require which permissions on which authorized_keys file etc. Speaking of which... can anyone clear up what those permissions need to be and a handy command to set them?

I still cannot for the life of me get this to work. I did notice however that at one point I could ssh to my webserver from my backup machine without a password... however that is the process reversed lol, which is what I don't want. I tried everything in opposites too... *sigh*

daihard 06-09-2007 04:03 PM

Quote:

Originally Posted by wh33t
**Edit**
Speaking of which... can anyone clear up what those permissions need to be and a handy command to set them?

http://kmself.home.netcom.com/Linux/FAQs/sshrsakey.html

wh33t 06-09-2007 05:10 PM

Ok I finally got it working. I think some of the guides I was reading confused me, or perhaps the people who wrote them are confused themselves. Apparently the PUB key file goes to the server you are sshing into as the authorized key... I thought it was the other way around. PUBLIC would go to the public machines... maybe I think differently lol. Thanks all who offered their advice. I appreciate it.

daihard 06-09-2007 09:47 PM

Quote:

Originally Posted by wh33t
Apparently the PUB key file goes to the server you are sshing into as the authorized key... I thought it was the other way around. PUBLIC would go to the public machines... maybe I think differently lol. Thanks all who offered their advice. I appreciate it.

That's what I thought I'd written in my first reply, but I could have put it in a confusing manner. In any case, I'm glad you got it working. :cool:

wh33t 06-09-2007 11:38 PM

LOL well I appreciate the effort. I also messed around with my Ubuntu config so much I wasn't sure what was going on. So I reinstalled it and tried it backwards and voila!


All times are GMT -5.