http://www.thegeekstuff.com/2008/10/perform-ssh-and-scp-without-password-from-ssh2-to-openssh/
we discussed how to setup ssh key based authentication to perform ssh and scp without password under the following three scenarios:
- OpenSSH to OpenSSH Perform SSH and SCP Without Entering Password on openSSH
In this article, I’ll explain how to perform ssh and scp without entering the password using the SSH Public Key authentication with SSH Agent on openSSH
There are two levels of security in the SSH key based authentication. In order for you to login, you need both the private key and the passphrase. Even if one of them is compromised, attacker still cannot login to your account, as both of them are needed to login. This is far better than typical password based authentication, where if the password is compromised, attacker can gain access to the system.
There are two ways to perform ssh and scp without entering the password:
- No passphrase. While creating key pair, leave the passphrase empty. Use this option for the automated batch processing. for e.g. if you are running a cron job to copy files between machines this is suitable option.
- Use passphrase and SSH Agent. If you are using ssh and scp interactively from the command-line and you don’t want to use the password everytime you perform ssh or scp, I don’t recommend the previous option (no passphrase), as you’ve eliminated one level of security in the ssh key based authentication. Instead, use the passphrase while creating the key pair and use SSH Agent to perform ssh and scp without having to enter the password everytime as explained in the steps below.
Following 8 steps explains how to perform SSH and SCP from local-host to a remote-host without entering the password on openSSH system
1. Verify that local-host and remote-host is running openSSH
[local-host]$ ssh -V OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006 [remote-host]$ ssh -V OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 20062. Generate key-pair on the local-host using ssh-keygen
[local-host]$ ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/jsmith/.ssh/id_rsa):<Hit enter> Enter passphrase (empty for no passphrase): <Enter your passphrase here> Enter same passphrase again:<Enter your passphrase again> Your identification has been saved in /home/jsmith/.ssh/id_rsa. Your public key has been saved in /home/jsmith/.ssh/id_rsa.pub. The key fingerprint is: 31:3a:5d:dc:bc:81:81:71:be:31:2b:11:b8:e8:39:a0 jsmith@local-hostThe public key and private key are typically stored in .ssh folder under your home directory. In this example, it is under /home/jsmith/.sshd. You should not share the private key with anybody.
By default the ssh-keygen on openSSH generates RSA key pair. You can also generate DSA key pair using: ssh-keygen -t dsa command.
3. Install public key on the remote-host.
Copy the content of the public key from the local-host and paste it to the /home/jsmith/.ssh/authorized_keys on the remote-host. If the /home/jsmith/.ssh/authorized_keys already has some other public key, you can append this to the end of it. If the .ssh directory under your home directory on remote-host doesn’t exist, please create it.
[remote-host]$ vi ~/.ssh/authorized_keys
ssh-rsa ABIwAAAQEAzRPh9rWfjZ1+7Q369zsBEa7wS1RxzWR jsmith@local-hostIn simple words, copy the local-host:/home/jsmith/.ssh/id_rsa.pub to remote-host:/home/jsmith/.ssh/authorized_keys
4. Give appropriate permission to the .ssh directory on the remote-host.
[remote-host]$ chmod 755 ~/.ssh
[remote-host]$ chmod 644 ~/.ssh/authorized_keys5. Login from the local-host to remote-host using the SSH key authentication to verify whether it works properly.
[local-host]$ <You are on local-host here> [local-host]$ ssh -l jsmith(username of remote-host) remote-host
Enter passphrase for key '/home/jsmith/.ssh/id_rsa': <Enter your passphrase here>
Last login: Sat Jun 07 2008 23:03:04 -0700 from 192.168.1.102
No mail. [remote-host]$ <You are on remote-host here>6. Start the SSH Agent on local-host to perform ssh and scp without having to enter the passphrase several times.
Verify whether SSH agent is already running, if not start it as shown below.
[local-host]$ ps -ef | grep ssh-agent
511 9789 9425 0 00:05 pts/1 00:00:00 grep ssh-agent
[local-host]$ ssh-agent $SHELL
[local-host]$ ps -ef | grep ssh-agent
511 9791 9790 0 00:05 ? 00:00:00 ssh-agent /bin/bash
511 9793 9790 0 00:05 pts/1 00:00:00 grep ssh-agent7. Load the private key to the SSH agent on the local-host.
[local-host]$ ssh-add
Enter passphrase for /home/jsmith/.ssh/id_rsa: <Enter your passphrase here>
Identity added: /home/jsmith/.ssh/id_rsa (/home/jsmith/.ssh/id_rsa)Following are the different options available in the ssh-add:
- ssh-add <key-file-name>: Load a specific key file.
- ssh-add -l: List all the key loaded in the ssh agent.
- ssh-add -d <key-file-name>: Delete a specificy key from the ssh agent
- ssh-add -D: Delete all key
8. Perform SSH or SCP to remote-home from local-host without entering the password.
[local-host]$<You are on local-host here> [local-host]$ ssh -l jsmith remote-host
Last login: Sat Jun 07 2008 23:03:04 -0700 from 192.168.1.102
No mail. <ssh did not ask for passphrase this time> [remote-host]$ <You are on remote-host here>
2. OpenSSH to SSH2This article explains how to setup SSH key based authentication between different version of SSH (from openSSH to SSH2) to perform ssh and scp without entering password.
1. Verify the local-host and remote-host SSH version.
In this example, local-host is running on openSSH and remote-host is running on SSH2.
[local-host]$ ssh -V OpenSSH_5.0p1, OpenSSL 0.9.8g 19 Oct 2007 [remote-host]$ ssh -V ssh: SSH Secure Shell 3.2.9.1 (non-commercial version) on i686-pc-linux-gnu [remote-host]$ ls -l /usr/local/bin/ssh lrwxrwxrwx 1 root root 4 Mar 10 22:04 /usr/local/bin/ssh -> ssh22. Generate key-pair on the local-host using ssh-keygen
[local-host]$ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/jsmith/.ssh/id_rsa):<Hit enter> Enter passphrase (empty for no passphrase): <Enter your passphrase here> Enter same passphrase again:<Enter your passphrase again> Your identification has been saved in /home/jsmith/.ssh/id_rsa. Your public key has been saved in /home/jsmith/.ssh/id_rsa.pub. The key fingerprint is: 3b:2a:d2:ac:8c:71:81:7e:b7:31:21:11:b8:e8:31:ad jsmith@local-hostThe public key and private key are typically stored in .ssh folder under your home directory. In this example, it is under /home/jsmith/.sshd. You should not share the private key with anybody.
By default the ssh-keygen on openSSH generates RSA key pair. You can also generate DSA key pair using: ssh-keygen -t dsa command.
3. Convert openSSH public key to SSH2 public key.
On local-host that is running openSSH, convert the openSSH public key to SSH2 public key using ssh-keygen as shown below.
[local-host]$ ssh-keygen -e -f ~/.ssh/id_rsa.pub > ~/.ssh/id_rsa_ssh2.pub4. Install the public-key on the remote-host that is running SSH2.
Create a new public key file on remote-host and copy paste the converted SSH2 key from the local-host.
[remote-host]$ vi ~/.ssh2/local-host_ssh2_key.pub
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted from OpenSSH by jsmith@local-host"
DDDDB3NzaC1yc2EAAAABDmbrdomPh9rWfjZ1+7Q369zsBEa7wS1RxzWRQ0Bmr9FSplI
3ADBEBC/6cbdf/v0r6Cp5y5kusP07AOzo2F7MBDSZBtS/MbYJiIxvocoaxG2bQyz3yYjU
YcpzGMD182bnA8kRxmGg+R5pVXM34lx3iSSgd8r3RzZKnDpEvEInnI7pQvUBoEbYCXPUeZ
LQvQAkz6+Pb6SsNp-dop/qgv9qyfbyMz1iKUZGadG146GtanL5QtRwyAeD187gMzzrGzMFP
LWjdzWpGILdZ5gq7wwRpbcXFUskVrS2ZjDe676XlTN1k5QSZmSYUuttDdrjB5SFiMpsre8
a7cQuMS178i9eDBEC==
---- END SSH2 PUBLIC KEY ----Add the above public key file name to the authorization file on the remote-host as shown below.
[remote-host]$ vi ~/.ssh2/authorization
Key local-host_ssh2_key.pub5. Verify the Login from the local-host to remote-host using the SSH2 key authentication.
[local-host]$ ssh -l jsmith remote-host <You are on local-host here> The authenticity of host 'local-host' can't be established. DSA key fingerprint is a5:f6:2e:e6:a9:b2:7b:0e:e7:ae:cb:6c:7b:f5:6d:06. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'local-host' (DSA) to the list of known hosts. Enter passphrase for key '/home/jsmith/.ssh/id_rsa': <Enter your passphrase here> Last login: Sat Jun 21 2008 23:13:00 -0700 from 192.168.1.102 No mail. [remote-host]$ <You are on remote-host here>There are two ways to perform ssh and scp without entering the password:
- No passphrase. While creating key pair, leave the passphrase empty. Use this option for the automated batch processing. for e.g. if you are running a cron job to copy files between machines this is suitable option. You can skip the next step steps for this method.
- Use passphrase and SSH Agent. If you are using ssh and scp interactively from the command-line and you don’t want to use the password everytime you perform ssh or scp, I don’t recommend the previous option (no passphrase), as you’ve eliminated one level of security in the ssh key based authentication. Instead, use the passphrase while creating the key pair and use SSH Agent to perform ssh and scp without having to enter the password everytime as explained in the steps below.
6. Start the SSH Agent on local-host
The SSH Agent will be running in the background to hold the private keys and perform ssh and scp without having to enter the passphrase several times.
[local-host]$ ssh-agent $SHELL7. Load the private key to the SSH agent on the local-host.
[local-host]$ ssh-add Enter passphrase for /home/jsmith/.ssh/id_rsa:<Enter your passphrase here> Identity added: /home/jsmith/.ssh/id_rsa (/home/jsmith/.ssh/id_rsa)8. Perform SSH or SCP to remote-home from local-host without entering the password.
[local-host]$<You are on local-host here> [local-host]$ ssh -l jsmith remote-host Last login: Sat Jun 07 2008 23:03:04 -0700 from 192.168.1.102 No mail. <ssh did not ask for passphrase this time> [remote-host]$ <You are on remote-host here>
3. SSH2 to SSH2
In this article, I’ll explain how to setup the key based authentication on SSH2and perform SSH/SCP without entering password using the following 10 steps.
1. Verify that the local-host and remote-host are running SSH2. Please note that ssh and scp is a symbolic link to ssh2 and scp2 respectively as shown below.[local-host]$ ls -l /usr/local/bin/ssh /usr/local/bin/scp lrwxrwxrwx 1 root root 4 Mar 10 22:04 /usr/local/bin/scp -> scp2 lrwxrwxrwx 1 root root 4 Mar 10 22:04 /usr/local/bin/ssh -> ssh2 [local-host]$ ssh -V ssh: SSH Secure Shell 3.2.9.1 (non-commercial version) on i686-pc-linux-gnu [remote-host]$ ls -l /usr/local/bin/ssh /usr/local/bin/scp lrwxrwxrwx 1 root root 4 Mar 10 22:04 /usr/local/bin/scp -> scp2 lrwxrwxrwx 1 root root 4 Mar 10 22:04 /usr/local/bin/ssh -> ssh2 [remote-host]$ ssh -V ssh: SSH Secure Shell 3.2.9.1 (non-commercial version) on i686-pc-linux-gnu
2. Generate key-pair on the local-host using ssh-keygen2. Typically ssh-keygen will be a soft-link to the ssh-keygen2 as shown below.[local-host]$ ls -l /usr/local/bin/ssh-keygen lrwxrwxrwx 1 root root 11 Mar 10 22:04 /usr/local/bin/ssh-keygen -> ssh-keygen2 [local-host]$ ssh-keygen Generating 2048-bit dsa key pair 2 oOo.oOo.oOo. Key generated. 2048-bit dsa, jsmith@local-host, Sat Jun 21 2008 23:10:20 -0700 Passphrase :<Enter the passphrase> Again : Private key saved to /home/jsmith/.ssh2/id_dsa_2048_b Public key saved to /home/jsmith/.ssh2/id_dsa_2048_b.pubThe public key and private key are stored in .ssh2 folder under your home directory. In this example, it is under /home/jsmith/.ssh2. You should not share the private key with anybody.
By default the ssh-keygen2 generates DSA key pair. You can also generate RSA key pair using: ssh-keygen -t rsa command.
3. Giver proper permission to the .ssh2 directory as shown below.[local-host]$ chmod 755 ~/.ssh2/ [local-host]$ chmod 644 ~/.ssh2/id_dsa_2048_b.pub [local-host]$ chmod 644 ~/.ssh2/authorization4. Identify the private-key on the client machine. On the local-host, add the private key to the SSH2 identification file as shown below. If the identification file not present, create a new file. If the file is present, append the private key file-name that is generated from the above step to the identification file in the “IdKey {private-key file-name}” format as shown below.
[local-host]$ cat /home/jsmith/.ssh2/identification IdKey id_dsa_2048_a IdKey id_dsa_2048_b5. Copy the public key to remote-host.
Copy the /home/jsmith/.ssh2/id_dsa_2048_b.pub file from the local-host to the remote-host /home/jsmith/.ssh2/id_dsa_2048_b.pub. You can perform a vi /home/jsmith/.ssh2/id_dsa_2048_b.pub on the remote-host and copy the content of the public key from the local-host.
[remote-host]$ cat /home/jsmith/.ssh2/id_dsa_2048_b.pub ---- BEGIN SSH2 PUBLIC KEY ---- Subject: jsmith Comment: "2048-bit dsa, jsmith@local-host, Sat Jun 21 2008 23:10:\ 20 -0700" BCDEB3NzaC1kc3MAAAEBAMNH6MnHGNzNcuXWuQrGljZsObQq5SknOpLOreXq2GVeSIspX0 S1q7W63VGVDBD9ZVvZzg3UhzsPp6m/WPS53QAxlpQvTLCepipl1LILeOZRnYw+xXzEGgqa HggXhTy7Z1BMtB1dSlXT2Q1gdvRkvZ0hmlMXH0ktj7U81lKEkzYj8E/E1PZIJsBHAXbYms q7ftNTd7Gf1mSfbWIG7NIyOZ4i2qSZpQayuvB3MFQXy8lz25NGVq18zoFV4THtzV6ABvHL IJXEObZUgdUXJXQg49oeXvE6tyaqSUU7tUbp06ZgI/BcFGmbk9FDoC5gy30S5RBPpAJ5II vsfksnJRt+8R0AAAAVAJcTY6u2Em0Eo5I7X6yL1W+Di+rpAAABAELiJqtn2flgjA926TQk 3af14zSGFHut5kZjsMKUf+3Jj3p5MTiWVglgwWYLXcrG258l5GVPzdgF2d7Z9Bu1RUsdBo rU5LURvF1cZqC5V+9PD6hlH1iYuULUIbAaIfH6SXuk2KwQ/pEh1Q+lXUj6cCfLwe+yLcvZ YKLGdi2MvurUKmVRik3RpaB9wcuKbLjkp1rFZGr9skDAc2hYfpM0uF+6UEz6LXWKIvLJeO Iro6VL3MkJTxXb/Xu5/77TrT+Iz8+5cbALM3EdBOlJa1HcpPXnSKakB3Wo/Ljzf41GZPc/ Y6u09soNsnAHdv9y9gMhj1054sPwNCEJAy4eaWWsqkMAAAEBAL6eolWH4AGuB2/lPu79B0 ufgaU6BQfxED7rItf/lDhtsfHl77u6URxwQzvSV2CNJJ17WkdQoJmGfTVoSduNXOAgkQJU woB1ALzUfugbzLVxMXWUlmoQjvyoo4G9LMDdyP5qCbFXKsqkpY16N9xcUap5PgmcoF+dCv +hTjcC6f8j+BOy7zHYfyBnPGgSjKph9gjHyBEZiujPNkNmDXM+Mz7YeEd5HCtt1p55SBv6 wyePMAjf40ty7xcakj0Gk8c52W5yFwQjJw5EvruYW2s/1eNDXIY1IJOQKlUgOEQfon99a/ 8NO0BWLNiSCNdr3uHFkr68jeusASRWWvfxYU6uZ9c= ---- END SSH2 PUBLIC KEY ----6. Create authorization file on the remote-host as shown below. This autorization file should contain the name of the public key that was copied from local-host to remote-host as mentioned in the previous step. Please note that the format of this file is “Key {public-key file-name}“.
[remote-host]$ cat /home/jsmith/.ssh2/authorization Key id_dsa_2048_b.pub7. Login from the local-host to remote-host using the SSH2 key authentication to verify whether it works properly.
[local-host]$ ssh -l jsmith remote-host <You are on local-host here> Passphrase for key "/home/jsmith/.ssh2/id_dsa_2048_b" with comment "2048-bit dsa, jsmith@local-host, Sat Jun 21 2008 23:10:20 -0700": <Enter your passphrase here> Last login: Sat Jun 21 2008 23:13:00 -0700 from 192.168.1.102 No mail. [remote-host]$ <You are on remote-host here>There are two ways to perform ssh and scp without entering the password:
- No passphrase. While creating key pair, leave the passphrase empty. Use this option for the automated batch processing. for e.g. if you are running a cron job to copy files between machines this is suitable option. You can skip the next step steps for this method.
- Use passphrase and SSH Agent. If you are using ssh and scp interactively from the command-line and you don’t want to use the password everytime you perform ssh or scp, I don’t recommend the previous option (no passphrase), as you’ve eliminated one level of security in the ssh key based authentication. Instead, use the passphrase while creating the key pair and use SSH Agent to perform ssh and scp without having to enter the password everytime as explained in the steps below.
8. Start the SSH Agent on local-host to perform ssh and scp without having to enter the passphrase several times.
[local-host]$ ssh-agent $SHELL9. Load the private key to the SSH agent on the local-host.
[local-host]$ ssh-add Adding identity: /home/jsmith/.ssh2/id_dsa_2048_b.pub Need passphrase for /home/jsmith/.ssh2/id_dsa_2048_b (2048-bit dsa, jsmith@local-host, Sat Jun 22 2008 23:10:20 -0700). Enter passphrase: <Enter your passphrase here>10. Perform SSH or SCP to remote-home from local-host without entering the password.
[local-host]$<You are on local-host here> [local-host]$ ssh -l jsmith remote-host Last login: Sat Jun 07 2008 23:03:04 -0700 from 192.168.1.102 No mail. <ssh did not ask for passphrase this time> [remote-host]$ <You are on remote-host here>
6050
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
