Monday, November 2, 2009

Quick login with SSH and SSHMenu

Often I use ssh for remote servers control. I must remember a lots of password. I decided solve the problem. For login to servers I will use client certificate and applet SSHmenu.


First I generate the certificate in my personal notebook:

/usr/bin/ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/home/tomas/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/tomas/.ssh/id_rsa.
Your public key has been saved in /home/tomas/.ssh/id_rsa.pub.
The key fingerprint is:
e0:40:a5:2b:b9:ba:24:ae:a3:bb:fe:30:9a:81:30:c6 tomas@homer
The key's randomart image is:
+--[ RSA 2048]----+
| ... |
| . . |
| o . |
|. . + . |
|oEo . . S |
|+. o |
|++. |
|*+o |
|&B.. |
+-----------------+

For question: Enter file in which to save the key I push enter and for question:Enter passphrase I push enter too. I want certificate out of passphrase, but it is not recommended using a private key without a passphrase. (see comments of grantmclean below article)

In folder /home/tomas/.ssh I find files.

-rw------- 1 tomas tomas 1675 2009-11-02 17:43 id_rsa
-rw-r--r-- 1 tomas tomas 392 2009-11-02 17:43 id_rsa.pub

You notice files permission and owner. It is important.


Now is neccessary copy public certificate(id_rsa.pub) from personal notebook to server. After advice of grantmclean (in comments) I use for copy command ssh-copy-id

/usr/bin/ssh-copy-id jurman@akela.cz

Now I set values for ssh daemon in server in file /etc/ssh/sshd.config. In config file I rewrite following rows:

# allow used public rsa certificate (only for protocol 2)
PubkeyAuthentication yes

# deny root login
PermitRootLogin no

# deny password authentication
PasswordAuthentication no

I restart ssh daemon and try login from my notebook to server:

ssh jurman@akela.cz

If I don´t fill the passphrase then I must not write password. Now I am login to server.

Now I can copy the public certificate in other servers too. Your private certificate(id_rsa) You must protect very well. (see comments of grantmclean below article)

In my notebook I install this applet SSHmenu. After setting this applet I can login to server from my notebook in one click.

1 comment:

  1. I really don't recommend using a private key without a passphrase - if someone steals your computer then they'll be able to log on to any computer where you have installed your public key. Even if you set up a key with a passphrase, you can still get passwordless logins - after you enter your passphrase once, the SSH agent on your computer will remember it so you don't have to type it in again.

    Also the ssh-copy-id command can be used to copy your public key to a server and install it in the correct file with the correct permissions. There is no need to change the configuration for the 'AuthorizedKeysFile'.

    See the instructions here: http://sshmenu.sourceforge.net/articles/key-setup.html

    ReplyDelete