This a real time example of configuring
password less access for two users . The user ‘web’ in this case needs a secure
password less access to another user suresh in a server ‘onlinetraining’
.
.
Follow the Steps to configure secure password less
access
Check the current ssh connectivity status for suresh@onlinetraining from localhost
[web@localhost ~]$ ssh suresh@onlinetraining
suresh@onlinetraining’s password:
Permission denied, please try again.
As expected it prompted for password
suresh@onlinetraining’s password:
Permission denied, please try again.
As expected it prompted for password
1. Generate the public key private key
pair
Generate the public key private key pair for the local host as following , Press enter for default file names and no
pass phrase options. The command here generates RSA type keys.
Generate the public key private key pair for the local host as following , Press enter for default file names and no
pass phrase options. The command here generates RSA type keys.
[web@localhost ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/web/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/web/.ssh/id_rsa.
Your public key has been saved in /home/web/.ssh/id_rsa.pub.
The key fingerprint is:
5e:30:d3:1a:00:c5:0b:29:96:ac:3e:42:20:dc:af:38 web@localhost.localdomain
Generating public/private rsa key pair.
Enter file in which to save the key (/home/web/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/web/.ssh/id_rsa.
Your public key has been saved in /home/web/.ssh/id_rsa.pub.
The key fingerprint is:
5e:30:d3:1a:00:c5:0b:29:96:ac:3e:42:20:dc:af:38 web@localhost.localdomain
You can run the command ssh-keygen from any
directory but the id files will be generated in .ssh dir of user’s home
directory.
2. Change directory to .ssh directory.
[web@localhost ~]$ cd /home/web.ssh
You will see two files starting with id_rsa. id_rsa is the private key and id_rsa.pub is public key. Check the date time stamp of these files to make sure these are the ones you generated recently.
You will see two files starting with id_rsa. id_rsa is the private key and id_rsa.pub is public key. Check the date time stamp of these files to make sure these are the ones you generated recently.
/.ssh[web@localhost .ssh]$ ls -la
total 32
drwx—— 2 web web 4096 Dec 7 22:05 .
drwx—— 34 web web 12288 Dec 7 22:04 ..
-rw——- 1 web web 1675 Dec 7 22:05 id_rsa
-rw-r–r– 1 web web 407 Dec 7 22:05 id_rsa.pub
-rw-r–r– 1 web web 391 Dec 7 22:03 known_hosts
total 32
drwx—— 2 web web 4096 Dec 7 22:05 .
drwx—— 34 web web 12288 Dec 7 22:04 ..
-rw——- 1 web web 1675 Dec 7 22:05 id_rsa
-rw-r–r– 1 web web 407 Dec 7 22:05 id_rsa.pub
-rw-r–r– 1 web web 391 Dec 7 22:03 known_hosts
/.ssh[web@localhost .ssh]$ date
Tue Dec 7 22:05:45 PST 2010
Tue Dec 7 22:05:45 PST 2010
3. Copy the rsa public key to the remote
host . You have to copy the
public key file in to .ssh of the user home directory and if .ssh directory is
not there , create it as in the example below.
You need to enter sftp/ssh password .
You need to enter sftp/ssh password .
/.ssh[web@localhost .ssh]$ sftp suresh@onlinetraining
Connecting to onlinetraining…
suresh@onlinetraining’s password:
sftp> pwd
Remote working directory: /home/suresh
sftp> cd .ssh
Couldn’t canonicalise: No such file or directory
sftp> mkdir .ssh
sftp> cd .ssh
sftp> put id_rsa.pub
Uploading id_rsa.pub to /home/suresh/.ssh/id_rsa.pub
id_rsa.pub 0% 0 0.0KB/s –:– ETAid_rsa.pub 100% 407 0.4KB/s 00:00
sftp>
Connecting to onlinetraining…
suresh@onlinetraining’s password:
sftp> pwd
Remote working directory: /home/suresh
sftp> cd .ssh
Couldn’t canonicalise: No such file or directory
sftp> mkdir .ssh
sftp> cd .ssh
sftp> put id_rsa.pub
Uploading id_rsa.pub to /home/suresh/.ssh/id_rsa.pub
id_rsa.pub 0% 0 0.0KB/s –:– ETAid_rsa.pub 100% 407 0.4KB/s 00:00
sftp>
4. login to the remote host with
password
Once file is copied over , login to the remote
host using ssh and password and go to .ssh directory under user home directory.
/.ssh[web@localhost .ssh]$ ssh suresh@onlinetraining
suresh@onlinetraining’s password:
/.ssh[web@localhost .ssh]$ ssh suresh@onlinetraining
suresh@onlinetraining’s password:
suresh@onlinetraining:~[suresh@onlinetraining
~]$ cd .ssh
[mailto:suresh@onlinetraining:~/.ssh%5bsuresh@onlinetraining]suresh@onlinetraining:~/.ssh[suresh@onlinetraining .ssh]$ pwd
/home/suresh/.ssh
[mailto:suresh@onlinetraining:~/.ssh%5bsuresh@onlinetraining]suresh@onlinetraining:~/.ssh[suresh@onlinetraining .ssh]$ pwd
/home/suresh/.ssh
[mailto:suresh@onlinetraining:~/.ssh%5bsuresh@onlinetraining]suresh@onlinetraining:~/.ssh[suresh@onlinetraining
.ssh]$ ls -l
total 4
-rw-r–r– 1 suresh suresh 407 Dec 7 22:06 id_rsa.pub
total 4
-rw-r–r– 1 suresh suresh 407 Dec 7 22:06 id_rsa.pub
5. Rename the public key file to
authorized_keys ;
if the authorized_keys file already exists then append the new keys to the existing file using,
cat id_rsa.pub >> authorized_keys .
Don’t use vi or editor to open , append and save these key files as any extra character/newline would corrupt these files.
if the authorized_keys file already exists then append the new keys to the existing file using,
cat id_rsa.pub >> authorized_keys .
Don’t use vi or editor to open , append and save these key files as any extra character/newline would corrupt these files.
[mailto:suresh@onlinetraining:~/.ssh%5bsuresh@onlinetraining]suresh@onlinetraining:~/.ssh[suresh@onlinetraining.ssh]$
mv id_rsa.pub authorized_keys
You can see the contents using cat command
[mailto:suresh@onlinetraining:~/.ssh%5bsuresh@onlinetraining]suresh@onlinetraining:~/.ssh[suresh@onlinetraining.ssh]$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArVWhE0L2FXNvmggZgqmGU
LVrcE4X7WQr6scSuU5FCQUsXzYjyOL8FbUIIkBeLLMIrV7mYa+
xuszHcvnAho/42/e4r5by8LVMyh0AAo7nketemkO/2ZiUXZhww7tySxgcI5U5L5PDmTCyF7vxLlJ0rGb7Ky//DtpKrBui5P4gIrKBeiA2TlbEL9UrQZ8HgTU3iSGtfUXH0O
26iLSWi6Tf40hEazvvVYESHPSBjUPIMqUGabtz1kKMDQB5x
C+F2MZ4lUCmgK2NexrhVWOrp7ODS1GlKsjSv6NSxOIVW0je
V00ZW9Fvgz865g+fakBITqYP76ptPIVXEps+91ABRSwggQ== web@localhost.localdomain
You can see the contents using cat command
[mailto:suresh@onlinetraining:~/.ssh%5bsuresh@onlinetraining]suresh@onlinetraining:~/.ssh[suresh@onlinetraining.ssh]$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArVWhE0L2FXNvmggZgqmGU
LVrcE4X7WQr6scSuU5FCQUsXzYjyOL8FbUIIkBeLLMIrV7mYa+
xuszHcvnAho/42/e4r5by8LVMyh0AAo7nketemkO/2ZiUXZhww7tySxgcI5U5L5PDmTCyF7vxLlJ0rGb7Ky//DtpKrBui5P4gIrKBeiA2TlbEL9UrQZ8HgTU3iSGtfUXH0O
26iLSWi6Tf40hEazvvVYESHPSBjUPIMqUGabtz1kKMDQB5x
C+F2MZ4lUCmgK2NexrhVWOrp7ODS1GlKsjSv6NSxOIVW0je
V00ZW9Fvgz865g+fakBITqYP76ptPIVXEps+91ABRSwggQ== web@localhost.localdomain
6. Change the key file and directory
permissions
ssh is very sensitive to permissions so you
have to change the key file and directory permissions for it to work.
6a : Change authorized_keys to 600 permissions
[mailto:suresh@onlinetraining:~/.ssh%5bsuresh@onlinetraining]suresh@onlinetraining:~/.ssh[suresh@onlinetraining.ssh]$ chmod 600 authorized_keys
[mailto:suresh@onlinetraining:~/.ssh%5bsuresh@onlinetraining]suresh@onlinetraining:~/.ssh[suresh@onlinetraining.ssh]$ ls -ltr
total 8
-rw-r–r– 1 suresh suresh 407 Dec 7 22:06 id_rsa.pub
-rw——- 1 suresh suresh 407 Dec 7 22:08 authorized keys
[mailto:suresh@onlinetraining:~/.ssh%5bsuresh@onlinetraining]suresh@onlinetraining:~/.ssh[suresh@onlinetraining.ssh]$ chmod 600 authorized_keys
[mailto:suresh@onlinetraining:~/.ssh%5bsuresh@onlinetraining]suresh@onlinetraining:~/.ssh[suresh@onlinetraining.ssh]$ ls -ltr
total 8
-rw-r–r– 1 suresh suresh 407 Dec 7 22:06 id_rsa.pub
-rw——- 1 suresh suresh 407 Dec 7 22:08 authorized keys
[mailto:suresh@onlinetraining:~/.ssh%5bsuresh@onlinetraining]suresh@onlinetraining:~/.ssh[suresh@onlinetraining
.ssh]$ cd ..
6b : Change .ssh directory to 700 permission
suresh@onlinetraining:~[suresh@onlinetraining ~]$ chmod 700 .ssh
suresh@onlinetraining:~[suresh@onlinetraining ~]$ chmod 700 .ssh
6c :Verify permissions and log out .
suresh@onlinetraining:~[suresh@onlinetraining ~]$ logout
Connection to localhost closed.
suresh@onlinetraining:~[suresh@onlinetraining ~]$ logout
Connection to localhost closed.
8. Moment of truth : Try a ssh
/.ssh[web@localhost .ssh]$ ssh suresh@onlinetraining
Last login: Tue Dec 7 22:07:04 2010 from localhost.localdomain
suresh@onlinetraining:~[suresh@onlinetraining ~]$ pwd
/home/suresh
/.ssh[web@localhost .ssh]$ ssh suresh@onlinetraining
Last login: Tue Dec 7 22:07:04 2010 from localhost.localdomain
suresh@onlinetraining:~[suresh@onlinetraining ~]$ pwd
/home/suresh
Here we have no password secure access working
.
The most common problems can be
The most common problems can be
1. Incorrect permission for .ssh and
authorized_keys file
2. Corrupt key file , regenerate and copy
again.