Wednesday, December 14, 2011

Adding SSH keys to automate login

So we want the mybooks to autologin using a long keyfile. Later on we will remove the option to log in using a password for the SSH setup (basically hardening the SSH setup).

Start on Nebula.despro.lan. We need to repeat this procedure on Orion.despro.lan.

On Nebula.despro.lan

Let's move over to the special .ssh directory

root@nebula:~# cd ~
root@nebula:~# cd .ssh/
root@nebula:~/.ssh# ls -1
root@nebula:~# touch authorized_keys
Next generate a SSH keypair: ssh-keygen -b 4096 -N '' -t rsa -f id_rsa
root@nebula:~# ssh-keygen -b 4096 -N '' -t rsa -f id_rsaGenerating public/private rsa key pair.Your identification has been saved in id_rsa.Your public key has been saved in key fingerprint is:90:74:ae:c9:24:7f:4c:46:3f:08:77:54:1b:23:d9:fb root@Nebula

root@nebula:~/.ssh# ls -1
id_rsa ? private key ? public key

ssh-keygen -b 4096 -N '' -t rsa -f id_rsa This command generates a new long keyfile with NO passphrase, filetype RSA and filename id_rsa. This will take a couple of minutes, so please be patient with your computer, it's a slow little computer you know. When done you should have two new files called id_rsa and This is a SSH keypair, both a public key and a private key. So now we copy over the public keyfile from the Nebula.despro.lan to Orion.despro.lan.

Execute the next four commands.
ssh root@Orion.despro.lan 'mkdir .ssh'cat ~/.ssh/ | ssh root@Orion.despro.lan 'cat >> .ssh/authorized_keys'ssh root@Orion.despro.lan 'chmod -R go-rwx .ssh'ssh root@Orion.despro.lan 'chmod go-rwx ~'

Or Copy from Nebula.despro.lan (ssh Client) to Orion.despro.lan (ssh Server) using rsync, scp or ssh-copy-id.

for Rsync
root@nebula:~/.ssh# rsync -i root@orion.despro.lan:/tmproot@nebula:~/.ssh# ssh root@orion.despro.lanroot@orion.despro.lan's password: *****
Now You are inside Orion.despro.lan
root@orion:~/.ssh# cat /tmp/ >> /root/.ssh/authorized_keys
for ssh-copy-id
root@nebula:~/.ssh# ssh-copy-id -i ~/.ssh/ orion.despro.lan
root@orion.despro.lan's password: *****
Now try logging into the machine, with "ssh 'orion.despro.lan'", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting. And ssh-copy-id will copy your public key into the authorized_keys file of your user on that remote system. From now on when you ssh to that system, you won’t need to enter a password.

Final Step
root@Orion:~/ chmod -R go-rwx .ssh
root@Orion:~/ chmod go-rwx ~
Now trying to ssh to the Orion.despro.lan, you should now login to Orion.despro.lan without password.
Now go back to the beginning, log on to Orion.despro.lan and repeat this procedure of generating keys and copying the public key over to Nebula.despro.lan. When you have keys generated on both boxes, and copied over the public key into the authorized_keys. Now you should be able to log on using ssh without the need to enter a password, instead the private key is used to authenticate the session.

Rsync via ssh-automatic-logon
and type in remoteuser@remotehost's password when prompted. I do need to make sure that remoteuser has read permissions to /remote/dir/ on remotehost, and that thisuser has write permissions to /this/dir/ on thishost. Also, 'rsync' and 'ssh' should be in this user's path (use "which ssh" and "which rsync"), 'rsync' should be in remoteuser's path, and 'sshd' should be running on remotehost.

$ rsync -avz -e ssh remoteuser@remotehost:/remote/dir /this/dir/

Referensi Referensi 01

No comments: