OpenSSH? passwordless connections, the quick way
I have used that for a while, and it is time to write down some lines about it. This tip is inspired by three articles from Daniel Robbins, Chief Architect of Gentoo_ Linux. Daniel is an habitual writter on the Developersworks columns from IBM, where he has writted parts 1, 2 and 3 of a series covering OpenSSH key management. I will focus this tip on how to get OpenSSH to authenticate us between 2 hosts without promting a password, covering both RSA and DSA algorithms to perform the autentication. I will cover some explanations on RSA and DSA themselves (without too much details) and which is, in my oppinion the preferred one. The host are both running FreeBSD, but it would be applicable almost the same way if the boxes were OpenBSD, NetBSD, Linux_ or whatever unix-like system with OpenSSH on it. First, let's check the systems, the hosts are so called Silence and wyrmslayer, both with FreeBSD, as I have said before, and OpenSSH:
[Silence] ~> uname -ap FreeBSD Silence.codigo23.net 5.3-STABLE FreeBSD 5.3-STABLE #1: Mon Dec 13 17:30:21 CET 2004 wu@Silence.codigo23.net:/usr/obj/usr/src/sys/SILENCE i386 i386 [Silence] ~> ssh -v OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7d 17 Mar 2004 [Silence] ~> <wyrmslayer ~ > uname -ap FreeBSD wyrmslayer.e-shell.org 5.4-STABLE FreeBSD 5.4-STABLE #2: Tue May 10 18:18:35 CEST 2005 email@example.com:/usr/obj/usr/src/sys/WYRMSLAYER i386 i386 <wyrmslayer ~ > ssh -v OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e 25 Oct 2004 <wyrmslayer ~ >
Nice, both boxes have the same OpenSSH version installed (note the p from portable), compiled against different OpenSSL versions, but this will be not a problem. In this case, Silence will be the host I want to connect to, while wyrmslayer will be the host from where I try to connect.
From the Wikipedia:
In cryptography, RSA is an algorithm for public key encryption. It was the first algorithm known to be suitable for signing as well as encryption, and one of the first great advances in public key cryptography. RSA is still widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys.
It is a wide-spread algorithm, supported by both SSH protocol 1 and SSH protocol 2. Most https secure web servers out there use this algorithm to encrypt data, and it is perhaps the most common algorithm used in server certificates generation for most services (smtps, pop3s, imaps, etc). In order to use RSA authentication with OpenSSH?, we will need to generate a pair of public and private keys. The public key is used to encrypt data, while the private key is used to decrypt such data. The trick here is copy the public key to the host we want to authenticate to, while keeping our private key in our host. So, when we try to log in, the server, instead of asking us for a password, will use the public key to encrypt some data, then it sends such data to our host, which decrypts the data and resends it to the first host. This way the first host assumes our host has the proper private key, allowing us to log in without having to type a password.
Let's see the picture:
<wyrmslayer ~ > ssh-keygen -t rsa -b 1536 Generating public/private rsa key pair. Enter file in which to save the key (/home/wu/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/wu/.ssh/id_rsa. Your public key has been saved in /home/wu/.ssh/id_rsa.pub. The key fingerprint is: f5:04:69:fd:4b:d7:d1:21:79:71:ba:29:4e:d8:bd:64 firstname.lastname@example.org <wyrmslayer ~ > ls -l /home/wu/.ssh/ total 12 -rw------- 1 wu users 1273 May 12 00:44 id_rsa -rw-r--r-- 1 wu users 319 May 12 00:44 id_rsa.pub -rw-r--r-- 1 wu users 6691 May 6 19:18 known_hosts <wyrmslayer ~ >
The -t parameter tells ssh-keygen to generate a pair (public and private) of RSA keys, while the -b parameter sets the number of bits in the key, default value is 1024, which is considered secure enough so, why 1536?, 512b + for the paranoid... (you will see why if you keep reading). Take care of the Enter passphrase (empty for no passphrase): line. You could suply a passphrase here, which will be used to encrypt the private key. It would seems a good idea to secure our key, because if someone gets our key, but he/she/it doesn't know the passphrase, he/she/it will not be able to use it, but encrypting our private key with a passphrase will force us to provide the passphrase each time we need to use the key... and... you know what? we are trying to authenticate us without having to provide a password, isn't it? So, no passphrases here... Ok, so now we have our private key (id_rsa) and our public key (id_rsa.pub). The next step is copy the public key into the remote host, inside the home of the user we are going to log in as:
<wyrmslayer ~ > scp /home/wu/.ssh/id_rsa.pub wu@Silence:/home/wu/.ssh/id_rsa_wyrmslayer Password: id_rsa.pub 100% 319 0.3KB/s 00:00 <wyrmslayer ~ >
Then, as the user in the remote box, we add the public key to a list of authorized keys:
[Silence] ~/.ssh> ls -l total 16 -rw-r--r-- 1 wu users 319 12 may 02:12 id_rsa_wyrmslayer.pub -rw-r--r-- 1 wu users 13330 4 abr 19:19 known_hosts [Silence] ~/.ssh> cat id_rsa_wyrmslayer.pub > authorized_keys [Silence] ~/.ssh> ls -l total 18 -rw-r--r-- 1 wu users 319 12 may 02:16 authorized_keys -rw-r--r-- 1 wu users 319 12 may 02:12 id_rsa_wyrmslayer.pub -rw-r--r-- 1 wu users 13330 4 abr 19:19 known_hosts [Silence] ~/.ssh> cat authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAMEAvp+dCCgUT2TuB5Z5cT5b3YHaeXheRYvq64 Np5U7g8nrsY9H7mstVyxxWC6ifv/jnDsCg79XvK9WoT0mJPGH9RXDge2ImO/f1vu1wlfCr 2Q3ttjZK+8UzpTaBJe+Wu4KAWQkn29goAzPazgO77LQ+rgiROtl4hw5nHsKcnwWXZ79ZAZ YFy2xnrhrfmmj2sn5mWIMSdjpeuJhP5fRa6xhNeWDUnyCvWRJK+23BzJmLJQ5vm1KaAk9Q X0FRCWRCd7wh email@example.com [Silence] ~/.ssh>
And et voilá, next time we log into Silence from wyrmslayer as the user wu, no password prompts will appear:
<wyrmslayer ~ > ssh wu@Silence Last login: Thu May 12 00:58:35 2005 from 10.0.0.2 Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD 5.3-STABLE (SILENCE) #1: Mon Dec 13 17:30:21 CET 2004 Welcome to FreeBSD! _________ .___.__ ________ ________ _ ___ ____ __| _/|__| ____ ____ _____ _____ / / / _ / __ | | |/ ___ / _ / ____/ _(__ < ___( <_> ) /_/ | | / /_/ > <_> ) / ______ /____/____ | |_____ / ____/_______ /______ / / / /_____/ / / -- Internet Services server -- Want to know how many words, lines, or bytes are contained in a file? Type "wc filename". -- Dru [Silence] ~>
From the Wikipedia article:
The Digital Signature Algorithm (DSA) is a United States Federal Government standard for digital signatures. It was proposed by the National Institute of Standards and Technology (NIST) in August 1991 for use in their Digital Signature Standard (DSS), specified in FIPS 186, adopted in 1993. A minor revision was issued in 1996 as FIPS 186-1, and the standard was expanded further in 2000 as FIPS 186-2.
DSA is designed specifically to sign certificates, but due to a patent covering it until 1991, it was avoided in many cases. Only SSH protocol 2 supports DSA signed keys.
The way to use a DSA key to set the passwordless authentication is the very same as the RSA process. First you create a pair of public and private keys, then you have to copy the public key to the remote host and set the authorized_keys file in order to show sshd which keys are authorized.:
<wyrmslayer ~ > ssh-keygen -t dsa -b 1280 Generating public/private dsa key pair. Enter file in which to save the key (/home/wu/.ssh/id_dsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/wu/.ssh/id_dsa. Your public key has been saved in /home/wu/.ssh/id_dsa.pub. The key fingerprint is: a5:22:10:f5:0e:41:1a:4e:8f:c2:f7:a1:30:4c:1b:c7 firstname.lastname@example.org <wyrmslayer ~ > ls -l /home/wu/.ssh/ total 16 -rw------- 1 wu users 798 May 12 23:11 id_dsa -rw-r--r-- 1 wu users 743 May 12 23:11 id_dsa.pub -rw------- 1 wu users 1273 May 12 00:44 id_rsa -rw-r--r-- 1 wu users 319 May 12 00:44 id_rsa.pub -rw-r--r-- 1 wu users 6691 May 6 19:18 known_hosts <wyrmslayer ~ > scp /home/wu/.ssh/id_dsa.pub wu@Silence:/home/wu/.ssh/id_dsa_wyrmslayer.pub Password: id_dsa.pub 100% 743 0.7KB/s 00:00 <wyrmslayer ~ > ssh -l wu Silence Password: Last login: Fri May 13 00:18:33 2005 from 10.0.0.2 ... (stripped) ... [Silence] ~/.ssh> ls -l total 18 -rw-r--r-- 1 wu users 743 13 may 00:32 id_dsa_wyrmslayer.pub -rw-r--r-- 1 wu users 319 12 may 02:12 id_rsa_wyrmslayer.pub -rw-r--r-- 1 wu users 13330 4 abr 19:19 known_hosts [Silence] ~/.ssh> cat id_dsa_wyrmslayer.pub >> authorized_keys [Silence] ~/.ssh> ls -l total 20 -rw-r--r-- 1 wu users 743 13 may 00:37 authorized_keys -rw-r--r-- 1 wu users 743 13 may 00:32 id_dsa_wyrmslayer.pub -rw-r--r-- 1 wu users 319 12 may 02:12 id_rsa_wyrmslayer.pub -rw-r--r-- 1 wu users 13330 4 abr 19:19 known_hosts [Silence] ~/.ssh> cat authorized_keys ssh-dss AAAAB3NzaC1kc3MAAAChANUuE+2RpJH7xK5Jc+OsKFYQQ83E+FPuaUJlYkkCTz vHXTbYT61i9fQhrrOwQG2K5LqcxPxlgUKFRMkawNZ6hfV8hslLj9/yAy8Kj5fX7MyS7NQP 7S9Uzx/LftbnaBC0bYodawMn7TGB1/rP+BmiAd5VuP24C8VUG/ptRRFjwbiKhD0AYzlRWx Vc8+aWy0Lz+zR1rllLnyvV9RtU1FJqsx0AAAAVAItFLq6ipdg+1DkYrrwYx56kSCQbAAAA oDSg/3MX3iMnYa0b44oiz6FKyaIz6g0DFgcp8h8QknvAqRH3QyHZ9IJaBZmdCjfWSKCw8H pilhKuSSg/8iFcn1Ug+nJ25DmUtUP0ZkEkQS2q+lTtVJxaulfJHX6mqnhgS1wW9lRt04Qy LfdeU70+XUy6jt2Eg2zTZ2U0ixgEIIYHhOcID263yByvLK3pyvhaqpSpAYjDBGllgeIQZ4 k3sxkAAACgObvs9BKdq114fFO+khrVRj2nmZRIdFT2SCkxfhkAau1uwwVJerDHRbuZ4wLt 03W4Iq2wHpqkmswa+mC0O7uedkyYheeDJ7WEBQOp5x2ZQ2MhVL8VAe91Xn7vczRSA6U2Nz IVRsQAMVjje0QFVIPNMh8rzW1PUSpgYuSvpz692vlaoiQ/2ndSjU6ZySOE4wzLJjgWPUBS VHPpMySZndGiTg== email@example.com [Silence] ~/.ssh>
And once again, you can log in to the remote host without having to supply a password.
Ok, at this point it is possible that you have the same thoughts as me, which one is the best signing algorithm?, which one may I use?.
It is difficult to answer such a question, but perhaps this link help you a lot. There, Adrian Bocaniciu explains some interesting things about both RSA and DSA, and what use he in which situations.
The two links I have provided from the Wikipedia have a lot of information and links that points to more sites about this digital signature algorithms.
And finally, if you are very interested in RSA and DSA in particular, and cryptography in general, let me suggest you to buy this book, and this one and probably this one too (this one has a nice chapter about DSA).
Let me finish the tip with an advice, this is a quick method to get passwordless authentication with OpenSSH?, but it is not the best one, keep in mind that if someone breaks into your local host account, direct access will be granted to the attacker on the remote host!.
Fortunately, there is a way to get a more secure approach, but that is another story...