Tuesday, April 10, 2012

Multiple passwordless ssh logins


We discussed passwordless authentication (passwordless logins) in our previous post. But what if you have to allow more than one host to log in to a server without a password? Then you have to add the dsa/rsa public keys of the initiating servers to the authorized_keys file on the destination server.
Suppose we have three systems, A, B and C, and we want to log in to system C from A and B without a password.

All we have to do is

1. Generate a dsa/rsa key on system A and copy it to the authorized_keys file of C.
2. Generate a dsa/rsa key on system B and APPEND that key to the authorized_keys file of C.

Generating the key in system A:
[root@nagios ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
14:13:25:f1:c6:ed:51:c6:08:a4:3f:af:eb:2c:80:97 root@nagios.lap.work

Copying the key to the authorized_keys of system C:
[root@nagios ~]# scp /root/.ssh/id_rsa.pub 192.168.137.85:/root/.ssh/authorized_keys
The authenticity of host '192.168.137.85 (192.168.137.85)' can't be established.
RSA key fingerprint is 63:6d:4a:08:b4:b4:19:3c:d0:58:f3:60:8a:ec:7a:a0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.137.85' (RSA) to the list of known hosts.
root@192.168.137.85's password:
id_rsa.pub                                                                              100%  402     0.4KB/s   00:00
[root@nagios ~]#

Checking the key from the system C:
[root@test ~]# cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAydSsh5wlG/lvWFeZcI+Rlxr2hTWJ4diU7b1/OsDWE72goA72eIx+tfzg6/aT4vPbWA8GC8arK6XxLOWJbv2Y5tFRGmXwn+Trw3RzWOHFT76NTv6NP+SCvBciwTr55Tt6jIgGrVu6f/pBvU8tIgctu/5efH611w/pToIJbezlooJ/1GGWaydEc3eTJernwzia5UMEsRGIztT6GN8zqkVtKIRhql3y2lQjgg3jA4ceAXwJ8h49xFuo8ZIEo4mWmEwW8Kn2VaTnJVh/YsO7tMRs8KsWXonbTm0vtD2OQv59Lswjs5fMmBv0EGZJvZ3uDypQw/IH33MWKbAotwQ1fewbiw== root@nagios.lap.work
[root@test ~]#

Now creating the key in system B:
[root@server ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
5e:7f:e6:bc:3e:bc:9f:65:2f:b3:95:89:d6:0e:9d:5f root@server.lap.work
[root@server ~]#

Now APPENDING the key of system B to the authorized_keys of system C (do not copy it over the file, as that will overwrite the key of system A):
First we will copy the key to a file abc.txt on system C.
Then we will append the file abc.txt to the authorized_keys of system C.

[root@server ~]# scp /root/.ssh/id_rsa.pub 192.168.137.85:/root/.ssh/abc.txt
The authenticity of host '192.168.137.85 (192.168.137.85)' can't be established.
RSA key fingerprint is 63:6d:4a:08:b4:b4:19:3c:d0:58:f3:60:8a:ec:7a:a0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.137.85' (RSA) to the list of known hosts.
root@192.168.137.85's password:
id_rsa.pub                                                                              100%  402     0.4KB/s   00:01
[root@server ~]#

Now in system C:
[root@test ~]# cat .ssh/abc.txt
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAys2LlRFyQZay+9QWaCT6mS7gmM6qN0GzCGM7AXAMlEDWHUSmXSC9EPih4uOAGH6IWGqRk7EVerVEMq39vVchDAE5B3nMofQkc2fAlC9Ct/5+TirQaQxmHCN0If6O+RlO4F3hVhqX7d0ZNjJhvWLezRXsXkZY+g0215nd+qeZSz39N8NtkKBuuYW7LFdEU8dmiUaFrUjkBpZYuP5THaGqD/wZr8Pxf7t/MIpRbkuleP7b6S8kEreR9AdDX5DWJOy3qqxZzJVfXgYH6wq/MDuY14X+p1zJjzqQRV8cD7rA2Q8WQy4R7oBAJvZk9Q5gkyt50rDfiMXLPYF1myrfo/kDpQ== root@server.lap.work
[root@test ~]#

Appending the key in the file abc.txt to authorized_keys:
[root@test ~]# cat .ssh/abc.txt >> .ssh/authorized_keys

Now checking the authorized_keys:
[root@test ~]# cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAydSsh5wlG/lvWFeZcI+Rlxr2hTWJ4diU7b1/OsDWE72goA72eIx+tfzg6/aT4vPbWA8GC8arK6XxLOWJbv2Y5tFRGmXwn+Trw3RzWOHFT76NTv6NP+SCvBciwTr55Tt6jIgGrVu6f/pBvU8tIgctu/5efH611w/pToIJbezlooJ/1GGWaydEc3eTJernwzia5UMEsRGIztT6GN8zqkVtKIRhql3y2lQjgg3jA4ceAXwJ8h49xFuo8ZIEo4mWmEwW8Kn2VaTnJVh/YsO7tMRs8KsWXonbTm0vtD2OQv59Lswjs5fMmBv0EGZJvZ3uDypQw/IH33MWKbAotwQ1fewbiw== root@nagios.lap.work
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAys2LlRFyQZay+9QWaCT6mS7gmM6qN0GzCGM7AXAMlEDWHUSmXSC9EPih4uOAGH6IWGqRk7EVerVEMq39vVchDAE5B3nMofQkc2fAlC9Ct/5+TirQaQxmHCN0If6O+RlO4F3hVhqX7d0ZNjJhvWLezRXsXkZY+g0215nd+qeZSz39N8NtkKBuuYW7LFdEU8dmiUaFrUjkBpZYuP5THaGqD/wZr8Pxf7t/MIpRbkuleP7b6S8kEreR9AdDX5DWJOy3qqxZzJVfXgYH6wq/MDuY14X+p1zJjzqQRV8cD7rA2Q8WQy4R7oBAJvZk9Q5gkyt50rDfiMXLPYF1myrfo/kDpQ== root@server.lap.work
[root@test ~]#

Now checking the passwordless login from A to C:
[root@nagios ~]# ssh 192.168.137.85 ls
anaconda-ks.cfg
Desktop
install.log
install.log.syslog
[root@nagios ~]#

Now checking the passwordless login from B to C:
[root@server ~]# ssh 192.168.137.85 ls
anaconda-ks.cfg
Desktop
install.log
install.log.syslog
[root@server ~]#
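
The append step above, written as a small helper to run on system C (an added example, not part of the original post; the function name add_authorized_key, the scratch paths and the key lines are constructed for illustration). It appends one public key without touching existing entries, skips a key that is already present, and sets the permissions sshd expects:

```shell
#!/bin/sh
# Added example: append one public key to authorized_keys without
# overwriting existing entries. Function name and paths are assumptions.

# add_authorized_key PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Prints "added" or "present"; returns 2 if the input is not a public key line.
add_authorized_key() {
    pub=$1
    auth=$2
    # A .pub file holds one key: "<type> <base64 blob> [comment]".
    line=$(grep -v '^[[:space:]]*$' "$pub" | head -n 1)
    printf '%s\n' "$line" | grep -Eq \
        '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/]+={0,2}( .*)?$' \
        || return 2
    blob=$(printf '%s\n' "$line" | awk '{print $2}')

    # With StrictModes (the default), sshd refuses an authorized_keys file
    # that is group- or world-writable, so set the modes explicitly.
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"

    # Match on the key blob, so a changed comment does not create a duplicate.
    if awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 }
                         END { exit !f }' "$auth"; then
        echo present
        return 0
    fi
    # Start on a fresh line if the file lacks a trailing newline, then append.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        printf '\n' >> "$auth"
    fi
    printf '%s\n' "$line" >> "$auth"
    echo added
}

# Demo in a scratch directory with constructed (not real) key lines.
demo=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDEMOKEYA== root@hostA.example' > "$demo/a.pub"
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDEMOKEYB== root@hostB.example' > "$demo/b.pub"
add_authorized_key "$demo/a.pub" "$demo/ssh/authorized_keys"
add_authorized_key "$demo/b.pub" "$demo/ssh/authorized_keys"   # A's entry is kept
add_authorized_key "$demo/b.pub" "$demo/ssh/authorized_keys"   # no duplicate
rm -rf "$demo"
```

The ssh-copy-id script shipped with OpenSSH performs the same append from the client side.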

You should not expose your keys to others. My system is for testing use and the domain is private. That is why I don't mind sharing them.

