How to configure SSH to log in without typing a password

From Wiki-UX.info

Abstract

This document is based on a January 2005 Tek-tips forum post (http://www.tek-tips.com/faqs.cfm?fid=5600). It follows the same steps detailed in the post, carried out on live HP-UX systems. The required file and user permissions are made more explicit. Instead of the user account used in the post, this example uses the "amarin" user account.

For the example, the master server "delta", running HP-UX 11i v3, will allow account "amarin" from client "crrp4440", running HP-UX 11.23, to log in without requesting the account password. Both servers rely on /etc/hosts entries for IP address resolution, but DNS may be more common.

Configure SSH

1. Verify that the "amarin" user account exists on both the "delta" and "crrp4440" servers and that its home directory has the correct access permission "0755":

[amarin@crrp4440.cri.hp.com] / > ll -d /home/amarin
drwxr-xr-x   2 amarin     users         8192 Apr 30 11:09 /home/amarin

2. Install HP-UX Secure Shell software on both servers.

3. Log in using ssh to the master server (delta) to get its key fingerprint into the client's (crrp4440) $HOME/.ssh/known_hosts file:

[amarin@crrp4440.cri.hp.com] / > ssh delta
The authenticity of host 'delta (16.90.48.75)' can't be established.
RSA key fingerprint is 6b:55:d6:df:bb:ff:4f:f9:f2:d8:a9:ff:fd:25:10:40.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'delta,16.90.48.75' (RSA) to the list of known hosts.
Password:
Last successful login:       Wed Apr 30 15:45:12 MDT 2008 crrp4440.cri.hp.com
Last authentication failure: Wed Apr 30 15:31:44 MDT 2008 crrp4440.cri.hp.com
Last login: Wed Apr 30 15:45:12 2008 from crrp4440.cri.hp.com
(c)Copyright 1983-2006 Hewlett-Packard Development Company, L.P.
(c)Copyright 1979, 1980, 1983, 1985-1993 The Regents of the Univ. of California
(c)Copyright 1980, 1984, 1986 Novell, Inc.
(c)Copyright 1986-2000 Sun Microsystems, Inc.
(c)Copyright 1985, 1986, 1988 Massachusetts Institute of Technology
(c)Copyright 1989-1993  The Open Software Foundation, Inc.
(c)Copyright 1990 Motorola, Inc.
(c)Copyright 1990, 1991, 1992 Cornell University
(c)Copyright 1989-1991 The University of Maryland
(c)Copyright 1988 Carnegie Mellon University
(c)Copyright 1991-2006 Mentat Inc.
(c)Copyright 1996 Morning Star Technologies, Inc.
(c)Copyright 1996 Progressive Systems, Inc.

Confidential computer software. Valid license from HP required for
possession, use or copying.  Consistent with FAR 12.211 and 12.212,
Commercial Computer Software, Computer Software Documentation, and
Technical Data for Commercial Items are licensed to the U.S. Government
under vendor's standard commercial license.

[amarin@delta] / >

4. Log in using ssh from the master server (delta) to get the client's key fingerprint into its $HOME/.ssh/known_hosts file:

[amarin@delta] / > ssh crrp4440
The authenticity of host 'crrp4440 (16.90.48.69)' can't be established.
RSA key fingerprint is 2b:79:8d:30:f4:8f:f5:fc:41:92:c9:d7:6f:97:2e:68.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'crrp4440,16.90.48.69' (RSA) to the list of known hosts.
Password:
Last login: Wed Apr 30 10:47:13 2008 from delta.cri.hp.co
(c)Copyright 1983-2003 Hewlett-Packard Development Company, L.P.
(c)Copyright 1979, 1980, 1983, 1985-1993 The Regents of the Univ. of California
(c)Copyright 1980, 1984, 1986 Novell, Inc.
(c)Copyright 1986-2000 Sun Microsystems, Inc.
(c)Copyright 1985, 1986, 1988 Massachusetts Institute of Technology
(c)Copyright 1989-1993  The Open Software Foundation, Inc.
(c)Copyright 1990 Motorola, Inc.
(c)Copyright 1990, 1991, 1992 Cornell University
(c)Copyright 1989-1991 The University of Maryland
(c)Copyright 1988 Carnegie Mellon University
(c)Copyright 1991-2003 Mentat Inc.
(c)Copyright 1996 Morning Star Technologies, Inc.
(c)Copyright 1996 Progressive Systems, Inc.


                  RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the U.S. Government is subject to
restrictions as set forth in sub-paragraph (c)(1)(ii) of the Rights in
Technical Data and Computer Software clause in DFARS 252.227-7013.


                  Hewlett-Packard Company
                  3000 Hanover Street
                  Palo Alto, CA 94304 U.S.A.

Rights for non-DOD U.S. Government Departments and Agencies are as set
forth in FAR 52.227-19(c)(1,2).
[amarin@crrp4440.cri.hp.com] / >

5. Log off of your server and then off of the master server to get back to the original login shell:

[amarin@crrp4440.cri.hp.com] / > exit
logout
Connection to crrp4440 closed.

[amarin@delta] / > exit
logout
Connection to delta closed.
[amarin@crrp4440.cri.hp.com] / >


6. Change directory to the $HOME/.ssh directory on the client (crrp4440) and generate "dsa" and "rsa" key pairs:

[amarin@crrp4440.cri.hp.com] / > pwd
/home/amarin
[amarin@crrp4440.cri.hp.com] / > cd .ssh
[amarin@crrp4440.cri.hp.com] / > ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/amarin/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/amarin/.ssh/id_dsa.
Your public key has been saved in /home/amarin/.ssh/id_dsa.pub.
The key fingerprint is:
28:f6:cf:4d:f0:56:da:a0:dc:77:8b:e3:bf:a3:0e:b9 amarin@crrp4440.cri.hp.com

[amarin@crrp4440.cri.hp.com] / > ssh-keygen -t rsa
Generating public/private rsa key pair.
Please be patient....   Key generation may take a few minutes
Enter file in which to save the key (/home/amarin/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/amarin/.ssh/id_rsa.
Your public key has been saved in /home/amarin/.ssh/id_rsa.pub.
The key fingerprint is:
b9:a4:14:98:f9:f7:1e:ec:35:58:6b:50:cc:cb:4f:e9 amarin@crrp4440.cri.hp.com
[amarin@crrp4440.cri.hp.com] / >

7. Copy the client server's public key to the master server (delta):

[amarin@crrp4440.cri.hp.com] / > scp id_dsa.pub delta:/home/amarin/.ssh/crrp4440_dsa_pub
Password:
id_dsa.pub                                                              100%  616     0.6KB/s   00:00
[amarin@crrp4440.cri.hp.com] / >

8. Add the client's public key to your master server's $HOME/.ssh/authorized_keys file and set its access permissions to 600 (ssh will ignore $HOME/.ssh/authorized_keys unless it is readable only by the login user account):

[amarin@crrp4440.cri.hp.com] / > ssh delta
Password:
Last successful login:       Wed Apr 30 16:45:50 MDT 2008 crrp4440.cri.hp.com
Last authentication failure: Wed Apr 30 16:30:34 MDT 2008 crrp4440.cri.hp.com
Last login: Wed Apr 30 16:33:40 2008 from crrp4440.cri.hp.com

[amarin@delta] / > cd .ssh
[amarin@delta] / > cat crrp4440_dsa_pub >> authorized_keys
[amarin@delta] / > chmod 600 authorized_keys
[amarin@delta] / > exit
logout
Connection to delta closed.
[amarin@crrp4440.cri.hp.com] / >

9. You should now be able to ssh from Client server (crrp4440) to your Master server without a password:

[amarin@crrp4440.cri.hp.com] / > ssh delta
Last successful login:       Wed Apr 30 16:47:49 MDT 2008 crrp4440.cri.hp.com
Last authentication failure: Wed Apr 30 16:30:34 MDT 2008 crrp4440.cri.hp.com
Last login: Wed Apr 30 16:47:49 2008 from crrp4440.cri.hp.com

[amarin@delta] / > exit
logout
Connection to delta closed.
[amarin@crrp4440.cri.hp.com] / >

10. Do a final review of the permissions of the $HOME/.ssh directory on both servers to ensure there are no security holes.

[amarin@crrp4440.cri.hp.com] / > ls -ld $HOME $HOME/.ssh
drwxr-xr-x   3 amarin     users         8192 Apr 30 11:39 /home/amarin
drwx------   2 amarin     users         8192 Apr 30 11:53 /home/amarin/.ssh

[amarin@crrp4440.cri.hp.com] / > find $HOME/.ssh -type d -exec ll {} \;
total 80
-rw-------   1 amarin     users          668 Apr 30 11:52 id_dsa
-rw-r--r--   1 amarin     users          616 Apr 30 11:52 id_dsa.pub
-rw-------   1 amarin     users         1675 Apr 30 11:53 id_rsa
-rw-r--r--   1 amarin     users          408 Apr 30 11:53 id_rsa.pub
-rw-r--r--   1 amarin     users          884 Apr 30 11:39 known_hosts

[amarin@delta] / > ls -ld $HOME $HOME/.ssh
drwxr-xr-x   3 amarin     users         8192 Apr 30 17:19 /home/amarin
drwx------   2 amarin     users           96 Apr 30 16:48 /home/amarin/.ssh

[amarin@delta] / > find $HOME/.ssh -type d -exec ll {} \;
total 48
-rw-------   1 amarin     sys            616 Apr 30 16:48 authorized_keys
-rw-r--r--   1 amarin     sys            616 Apr 30 16:45 crrp4440_dsa_pub
-rw-r--r--   1 amarin     sys            884 Apr 30 16:34 known_hosts
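
The final review in step 10 can be scripted. The following is an added example, not part of the original page: a POSIX shell function that takes the 700 and 600 modes shown in this procedure as its policy and reports any path under a home directory that is looser. The function names (perm_bits, owner_only, not_shared_writable, audit_ssh_perms) are hypothetical, and reading modes from `ls -ld` instead of stat(1) is an assumption made for portability.

```shell
#!/bin/sh
# Added example (not from the original page): audit the modes from step 10.
# Modes are read from `ls -ld` so no stat(1) is needed (portability assumption).

perm_bits() {            # 9 permission characters, e.g. rwx------
    ls -ld "$1" | cut -c2-10
}

owner_only() {           # true if group and other have no access
    case "$(perm_bits "$1")" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

not_shared_writable() {  # true if neither group nor other can write
    case "$(perm_bits "$1")" in
        ????w????|???????w?) return 1 ;;
        *)                   return 0 ;;
    esac
}

# audit_ssh_perms HOME_DIR: print one FAIL line per finding; return 0 if clean.
audit_ssh_perms() {
    home=$1
    bad=0
    not_shared_writable "$home" ||
        { echo "FAIL $home is writable by group or other"; bad=1; }
    if [ ! -d "$home/.ssh" ]; then
        echo "FAIL $home/.ssh does not exist"
        return 1
    fi
    owner_only "$home/.ssh" ||
        { echo "FAIL $home/.ssh should be mode 700"; bad=1; }
    for f in "$home/.ssh/authorized_keys" "$home"/.ssh/id_*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.pub)   # public halves may be readable, but not writable by others
                not_shared_writable "$f" ||
                    { echo "FAIL $f is writable by group or other"; bad=1; }
                continue ;;
        esac
        owner_only "$f" || { echo "FAIL $f should be mode 600"; bad=1; }
    done
    return "$bad"
}

# Usage: audit_ssh_perms "$HOME"   (run on both client and master)
```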

Reference

page 31, HP-UX Secure Shell Authentication Methods