SSH and passwordless access

SSH is a wonderful program. It gives you an authenticated, encrypted channel between two machines, which is exactly what you need when the traffic crosses the internet.

There are two packages involved. The first is the client, which you need in order to initiate a connection to a remote machine; the second is the server, which a machine needs in order to accept incoming connections. On Debian and Ubuntu both are installed with the commands below (only install the server on machines that really should accept logins).

sudo apt-get update
sudo apt-get install openssh-client openssh-server

SSH has two configuration files, and it matters which one you edit: /etc/ssh/ssh_config holds the client defaults that apply whenever you run ssh, and /etc/ssh/sshd_config holds the server settings (listening port, which authentication methods are accepted, logging). Both are owned by root, so editing them needs sudo. As usual, back the file up before you make any changes so you can recover if need be (the {,.orig} shorthand is bash brace expansion).

sudo cp -v /etc/ssh/ssh_config{,.orig}
sudo vi /etc/ssh/ssh_config

On Ubuntu releases that use traditional init/upstart, the server is controlled with service or the init script below; the service is called ssh on Debian and Ubuntu (sshd on most other distributions). Systemd uses systemctl to control its services, which I’ll detail in a later post. Note that the server only re-reads sshd_config on a restart or reload.

sudo service ssh start|stop|restart|status
-or-
sudo /etc/init.d/ssh start|stop|restart|status

Finally, on to actually using the SSH program. We can start a “plain” SSH connection using all the defaults (port 22, your default key files, the cipher list negotiated with the server) by issuing:

ssh user@remotehost

Some useful switches are:

-l user        log in as user (the same as writing user@remotehost)
-p port        connect to port instead of 22, if you changed Port in sshd_config on the server
-C             enables compression (only worth it on slow links)
-c cipher      choose the cipher explicitly; ssh -Q cipher lists what your client supports
-X             enables X11 forwarding; use it only with hosts you trust, since the remote side then gets access to your local X display
-v             enable verbosity
-vv            enable more verbosity
-vvv           enable the max level of verbosity (helpful for troubleshooting)

A word on -c: older guides (including the original version of this list) suggest -c blowfish. Blowfish is a 64-bit block cipher that has been removed from OpenSSH, so current servers will simply refuse it. Leave -c alone unless you have a reason, and if you do pick a cipher, pick one from the modern list such as chacha20-poly1305@openssh.com or aes256-gcm@openssh.com.

Now that that’s done, let’s start the fun stuff: setting up passwordless SSH access, because entering a password each and every time you want to connect is a pain. Plus, using strong keys is actually much more secure than a password that you have to remember and that can be guessed or brute-forced: the private key never leaves your machine, and the server only ever sees a signature made with it.

First things first, you’ll need to generate a key pair: a public key, which goes on the remote computer, and a private key, which stays on your computer and must never be copied anywhere else. You do this by issuing the following command for an RSA key (ssh-keygen -t ed25519 gives you a smaller, faster key that every current OpenSSH accepts, and is the better default today). When asked for a passphrase, set one: it means a stolen key file is useless on its own.

ssh-keygen -t rsa

This puts your private key and public key at the following locations respectively:

~/.ssh/id_rsa
~/.ssh/id_rsa.pub

Next, you load your private key into ssh-agent, so you type the passphrase once per session rather than on every connection (this step needs an agent running, which desktop Ubuntu starts for you):

ssh-add ~/.ssh/id_rsa

Then you copy the public half of your key to the remote host. ssh-copy-id logs in with your password one last time, creates ~/.ssh there if needed, and appends the key to ~/.ssh/authorized_keys with the permissions sshd expects:

ssh-copy-id -i ~/.ssh/id_rsa.pub user@remotehost

And you are finished! You can now access the remote machine and use your RSA key to authenticate yourself simply by typing:

ssh user@remotehost

Once you have confirmed that key login works from every machine you need, consider setting PasswordAuthentication no in the server’s sshd_config and restarting it, so that password guessing against the server stops working altogether. Do that from a second session, and keep it open until you have verified you can still log in.
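To see exactly what ssh-copy-id does on the remote side, here is the same procedure written out by hand as a shell function. This is an added example, not part of the original post or of OpenSSH itself; the key file used in the test is a constructed line in authorized_keys format, not a real key. The function refuses anything that does not start with an OpenSSH public key type (so a private key pasted by mistake never lands in authorized_keys), creates ~/.ssh and authorized_keys with the modes sshd insists on, and appends the key only if it is not already there.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE HOME_DIR
# Appends the public key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys exactly
# once and sets the permissions sshd (StrictModes) requires. Added example; run it
# against a scratch directory to try it, or on the server against the real home.
install_pubkey() {
    pub=$1
    home=$2
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"

    # A public key line is "<type> <base64 blob> [comment]". Accept only the
    # OpenSSH key types worth installing; ssh-dss is deliberately left out.
    keytype=$(awk 'NR==1 {print $1}' "$pub")
    case "$keytype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp*|sk-*) ;;
        *) echo "not a public key file: $pub" >&2; return 2 ;;
    esac

    # ~/.ssh must be 700 and authorized_keys 600: if either is writable by the
    # group or the world, sshd ignores the file and falls back to passwords.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$auth"
    chmod 600 "$auth"

    # Compare type + blob only, so a changed comment does not create a duplicate.
    blob=$(awk 'NR==1 {print $1" "$2}' "$pub")
    if grep -qF -- "$blob" "$auth"; then
        echo "already present: $blob" >&2
        return 0
    fi
    # awk prints the line with a trailing newline even if the file lacks one.
    awk 'NR==1' "$pub" >> "$auth"
    echo "installed $keytype key into $auth"
}
```

Run over ssh, this is one line: pipe the public key into the function on the remote side instead of reading it from a file. The two chmod calls are the part people forget when they do this by hand, and they are the usual reason a freshly installed key is silently ignored.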


TROUBLESHOOTING

As a common troubleshooting step, note that the permissions on the directories and files are very important. On the server, sshd (with its default StrictModes yes) silently ignores authorized_keys if your home directory, ~/.ssh or the file itself can be written by anyone other than you, and you fall back to a password prompt. On the client, ssh refuses to use a private key that other users can read (“UNPROTECTED PRIVATE KEY FILE!” / “permissions are too open”).

Your home .ssh directory needs 700 permissions:

chmod 700 ~/.ssh

Your ~/.ssh/authorized_keys file (on the server) needs 600 permissions:

chmod 600 ~/.ssh/authorized_keys

Your public key needs 644 permissions:

chmod 644 ~/.ssh/id_rsa.pub

Your private key (on the client) needs 600 permissions:

chmod 600 ~/.ssh/id_rsa

Your home folder ~ cannot be writable by anyone but you:

chmod g-w,o-w ~
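The chmod list above, turned into a check you can run on either side before you start reading logs. This is an added example, not part of the original post; it assumes GNU coreutils (stat -c), i.e. a Linux host like the Ubuntu box the post targets, and it defaults to the id_rsa key name, which you can override with a second argument. It applies the actual rules rather than the exact modes: home, ~/.ssh and authorized_keys fail if they are group- or world-writable (mask 022), and the private key fails if anyone else has any access to it at all (mask 077).

```shell
#!/bin/sh
# Added example: audit the permissions sshd (StrictModes) and the ssh client
# insist on. Assumes GNU stat. Exit status is the number of problems found.

# mode_bits FILE MASK -> prints, in octal, the bits of FILE's mode that fall
# under MASK ("0" means none of them are set).
mode_bits() {
    m=$(stat -c '%a' "$1") || return 1
    # the leading 0 makes the shell read both values as octal
    printf '%o\n' $(( 0$m & 0$2 ))
}

# check_ssh_perms HOME_DIR [KEYNAME]
# Prints one line per problem, with the chmod that fixes it, and returns the
# number of problems (0 = everything is as sshd and ssh expect).
check_ssh_perms() {
    home=$1
    key=${2:-id_rsa}
    problems=0

    # Server side: sshd ignores authorized_keys if any of these is writable by
    # the group or by others.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            problems=$((problems + 1))
        elif [ "$(mode_bits "$p" 022)" != "0" ]; then
            echo "WRITABLE $p (mode $(stat -c '%a' "$p")): run chmod g-w,o-w '$p'"
            problems=$((problems + 1))
        fi
    done

    # Client side: ssh refuses a private key that anyone else can read or write.
    priv="$home/.ssh/$key"
    if [ -e "$priv" ] && [ "$(mode_bits "$priv" 077)" != "0" ]; then
        echo "TOO OPEN $priv (mode $(stat -c '%a' "$priv")): run chmod 600 '$priv'"
        problems=$((problems + 1))
    fi

    return "$problems"
}
```

Typical use is check_ssh_perms "$HOME" on the server after ssh-copy-id, and check_ssh_perms "$HOME" id_ed25519 on the client if you use a non-default key name. A clean run prints nothing and exits 0.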

If it still is not working and you have verified the permissions of the files and folders, the next step is to enable verbose logging on the server and check its log files. You do this by editing the server config file there (remember to back it up first!)

sudo vi /etc/ssh/sshd_config

And changing the line (it may be commented out as #LogLevel INFO; remove the # as well):

LogLevel INFO

to

LogLevel VERBOSE

Save and exit (ZZ in vi), then restart the ssh server

sudo service ssh restart

Try your connection to the remote host with the verbosity switches. The client output alone usually tells you which keys were offered and whether the server rejected them or never asked for public-key authentication at all:

ssh -vvv user@remotehost

And then, on the server, view the log file to see what is happening. auth.log is readable only by root and the adm group, hence the sudo (on a systemd host without auth.log, use journalctl -u ssh instead):

sudo tail -n 30 /var/log/auth.log

At VERBOSE, sshd logs each key it is offered and the fingerprint of the one it accepts, which is also useful to keep on afterwards for auditing who logged in with which key.