Thursday, 15 September 2005

How to setup SSH keys and why?

Secure SHell (SSH) as the name indicates is a secure form of connecting to a remote machine. It is secure because all data transfer via SSH happens in encrypted form. SSH comes with a collection of tools. For instance, you have -
  • scp - which is used to copy files between remote machines securely.
  • sftp - which is secure FTP, i.e. secure file transfer.
  • And of course SSH's more common duty being to let users login securely to a remote machine.
SSH comes in two versions, i.e. SSH 1 and SSH 2. The more recent SSH 2 is provided by a package called OpenSSH. I am going to use SSH 2 here, so make sure you have the OpenSSH package installed on your machine.
SSH makes use of public and private keys to verify who you are, and the keys are generated using either the RSA or DSA algorithm. Of course, you can also ssh to a remote machine without going through the trouble of creating public and private keys, but it will be less secure.

Figure: Asks for password when ssh(ing) without public and private keys.

Creation of SSH public and private key
To create an SSH key, you make use of the ssh-keygen program as follows:

$ ssh-keygen -t rsa -b 1024

Now it will ask for a few details and finally ask you to enter a secret pass phrase. After you have entered the pass phrase, it will generate two keys: a public key named 'id_rsa.pub' and a private key named 'id_rsa'. These keys are stored in a hidden directory called .ssh in your home folder.

Figure: Creating the public private key pair.

Next you have to copy the just-created public portion of your key to the remote machine. Let us assume that your local machine is local_mc and the remote machine you want to SSH to is remote_mc. You can use scp to copy the key to the remote machine as follows:

$ scp ~/.ssh/id_rsa.pub remote_mc:.ssh/authorized_keys

Above, I have copied the id_rsa.pub key to the .ssh folder of the remote machine and named it authorized_keys. Now remote_mc is ready to accept your ssh connection.

Note: Usually you are not the administrator of the remote machine, in which case you have to email your public key to the administrator of remote_mc. He will first check that the key is valid by entering the command:

# ssh-keygen -l -f the_key_you_send.pub

Once he is satisfied, he will include the key in the .ssh directory of your user account on remote_mc. Now when you want to log in to remote_mc via ssh, it will ask you for the pass phrase.
Note: This is significant because you are transmitting your encrypted pass phrase and NOT the password across the network. And the fingerprint you generated on local_mc is tied not only to the user account on your local machine but also to the machine itself.

Figure: Asks for the pass phrase instead of password.

This means you can log in to remote_mc only from local_mc using that public key, and not from any other machine on the network.
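
As an added example (not part of the original post), here is how the remote administrator can install a received public key safely: it appends to authorized_keys instead of overwriting it (the scp command above replaces the whole file), rejects malformed key lines, skips keys that are already present, and sets the permissions sshd requires. The directory path and the key strings in the comments are assumed placeholders.

```sh
#!/bin/sh
# Added example, not the original post's code: install a public key the way
# the remote administrator would, appending to authorized_keys rather than
# overwriting it, rejecting malformed lines, skipping duplicates and fixing
# the permissions sshd expects. Key strings in comments are constructed.

# valid_pubkey_line <line>: succeed if <line> looks like one OpenSSH public key
valid_pubkey_line() {
    case "$1" in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-nistp256\ *) ;;
        *) return 1 ;;
    esac
    # the second field is the base64-encoded key blob
    blob=$(printf '%s\n' "$1" | awk '{print $2}')
    [ -n "$blob" ] || return 1
    printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# install_authorized_key <ssh_dir> <pubkey_line>
# Prints "added" or "duplicate"; returns 1 if the key line is malformed.
install_authorized_key() {
    sshdir=$1
    key=$2
    valid_pubkey_line "$key" || return 1
    authfile="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    touch "$authfile"
    # compare key type and blob only, so a different comment is still a duplicate
    keyid=$(printf '%s\n' "$key" | awk '{print $1" "$2}')
    if awk -v id="$keyid" '($1" "$2)==id {found=1} END {exit found ? 0 : 1}' "$authfile"; then
        echo duplicate
    else
        printf '%s\n' "$key" >>"$authfile"
        echo added
    fi
    # with StrictModes (the default) sshd ignores keys in a group- or
    # world-writable directory or file, so lock the permissions down every time
    chmod 700 "$sshdir"
    chmod 600 "$authfile"
}

# usage (assumed path, constructed key such as the contents of an id_rsa.pub
# received by e-mail):
#   install_authorized_key /home/skinner/.ssh "ssh-rsa AAAAB3NzaC1yc2E...== skinner@local_mc"
```

Run it once per received key; a second run with the same key reports "duplicate" and leaves the file unchanged.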

Password-less logins using SSH
All this is fine, but what happens when you have to ssh to remote_mc frequently? It becomes tedious and error prone to type the pass phrase each and every time. There is a way to circumvent this issue.
You can use a tool called ssh-agent. When you try to ssh to remote_mc from local_mc, the ssh agent verifies that this key does come from you; it is the ssh agent's responsibility to handle the key. So you need only give the pass phrase the first time you log on to remote_mc, and the next time you log in, the ssh agent verifies your identity and you are automatically logged on to remote_mc.
These are the steps required for password-less logins.
  • Start ssh-agent in the command line.
    $ exec ssh-agent /bin/bash

  • Add your identity to the ssh-agent using the ssh-add tool.

    $ ssh-add ~/.ssh/id_rsa
When you enter the above command, it will ask for your pass phrase, which you have to provide. From here on, the ssh-agent will verify your identity and you can ssh to the remote machine without entering the pass phrase.

Figure: Using ssh-add to add your identity to the ssh agent.

$ ssh -l skinner remote_mc

From now on you don't have to use the password or pass phrase to ssh to the remote_mc machine.
Also Read:
My previous post on Secure SHell.
