Password Less SSH setup

Password less SSH Setup for End User

Purpose

This document describes the passwordless SSH setup for an individual user ID in the following scenarios:

Workstation to UNIX

UNIX to UNIX

CAUTION: Please do NOT use this procedure for generic accounts such as "oracle", "infa", etc., as following these steps may overwrite an existing SSH setup.

Pre-requisite:

For the Workstation to UNIX passwordless SSH setup, download the full PuTTY.zip, or PuTTY.exe and pscp.exe together with the following files:

Make sure that the folder into which you copy these files is included in the "PATH" environment variable.

Key Generation

  1. Start puttygen.exe [PuTTY Key Generator].

  2. Change the text box at the bottom right ("Number of bits in a generated key:") from 1024 to 2048.

  3. Click the "Generate" button and move the mouse randomly over the blank area; this supplies the randomness used to generate the key.

  4. Enter a meaningful value in the "Key comment" field.

  5. Select the content of the box titled "Public key for pasting into OpenSSH authorized_keys file:". Right-click the highlighted text, copy it, paste it into a new document and save that document as "authorized_keys.txt". [The path does not matter as long as you can find this file later; here it is stored as "<PuTTYPath>\Config\authorized_keys.txt".]

  6. Enter a passphrase: anything you can remember, such as a sentence or a slogan you like. [You need to remember it for as long as you use this key, and you must enter it every time you restart, log off/log in, or reload the PuTTY agent.]

    For example: "I love The God!"

The setup also works without a passphrase, but that is very insecure: anyone who gets hold of your private key can then log on as "you".

  7. Re-enter the same passphrase.

  8. Click the "Save private key" button. Select an appropriate directory and enter a file name with the extension ".ppk" => here I entered "dpatel_rsa_2048_20130611.ppk" and clicked "Save".

  9. Click the "Save public key" button. Select the same directory where the private key was stored. For consistency, save the public key under the same name with the extension ".pub" => here I entered "dpatel_rsa_2048_20130611.pub" and clicked "Save".

  10. Close the "PuTTY Key Generator" window.

Load Keys

  1. Start "pageant.exe". Unlike other applications, it does NOT open a GUI window; it sits in the system tray.

  2. Right-click the tray icon and click "Add Key". Select the private key stored in Key Generation step 8.

  3. Pageant asks for the passphrase entered in Key Generation step 6. Enter it and click "OK".

  4. If there is a typo, the "Enter passphrase" prompt pops up again. After a correct passphrase the window disappears.

  5. This step is optional. To verify that the key is loaded, double-click the "pageant.exe" icon in the system tray. A window similar to the one shown below opens and lists all loaded keys.

  6. The key must be loaded again every time the workstation is rebooted or "pageant.exe" is restarted. To automate this, add the batch file from the "Loading private key on Workstation" section to Windows Startup, or run it manually. Either way the passphrase has to be entered.

SSH Login without further setup

Logging in still works exactly as before, because the authenticating server does not yet know the new key. We will demonstrate this using the pscp.exe [PuTTY Secure Copy] utility.

  1. Open a command window and run a pscp copy to the server.

  2. After the correct password is entered, the file is copied.

SSH Setup on Unix/Linux server(s)

The setup described in this section must be repeated on each Linux/UNIX server where passwordless SSH [from the workstation] is required.

SSH setup on first UNIX server

  1. Open an SSH session to the UNIX host [here wdhoel05].

  2. Check whether a ".ssh" directory is present in the user's home directory.

  3. If a ".ssh" directory exists, rename it for safety, then create a fresh one:
    1. mkdir -p ~/.ssh
    2. chmod 700 ~/.ssh

  4. Generate SSH keys on UNIX. This key is created without a passphrase so that it can be used from shell scripts without any user intervention. Enter the following command and accept all default values [hit Enter at each prompt]:
    1. ssh-keygen -b 2048

  5. Verify the generated files (id_rsa and id_rsa.pub in ~/.ssh).

  6. Validate the SSH setup on this server for passwordless login from the workstation. Install the public key saved from PuTTYgen (authorized_keys.txt, placed in your home directory on the server) as the authorized_keys file:
    1. cat ~/authorized_keys.txt > ~/.ssh/authorized_keys

  7. Open a new PuTTY session to wdhoel05; with the key loaded in Pageant, no password prompt should appear.

  8. Execute the following command to authorize the server's own key as well, for UNIX to UNIX login:
    1. cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

  9. Once passwordless SSH is validated, use the following script to generate a master shell script that can be run on all subsequent UNIX servers to establish passwordless SSH, "UNIX to UNIX" as well as "Workstation to UNIX".
    1. Copy the script content shown below into the file "genMasterKeys.sh".
    2. For convenience, I have copied genMasterKeys.sh to /tmp/genMasterKeys.sh on wdhoel05, so you can simply copy it to your home directory:
      1. cp -p /tmp/genMasterKeys.sh ~/
    3. Change the permission of this file to "700".

wdhoel05:dpatel(/home/dpatel)> cat genMasterKeys.sh

#!/bin/ksh
# Dharmesh Patel
# Date : 02/11/2013
# This script reads the current SSH keys and authorized key on the first server to generate a master shell script.
# This master script can be executed on all subsequent UNIX servers to establish password less connectivity.
export SCRIPT_NAME=`id -un`_ssh_master.sh
export ID_RSA=`cat ~/.ssh/id_rsa`
export ID_RSA_PUB=`cat ~/.ssh/id_rsa.pub`
export WORKSTATION_RSA_PUB=`cat ~/authorized_keys.txt`

# Everything up to EOF_SCRIPT becomes the generated master script.
# Unescaped ${...} and `...` expand now (this embeds the keys); the
# backslash-escaped ones are left for the generated script to evaluate.
(
cat << EOF_SCRIPT
#!/bin/ksh

# File name: ${SCRIPT_NAME}
# Author : Dharmesh Patel
# Date : `date '+%m/%d/%Y'`
#
# Note : This script has been generated using the script - genMasterKeys.sh
# If you encounter any issues with this script, please contact Dharmesh Patel
# Description: Update authorized keys on this host with the master id_rsa.pub
#
#

# Move \$1 aside as \$1.bkp.<pid> unless an identical backup already exists.
function bkp_if_no_bkp_exist {
    export ORG_FILE=\$1
    export BKP_EXIST=0
    for f in \`find . -name "\${ORG_FILE}.bkp.*"\`
    do
        diff \${ORG_FILE} \${f} 1>/dev/null 2>/dev/null
        if [ \$? -eq 0 ]; then
            BKP_EXIST=1
            break;
        fi
    done
    if [ \${BKP_EXIST} -eq 0 ]; then
        mv \${ORG_FILE} \${ORG_FILE}.bkp.\$\$
    fi
}

echo "\`uname -n\`: Updating ssh key configuration on \`date +%Y%m%d_%H%M%S\`" | tee -a updt_auth_keys.log

if [ "e"\${HOME} = "e" ]; then
    export HOME=/home/dpatel
fi

if [ ! -d \${HOME}/.ssh ]; then
    mkdir -p \${HOME}/.ssh/
fi

cd \${HOME}/.ssh

if [ -f id_rsa ]; then
    echo "Backup existing id_rsa file to id_rsa.bkp.\$\$" | tee -a updt_auth_keys.log
    bkp_if_no_bkp_exist id_rsa
fi

if [ -f id_rsa.pub ]; then
    echo "Backup existing id_rsa.pub file to id_rsa.pub.bkp.\$\$" | tee -a updt_auth_keys.log
    bkp_if_no_bkp_exist id_rsa.pub
fi

if [ -f authorized_keys ]; then
    echo "Backup existing authorized_keys file to authorized_keys.bkp.\$\$" | tee -a updt_auth_keys.log
    bkp_if_no_bkp_exist authorized_keys
fi

# The key material below was expanded when this script was generated.
(
cat << EOF
${ID_RSA}
EOF
) > id_rsa

(
cat << EOFP
${ID_RSA_PUB}
EOFP
) > id_rsa.pub

(
cat << EOFA
${WORKSTATION_RSA_PUB}
${ID_RSA_PUB}
EOFA
) >> authorized_keys

chmod 700 \${HOME}/.ssh
chmod 600 id_rsa
chmod 644 id_rsa.pub
chmod 644 authorized_keys

EOF_SCRIPT
) > ${SCRIPT_NAME}

chmod 700 ${SCRIPT_NAME}

echo "Script: ${SCRIPT_NAME} is ready for use."

wdhoel05:dpatel(/home/dpatel)> chmod 700 genMasterKeys.sh

  10. Execute this script [genMasterKeys.sh] on wdhoel05; it generates a script named <LoginID>_ssh_master.sh.

  11. Now we are ready to perform a similar setup on all other UNIX servers.
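The manual steps above (and the generated master script) append public keys to authorized_keys with cat and then chmod the files by hand, so re-running them leaves duplicate lines and a wrong mode goes unnoticed until sshd's StrictModes rejects the login. The following helper is an added example, not the page's genMasterKeys.sh: it adds a key line only once and reports the permission problems the procedure depends on avoiding. It assumes a POSIX sh with awk, grep and find; the HOME_DIR argument and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not the page's genMasterKeys.sh: append a public key to
# HOME_DIR/.ssh/authorized_keys exactly once and check the permissions the
# procedure depends on (700 .ssh, 600 id_rsa, 644 authorized_keys).
# Assumes POSIX sh with awk, grep and find; HOME_DIR is the account's home.

# add_authorized_key HOME_DIR "ssh-rsa AAAA... comment"
# Returns 0 when the line was appended, 1 when the same key blob
# (field 2) is already present, 2 when the line is malformed.
add_authorized_key() {
    home_dir=$1 key_line=$2
    blob=$(printf '%s\n' "$key_line" | awk 'NF >= 2 { print $2 }')
    [ -n "$blob" ] || return 2
    sshdir=$home_dir/.ssh
    auth=$sshdir/authorized_keys
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    [ -f "$auth" ] || { : > "$auth" && chmod 644 "$auth"; }
    # Match on the base64 blob only: the comment on the PuTTYgen export
    # may differ from a copy of the same key that was pasted in earlier.
    if grep -qF -- "$blob" "$auth"; then
        return 1
    fi
    printf '%s\n' "$key_line" >> "$auth"
}

# check_ssh_perms HOME_DIR: prints each path that sshd's StrictModes
# would reject (group/world-writable .ssh or authorized_keys, or an
# id_rsa readable by others); returns 1 if anything was reported.
check_ssh_perms() {
    sshdir=$1/.ssh bad=0
    for f in "$sshdir" "$sshdir/authorized_keys"; do
        [ -e "$f" ] || continue
        if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "group/world writable: $f"
            bad=1
        fi
    done
    if [ -f "$sshdir/id_rsa" ] && \
       [ -n "$(find "$sshdir/id_rsa" -prune ! -perm 600 ! -perm 400 -print)" ]; then
        echo "private key not mode 600/400: $sshdir/id_rsa"
        bad=1
    fi
    return $bad
}
```

Run add_authorized_key once per key line from authorized_keys.txt and id_rsa.pub, then check_ssh_perms "$HOME" before testing the login.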

SSH setup on subsequent servers

  1. Copy the script file generated in step 10 of the previous section to the desired UNIX server(s).

  2. Log on to the destination server [here wdhoel06] and execute the script "dpatel_ssh_master.sh".

  3. Any existing key files are backed up first.

  4. Now validate connectivity from the workstation to wdhoel06.

  5. Now test connectivity between the two UNIX servers:
    1. wdhoel05 to wdhoel06
    2. wdhoel06 to wdhoel05

  6. Steps 1 through 5 need to be repeated on all subsequent UNIX servers.
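Steps 4 and 5 are normally checked by hand, which hides a half-working setup behind a password prompt. The following check is an added example, not part of the original procedure: it uses BatchMode so ssh fails instead of prompting, and it summarises the result for every host. It assumes the OpenSSH ssh client is on PATH; the host names are the ones used in this document and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original procedure: confirm that each host
# accepts the key without ever prompting for a password.
# Assumes the OpenSSH ssh client is on PATH.

# check_passwordless_login HOST [USER]
# BatchMode=yes makes ssh fail instead of asking for a password or an
# unknown-host-key confirmation, so this is safe in a loop or from cron.
# Returns ssh's exit status: 0 when the key was accepted and "true" ran,
# 255 when authentication or the connection failed.
check_passwordless_login() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no \
        -o ConnectTimeout=5 -l "${2:-$(id -un)}" "$1" true
}

# report_hosts HOST...: prints one line per host, e.g. "wdhoel06: OK",
# and returns the number of hosts that still need a password (0 = all good).
report_hosts() {
    failures=0
    for h in "$@"; do
        if check_passwordless_login "$h" >/dev/null 2>&1; then
            echo "$h: OK"
        else
            echo "$h: FAIL (key not accepted or host unreachable)"
            failures=$((failures + 1))
        fi
    done
    return $failures
}
```

Run report_hosts wdhoel05 wdhoel06 from each server after the master script has been executed there; any FAIL line means that host still needs the setup repeated.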

Loading private key on Workstation

Daily/Restart

As described earlier in this document, the private key must be loaded with the Pageant.exe utility before passwordless connectivity from the workstation can be used. Copy the following commands into a batch file and run it at startup and/or manually. Update the paths, key file name, host name and login ID in the script to match your local workstation setup:

REM Author: Dharmesh Patel
REM Date: 18-December-2012
@echo Loading pageant.exe - private keys for Dharmesh Patel . . .
REM The first quoted argument of START is taken as the window title, so an empty title ("") must precede the program path.
start "" "C:\AAA\PuTTY\PAGEANT.EXE" "C:\AAA\PuTTY\Config\dpatel_rsa_2048_20130611.ppk"
pause
@echo Loading one of the sessions . . .
cd /d "C:\AAA\PuTTY"
REM The following commented line shows how to load a preset session, if any.
REM start PUTTY.EXE -load "oem1" -ssh -P 22 wdhoel05 -l dpatel
start PUTTY.EXE -ssh -P 22 wdhoel05 -l dpatel
pause
