Translate

Sunday, April 8, 2018

Enable passwordless access to a machine

DEBRH or ... Don't Expect Big Revelations Here :)
Just a quick note that maybe can be useful to somebody.

Here the scenario.
We have two Linux machines in the network. A user from the machine A (call it Auser) need to  access some data on the machine B, under a specific user (call it Buser).
So, we can simply use ssh for that.

We log in to the A machine as Auser, then we ssh to the other machine :

ssh Buser@Bmachine

That is great, but what about if we want to have a script to do that ?
Same procedure, however there is a problem.
The ssh connection asks for a password !

No problems if is a user that log in. The user can see the password request and answer it.
But a script ... no.

Here a easy way to do that.

Scenario


  • A machine : 192.168.0.10
  • B machine : 192.168.0.20
  • Users :
    • Auser on A machine
    • Buser on B machine
  • script needs to connect from Auser to Buser

Requirements

  • who perform this task has the passwords for both Auser and Buser
  • both machines have installed ssh and utilities

Settings


A machine setting

This is the machine that wants to connect with the B machine, i.e. it is the machine were the connect requests starts.
Login in it as Auser with a terminal and verify to have the directory .ssh present.

ls ~/.ssh

If it exists, we can use the keys already there (see the Important block below !), otherwise we need to create a new key using ssh-keygen utility (for example ssh-keygen -t rsa).
A key in the .ssh directory exists in two files. One is the "public" key, the other is the "private" key.
Typical name for a key is for example : rsa.
So in the .ssh we could have two files :
  • rsa
  • rsa.pub
where rsa is the "private" key and rsa.pub is the "public" key.

Now, we need to add the public key of Auser in a specific file on the Buser.

IMPORTANT !! Remember !

The key used must be generated WITHOUT SETTING A PASSWORD !
If the key is generated adding a password, then that password will be asked anyway when log in !
The goal here is to allow a machine to log in to another machine without the need to ask a password !
If, like me, already the default key (id_rsa) exists, and has a password set, just create another key (name it for example id_rsa1) without setting the password, then follow the procedure below.
Then when to connect, tells ssh to use the correct key, for example : 
ssh -i ~/.ssh/id_rsa1 Buser@192.168.0.20

B machine setting


So, we can simply ssh from the A machine to the B machine :

ssh Buser@192.168.0.20

Of course a password will be asked at this stage.
Once connected verify to have the .ssh directory for the Buser :

ls ~/.ssh

If there is NOT that directory, create one : mkdir .ssh

We can log off from the Buser.

At this point we need to copy the Auser public key into the file ~/.ssh/authorized_keys on the Buser.

We can use scp or much easier way, like : 

cat ~/.ssh/id_rsa.pub | ssh Buser@192.168.0.20 'cat >> .ssh/authorized_keys'

Note that we use the >> redirection command here because is possible the authorized_keys file already exists and we don't want to destroy what already there.
If the file doesn't exists it is created anyway.
Of course the Buser password will be asked.

Better to adjust also the authorized_keys permissions :

ssh Buser@192.168.0.20 "chmod 700 .ssh; chmod 640 .ssh/authorized_keys"

Again, the Buser password will be asked.

Done


If everything was done correctly from now on, every time Auser will ssh to Buser, it will be connected without asking for the password.


No comments:

Post a Comment