Login without password

Pre-flight checks

Unix Client and Server

Check if the keys have been created already.

The following commands must be executed on both the local and the remote system. On the remote system, use the credentials (username and password) of the account you want to use for password-less sign-on.

cd $HOME
mkdir -p .ssh
chmod 700 .ssh   # keep the directory private; sshd ignores keys in a directory that others can write to
ls -l .ssh
# check if id_dsa* and id_rsa* exist. If yes, skip the next steps
# -f names the key files; the private key must not be written to authorized_keys (that file holds the public keys allowed to log in)
ssh-keygen -t dsa -f .ssh/id_dsa -N ""   # DSA (ssh-dss) is disabled by default since OpenSSH 7.0; the RSA key is the one current servers accept
ssh-keygen -t rsa -f .ssh/id_rsa -N ""
# -N "" creates keys without a passphrase; if you set one instead, please write it down somewhere

On some Linux systems, namely those running SELinux, you may see an error message like:

$ ssh-keygen -t dsa -f .ssh/authorized_keys -N ""
Generating public/private dsa key pair.
open .ssh/authorized_keys failed: Permission denied.
Saving the key failed: .ssh/authorized_keys.

Then you have to enter the following command:

chcon -R -t ssh_home_t ~/.ssh
# alternatively, reapply the default SELinux labels: restorecon -R -v ~/.ssh

Windows Client

Unlike Unix, Windows platforms have no pre-installed SSH client. For a list of free solutions see here; the most popular seems to be PuTTY. Commercial alternatives like Bitvise Tunnelier are also around. My examples are based upon PuTTY.

Unix Server

Normally SSH servers are pre-installed on all Unix-like servers. The installation of an SSH server is not in the scope of this document.

You have to make sure that the server is running and that port 22 is open to all prospective clients.

Windows Server

Unlike Unix-based operating systems, Windows has no preinstalled SSH server. We have tested FreeSSH without much success, so we went for Bitvise WinSSHD (free for non-commercial use); my example is based upon this software. The installation of an SSH server is not in the scope of this document.

You have to make sure that the server is running and that port 22 is open to all prospective clients.

Copy public key

Unix Client → Unix Server

On the local system, copy the public key to the remote system you want to log in to without a password.

"ssh-copy-id" may not be installed on your client (for example on MacOS/X). Search the internet for instructions for your OS; here are just two examples:

  • CentOS / Redhat: yum install openssh-clients
  • MacOS/X: see here

Once ssh-copy-id is available, enter the following command: 

ssh-copy-id <user>@<remote_system>

On some servers you have to correct the access rights of the public key file on the server side:

ssh <user>@<remote_system>
# next commands on the server
chmod 700 .ssh                 # sshd ignores the keys if others can write to this directory
chmod 600 .ssh/authorized_keys
exit

Example:

ssh-copy-id root@myserver.com

Unix Client → Windows Server

# -i selects the private key; its public half (.ssh/id_rsa.pub) must already be registered for <user> on the Windows server
ssh -i ~/.ssh/id_rsa <user>@<remote_system>

Example:

ssh -i ~/.ssh/id_rsa administrator@www.gutzmann.se

Windows Client → Unix Server

This is a bit complicated.

In a first step you have to create the public/private key pair. Using PuTTY, you have to download PuTTYgen from the PuTTY Download Page. Store it in the directory where PuTTY is located and run it.

  • In the lower right corner set the number of bits to 2048.
  • Don't fill in the passphrase, as there are some reports about cross-platform problems.
  • Press "Generate". You have to move the mouse pointer over the empty space until the progress bar is complete.
  • Copy the public key displayed in the resulting window.
  • Paste it into an editor (like Notepad) and save it. It doesn't matter where you save it; out of habit I have a .ssh directory in my Windows home directory, and I saved the public key there as "putty.pub".
  • You should not use "Save public key", as that format will not be accepted by Unix hosts.
  • Back in PuTTYgen, press "Save private key". Again the location and the file name don't really matter; I have chosen "putty.ppk" in my .ssh directory. This file should not be readable by others!
  • Copy the public key to the Unix server and append it to ".ssh/authorized_keys" (alternatively you can edit ".ssh/authorized_keys" directly and paste the key there).
  • Check the file protection of ".ssh/authorized_keys"; it should be "600" - if not, set the protection with "chmod 600 ~/.ssh/authorized_keys".
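The append step above, and the manual fallback for a Unix client without ssh-copy-id, as an added example that is not part of the original page: it converts a PuTTYgen "Save public key" file (SSH2 / RFC 4716 format, which Unix hosts reject as-is) into the one-line OpenSSH format and appends it to authorized_keys without duplicates and with the permissions sshd expects. The sample key file is constructed for the example with a fake, tiny RSA blob; on a Unix host `ssh-keygen -i -f FILE` performs the same conversion.

```shell
#!/bin/sh
# Added example (not the page's own code). Turns a PuTTYgen "Save public
# key" file (SSH2 / RFC 4716 format) into one OpenSSH authorized_keys
# line and installs it the way ssh-copy-id would; "ssh-keygen -i -f FILE"
# does the same conversion where OpenSSH is available.

# rfc4716_to_openssh FILE  -> prints "<keytype> <base64 blob> <comment>"
rfc4716_to_openssh() {
    blob='' comment=''
    while IFS= read -r line; do
        case "$line" in
            ----*)     ;;                                   # BEGIN/END markers
            Comment:*) comment=${line#"Comment: "}          # PuTTYgen's comment
                       comment=${comment#\"}; comment=${comment%\"} ;;
            *:*)       ;;                                   # other headers
            *)         blob="$blob$line" ;;                 # wrapped base64
        esac
    done < "$1"
    # The blob starts with the key type as a 4-byte big-endian length
    # followed by the type string ("ssh-rsa" for PuTTYgen's default).
    len=$(printf '%s' "$blob" | base64 -d | head -c 4 | od -An -tu1 | awk '{print $4}')
    ktype=$(printf '%s' "$blob" | base64 -d | head -c $((4 + len)) | tail -c "$len")
    printf '%s %s %s\n' "$ktype" "$blob" "$comment"
}

# install_pubkey KEYLINE [SSHDIR]  -> appends KEYLINE to SSHDIR/authorized_keys
# once (re-runs add nothing) and sets the modes sshd's StrictModes checks.
install_pubkey() {
    key=$1; dir=${2:-$HOME/.ssh}; auth="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth"
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    chmod 600 "$auth"
}

# sample_pubkey_file FILE  -> writes a constructed PuTTYgen-style file.
# The blob is a fake 5-byte "modulus" built for this example, not a real key.
sample_pubkey_file() {
    cat > "$1" <<'EOF'
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20200101"
AAAAB3NzaC1yc2EAAAADAQABAAAABQDA
/+4B
---- END SSH2 PUBLIC KEY ----
EOF
}
```

To use it on the server, source the file and run `install_pubkey "$(rfc4716_to_openssh putty.pub)"` with the file you uploaded from Windows.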

With "plink.exe", you can include the key in the command line after the "-i" option, for example:

plink -i %HOMEPATH%\.ssh\putty.ppk -ssh root@my.server.com

For PuTTY you have to do some extra steps:

  • Run PuTTY. This will open the configuration editor.
  • In the "Category" tree to the left click on "Session".
  • Enter the host name or the IP address and the port in the main window pane.
  • Choose the connection type "SSH".
  • In the category tree, expand "Connection" and click on "Data".
  • Fill in the auto-login user name (for example "root").
  • In the category tree, expand "SSH".
  • Click on "Auth".
  • In the main window pane, click on "Browse" and locate the private key (in my case, it's "putty.ppk").
  • In the category tree, click on "Session" again.
  • In the "Saved Sessions" field in the main window pane, give the session any name, for example "root@my.server.com".
  • Click "Save".
  • Click "Open" to see if it works.

If you want to run PuTTY again to access the server:
  • Run PuTTY. This will open the configuration editor.
  • In the "Saved Sessions" list double-click the session you created above, for example "root@my.server.com".

Pretty complicated, isn't it? That's why Unix admins don't like Windows.

Windows Client → Windows Server

t.b.s.

Login to remote server

Unix

You can use ssh, scp, and sftp now without supplying a password; this also holds true after the password is changed on the remote system, for example:

ssh user@remote_system
scp /tmp/x.dat user@remote_system:/tmp
sftp user@remote_system

Windows

See section "Windows Client → Unix Server" above.

SSH Tunneling Examples

This is not an in-depth explanation of SSH tunnelling - just a few solutions I needed for myself.

Tunneling RDP from Mac/OS-X to Windows

For security reasons, I wanted to tunnel my RDP connection from my Mac client to a Windows server.

Prerequisites 

There are some steps to perform in advance:

  • Install an SSH server for Windows, for example Bitvise WinSSHD.
  • Install an RDP application on your Mac. As RDP client, I'm using the excellent CoRD application.
  • Set up SSH to login without a password, as described above.
  • Make sure that this works, for example by entering "ssh Administrator@my.server.com" in a Terminal window.

Manual Approach

From the terminal window, enter the following command (replacing "my.server.com" with your server name):

# no -f here: ssh stays in the foreground, so "exit" in this window closes the tunnel again
ssh -L3389:127.0.0.1:3389 administrator@my.server.com

Leave the terminal window open.

Launch the RDP application and connect to "127.0.0.1" instead of "my.server.com".

After finishing the RDP session, type "exit" in the terminal window to close the tunnel.

Finder-clickable App

As a first step, save an RDP session that connects to 127.0.0.1 and note where the client stores it.

In a second step, create a shell script where the two actions are combined, for example:

#! /bin/bash
ssh -f -L3389:127.0.0.1:3389 administrator@my.server.com sleep 10
open ~/Documents/RDC\ Connections/Tunnel.rdp &

Here is a short explanation of what's happening here:

  • Line 1 tells the system which Shell to use.
  • The command in line 2 is similar to the one used in the manual approach, except for the trailing "sleep 10". With "-f", ssh goes to the background; it exits only after "sleep 10" has finished and all forwarded connections are closed. So the Finder and the RDP client get ten seconds to launch and connect, and once the RDP session is connected the tunnel stays up until that session ends.
  • Line 3 asks the Finder to open your RDP app using the session information saved above.

Save the file as something like "RDP-tunnel.sh". Run the following commands to set the execution rights and test the script:

chmod a+x RDP-tunnel.sh
./RDP-tunnel.sh

If this works, create the clickable application by entering

mkdir -p RDP-tunnel.app/MacOS
mv RDP-tunnel.sh RDP-tunnel.app/MacOS/RDP-tunnel

Test by double-clicking the application in the Finder. Then you can move the application wherever you wish.
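The same launcher as an added example (not the page's own script), with the page's host and .rdp path as assumed values: it starts the RDP client only once the tunnel's local port answers instead of relying on the ten-second window, reuses a tunnel that is already open, and binds the forwarded port to 127.0.0.1 explicitly. It needs bash for /dev/tcp, and "open" is the macOS command used above.

```shell
#!/bin/bash
# Added example, not the page's own script: the Finder-clickable tunnel
# from above, but the RDP client is launched only once the tunnel's local
# port answers, and an already running tunnel is reused instead of failing
# on a second bind. Host and .rdp path are the page's example values.
TUNNEL_HOST="administrator@my.server.com"
RDP_FILE="$HOME/Documents/RDC Connections/Tunnel.rdp"
LOCAL_PORT=3389

# port_open HOST PORT: succeeds if a TCP connect to HOST:PORT is accepted.
# Uses bash's /dev/tcp so nothing beyond bash is needed on the Mac.
port_open() {
    (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

# wait_for_port HOST PORT SECONDS: poll once a second until the port is
# accepted or SECONDS have passed (returns 1 then).
wait_for_port() {
    i=0
    while [ "$i" -lt "$3" ]; do
        port_open "$1" "$2" && return 0
        sleep 1; i=$((i + 1))
    done
    return 1
}

main() {
    if port_open 127.0.0.1 "$LOCAL_PORT"; then
        echo "port $LOCAL_PORT already answers locally, reusing that tunnel"
    else
        # Bind to 127.0.0.1 explicitly so the forwarded RDP port is never
        # reachable from other hosts, whatever the ssh GatewayPorts setting.
        # "sleep 10" keeps the page's trick: ssh stays up while the forwarded
        # RDP connection exists and exits by itself once it is closed.
        ssh -f -L "127.0.0.1:$LOCAL_PORT:127.0.0.1:3389" "$TUNNEL_HOST" sleep 10
        # Only proves the local listener is up, not that RDP on the server is.
        wait_for_port 127.0.0.1 "$LOCAL_PORT" 10 ||
            { echo "tunnel to $TUNNEL_HOST did not come up" >&2; exit 1; }
    fi
    open "$RDP_FILE"
}

# Run only when invoked under the script/app name used on this page, so the
# file can also be sourced just for its functions.
case "$0" in *RDP-tunnel*) main "$@" ;; esac
```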

Double-Tunneling Terminal Access MacOS/X → Windows → Linux

Due to firewall rules some of our Linux servers are not reachable directly from my Mac client, but I can ssh to a Windows machine which in turn can ssh to the servers.

Using the setup described above I can gain access to the root shell of the Linux machines by entering 

ssh administrator@my.windows.com "plink -i .ssh/putty.ppk -ssh root@my.linux.com"

The terminal emulation is not perfect, but for occasional maintenance activities it's easier than RDP'ing to the Windows server and then using PuTTY from there.

It's useful to create an alias - for bash in $HOME/.profile, for tcsh in $HOME/.cshrc: 

alias web-prod3='ssh administrator@my.windows.com "plink -i .ssh/putty.ppk -ssh root@my.linux.com"'
# tcsh aliases take no "=":  alias web-prod3 'ssh administrator@my.windows.com "plink -i .ssh/putty.ppk -ssh root@my.linux.com"'