Having a set of public/private key pairs that allow you to log in to a remote Linux system without a password or run commands over SSH can be handy, but the setup is a bit complicated. Here are methods and scripts to help you.

It’s not hard to set up an account on Linux that allows you to log in or run commands remotely without a password, but you need to master some tedious details to make it work. In this article, we’ll go through the process and then present a script that can help with the trivial details.

Once set up, secret-free access is especially useful if you want to run SSH commands in a script, especially if you want to configure commands that run automatically.

Note that you don’t need to use the same user account on both systems. In fact, you can use the public key for multiple accounts on your system or for different accounts on multiple systems.

Set the parameters as follows.

On what system?

First, you need to start with the system that is issuing the command. That’s the system you use to create SSH keys. You also need to be able to access and run these commands on accounts on remote systems.

For character clarity, we call the first system in the scene “boss” because it will issue commands to run on another system.

Therefore, the command prompt is as follows:

boss$
Copy the code

If you have not already set up a public/private key pair for your account on the boss system, create one using the commands shown below. Note that you can choose between various encryption algorithms. (Generally RSA or DSA is used.) Note that to access the system without entering a password, you need to enter no password at the two prompts in the dialog below.

If you already have a public/private key pair associated with this account, skip this step.

boss$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/myself/.ssh/id_rsa):
Enter passphrase (empty forNo passphrase): <== Press Enter to Enter the same passphrase again: <== Press Enter to save Your identification has been savedin /home/myself/.ssh/id_rsa.
Your public key has been saved in /home/myself/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:1zz6pZcMjA1av8iyojqo6NVYgTl1+cc+N43kIwGKOUI myself@boss
The key's randomart image is: +---[RSA 3072]----+ | . .. | | E+ .. . | | .+ .o + o | | .. +.. .o* . | | ... So+*B o | | + ... ==B . | | . o . .... ++. | |o o . . o.. o+ | |=.. o.. . o o. | +----[SHA256]-----+Copy the code

The command shown above creates the public and private keys. The public key is used for encryption and the private key for decryption. Therefore, the relationship between these keys is critical, and private keys should never be shared. Instead, it should be saved in the.ssh folder of the boss system.

Note that at creation time, your public and private keys will be stored in the.ssh folder.

The next step is to copy the public key to the system you want secret-free access from the boss system. You can use the SCP command to do this, but you still need to enter the password. In this case, the system is called “Target.”

boss$ scp .ssh/id_rsa.pub myacct@target:/home/myaccount
myacct@target's password:
Copy the code

You need to install the public key on the target system (the system that will run the command). If you don’t have a.ssh directory (for example, you’ve never used SSH on that system), running a command like this will set up a directory for you:

target$ ssh localhost date
target$ ls -la .ssh
total 12
drwx------ 2 myacct myacct 4096 Jan 19 11:48 .
drwxr-xr-x 6 myacct myacct 4096 Jan 19 11:49 ..
-rw-r--r-- 1 myacct myacct  222 Jan 19 11:48 known_hosts
Copy the code

Still on the target system, you need to add the public key transferred from the “boss” system to the.ssh/authorized_keys file. If the file already exists, use the following command to add it to the end of the file; If the file does not exist, it is created and the key is added.

target$ cat id_rsa.pub >> .ssh/authorized_keys
Copy the code

Next, you need to make sure that your authorized_keys file has permissions of 600. If not, run the chmod 600. SSH /authorized_keys command.

target$ ls -l authorized_keys
-rw------- 1 myself myself 569 Jan 19 12:10 authorized_keys
Copy the code

Also check that the permissions on the.ssh directory on the target system are set to 700. If necessary, run the chmod 700. SSH command to change the permission.

target$ ls -ld .ssh
drwx------ 2 myacct myacct 4096 Jan 14 15:54 .ssh
Copy the code

At this point, you should be able to run commands remotely from the boss system to the target system without secret. This should work unless the target user account on the target system has the same old public key as the user and host you are trying to connect to. If so, you should delete the earlier (and conflicting) entries.

Using a script

Some tasks can be made easier by using scripts. However, one annoying problem you encounter in the example script below is that you have to enter the target user’s password multiple times before you can configure secret free access. One option is to split the script into two parts — commands that need to run on the boss system and commands that need to run on the Target system.

Here’s the one-step version of the script:

#! /bin/bash
# NOTE: This script requires that you have the password for the remote acct
# in order to set up password-free access using your public key

LOC=`hostname`  # the local system from which you want to run commands from
                # wo a password

# get target system and account
echo -n "target system> "
read REM
echo -n "target user> "
read user

# create a key pair if no public key exists
if[!-f ~/.ssh/id_rsa.pub ]; then
  ssh-keygen -t rsa
fi

# ensure a .ssh directory exists in the remote account
echo checking for .ssh directory on remote system
ssh $user@$REM "if [ ! -d /home/$user/.ssh ]; then mkdir /home/$user/.ssh; fi"

# share the public key (using local hostname)
echo copying the public key
scp ~/.ssh/id_rsa.pub $user@$REM:/home/$user/$user-$LOC.pub

# put the public key into the proper location
echo adding key to authorized_keys
ssh $user@$REM "cat /home/$user/$user-$LOC.pub >> /home/$user/.ssh/authorized_ke
ys"

# set permissions on authorized_keys and .ssh (might be OK already)
echo setting permissions
ssh $user@$REM "chmod 600 ~/.ssh/authorized_keys"
ssh $user@$REM "chmod 700 ~/.ssh"

# try it out -- should NOT ask for a password
echo testing -- if no password is requested, you are all set
ssh $user@$REM /bin/hostname
Copy the code

The script is configured to tell you what it is doing every time you have to enter a password. The interaction looks like this:

$ ./rem_login_setup
target system> fruitfly
target user> lola
checking for .ssh directory on remote system
lola@fruitfly's password:
copying the public key
lola@fruitfly'S password: id_rsa.pub 100% 567 219.1KB/s 00:00 Adding key to authorized_keys lola@fruitfly's password:
setting permissions
lola@fruitfly's password:
testing -- if no password is requested, you are all set
fruitfly
Copy the code

After the above scenario, you can log into Lola’s account like this:

$ ssh lola@fruitfly
[lola@fruitfly ~]$
Copy the code

Once set up, you can log in from the boss system to the target system and run arbitrary SSH commands without entering a password. Just because your account is operating in this security-free way doesn’t mean it’s not secure. However, depending on the nature of the Target system, protecting your password on the Boss system may become more important.


Via: www.networkworld.com/article/351…

Author: Sandra Henry-Stocker (lujun9972

This article is originally compiled by LCTT and released in Linux China