
Using SSH and SCP without entering password


When administering many Unix servers, there are situations where you need to run a script on one server from another without entering a password. For example, say you need to take a cold backup of an Oracle database, but before starting it you need to stop the application running on another server. In your Oracle backup script, you could ssh to the application server and run a script that stops the application before the backup starts. But to do that from a script, you need a way to log on to the application server without having to enter a password.

In this article, we demonstrate how to configure SSH so that you can log in from one server to another without entering a password. Some environments run OpenSSH on their Linux servers and the commercial Tectia SSH on their AIX servers. OpenSSH and Tectia SSH do not use the same key format, and depending on the versions you run, making an automated connection between the two can become tricky. In our examples, we demonstrate the setup required so that user “robert” can log in from server1 to server2 without entering a password, in a mixed environment of OpenSSH and Tectia SSH.

OpenSSH server configuration (/etc/ssh/sshd_config)

If you are using OpenSSH and have secured your ssh environment, chances are that you disabled direct “root” access to your server with the line “PermitRootLogin no” in your ssh daemon configuration file. If you change that line to “PermitRootLogin without-password”, password login to “root” is still refused. But if you have configured your server to accept public key authentication (PubkeyAuthentication yes) and the proper setup is done, you can log on to the server with no password. Below is the OpenSSH configuration file that I use for all the examples in this article.

Port                     22
Protocol                 2
SyslogFacility           AUTH
SyslogFacility           AUTHPRIV
LoginGraceTime           120
PermitRootLogin          without-password
PubkeyAuthentication    yes
HostbasedAuthentication  no
PasswordAuthentication  yes
RhostsRSAAuthentication  no
IgnoreRhosts             yes
StrictModes              yes
UsePrivilegeSeparation  yes
AllowTcpForwarding       no
X11Forwarding            yes
Subsystem sftp           /usr/libexec/openssh/sftp-server
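When reading a file like the one above, keep two sshd rules in mind: for most keywords sshd applies the first occurrence and ignores later duplicates (so the second SyslogFacility line above has no effect), and directives placed after a Match line apply only inside that block. The script below is an added example, not part of the original article: it looks up the effective global value of a keyword in a constructed sample file that mirrors the configuration above, and reports whether public key authentication is enabled (OpenSSH defaults PubkeyAuthentication to yes when the keyword is absent). The sample file and its Match block are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): look up the value sshd will apply
# for a keyword. sshd keeps the FIRST occurrence of a keyword, so duplicates
# lower in the file are ignored, and anything after a "Match" line is
# conditional, so the lookup stops there and reports the global value only.
# Limitation: only the "Keyword value" spelling is parsed, not "Keyword=value".

# Constructed sample mirroring the article's sshd_config (not a real file).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
Protocol 2
SyslogFacility AUTH
SyslogFacility AUTHPRIV        # ignored by sshd: AUTH above wins
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication yes
Match User robert
    PasswordAuthentication no  # conditional: not the global value
EOF

# sshd_effective <file> <keyword>: print the effective global value, or
# return 1 when the keyword is not set (the caller then applies the default).
sshd_effective() {
    _file=$1
    _want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')    # keywords are case-insensitive
    set -f                                          # no globbing when splitting lines
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}                          # strip comments
        set -- $_line                               # split into keyword and arguments
        [ $# -ge 1 ] || continue
        _kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        [ "$_kw" = match ] && break                 # rest of the file is conditional
        [ $# -ge 2 ] || continue
        if [ "$_kw" = "$_want" ]; then
            shift; set +f; printf '%s\n' "$*"; return 0
        fi
    done < "$_file"
    set +f
    return 1
}

# pubkey_enabled <file>: 0 if sshd accepts public keys. When the keyword is
# absent, OpenSSH defaults to "yes".
pubkey_enabled() {
    _v=$(sshd_effective "$1" PubkeyAuthentication) || _v=yes
    [ "$_v" = yes ]
}

# Demo run: prints AUTH, without-password and "pubkey: enabled".
sshd_effective "$SAMPLE_CFG" SyslogFacility
sshd_effective "$SAMPLE_CFG" PermitRootLogin
pubkey_enabled "$SAMPLE_CFG" && echo "pubkey: enabled"
```

Point the functions at /etc/ssh/sshd_config on a real server to see what sshd will actually use; a keyword that appears only inside a Match block is reported as unset, so check the Match conditions by hand in that case.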

The OpenSSH version used for all the examples below is:

# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

Tectia SSH server configuration (/etc/ssh2/ssh-server-config.xml)

The only action needed to permit public key authentication for users is to list ‘publickey’ as an allowed authentication method in the ssh-server-config.xml file:

<authentication-methods>
  <authentication action="allow">
    <auth-publickey />
    ...
  </authentication>
</authentication-methods>

Other authentication methods can also be allowed. Place the least interactive method first.

For all the Tectia SSH examples below we used the following version:

# sshg3 -V
sshg3.bin: SSH Tectia Client 6.1.3 on powerpc-ibm-aix5.1.0.0
Build: 59
Product: SSH Tectia Client

Automating SSH connection from OpenSSH to OpenSSH


This example demonstrates how to set up public key authentication so that user “robert” can log in from server1 (OpenSSH) to server2 (OpenSSH) without having to enter a password.

1) Generate the private and public key for user “robert” on server1.

robert@server1:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/robert/.ssh/id_rsa):
Created directory '/home/robert/.ssh'.
Enter passphrase (empty for no passphrase): <CR>
Enter same passphrase again: <CR>
Your identification has been saved in /home/robert/.ssh/id_rsa.
Your public key has been saved in /home/robert/.ssh/id_rsa.pub.
The key fingerprint is:
6f:17:ac:ac:b6:9c:13:90:57:aa:ee:1c:b1:e0:93:e2
robert@server1

robert@server1:~$ cd .ssh
robert@server1:~/.ssh$ ls -l
total 3
-rw------- 1 robert robert 1675 Nov 22 08:19 id_rsa
-rw-r--r-- 1 robert robert  404 Nov 22 08:19 id_rsa.pub
robert@server1:~/.ssh$

2) Copy the public key file to a more descriptive name.

robert@server1:~/.ssh$ cp id_rsa.pub server1_rsa.pub
robert@server1:~/.ssh$ ls -l
total 4
-rw------- 1 robert robert 1675 Nov 22 08:19 id_rsa
-rw-r--r-- 1 robert robert  404 Nov 22 08:19 id_rsa.pub
-rw-r--r-- 1 robert robert  404 Nov 22 08:24 server1_rsa.pub
robert@server1:~/.ssh$

3) Create the .ssh directory on the remote server and copy the public key from server1 onto server2.

robert@server2:~$ pwd
/home/robert
robert@server2:~$ mkdir .ssh
robert@server2:~$ chmod 700 .ssh
robert@server2:~$ cd .ssh
robert@server2:~/.ssh$ scp robert@server1:/home/robert/.ssh/server1_rsa.pub .
The authenticity of host 'server1 (192.168.1.101)' can't be established.
RSA key fingerprint is b4:8d:56:71:c9:7e:97:ba:79:87:95:0d:8a:29:fc:9a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server1,192.168.1.101' (RSA) to the list of known hosts.
robert@server1's password: *********
server1_rsa.pub                                    100%  404     0.4KB/s   00:00

4) Add the public key of “robert” from server1 to the authorized_keys file on server2.

robert@server2:~/.ssh$ ls -l
total 2
-rw-r--r-- 1 robert robert 401 Nov 22 08:29 known_hosts
-rw-r--r-- 1 robert robert 404 Nov 22 08:31 server1_rsa.pub
robert@server2:~/.ssh$
robert@server2:~/.ssh$ cat server1_rsa.pub >> authorized_keys
robert@server2:~/.ssh$ chmod 644 authorized_keys

5) Test our automated ssh connection from server1 to server2

The first time, you will need to accept the host key of server2. After that first connection, no confirmation is needed.

robert@server1:~/.ssh$ ssh server2
The authenticity of host 'server2 (192.168.1.133)' can't be established.
RSA key fingerprint is 28:cc:97:fb:ec:79:94:7f:bf:ef:82:bd:d2:c4:41:d2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server2,192.168.1.133' (RSA) to the list of known hosts.
robert@server2:~$

robert@server1:~/.ssh$ ssh server2
Last login: Sun Nov 22 08:36:41 2009 from server1.maison.ca
robert@server2:~$
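Steps 3 and 4 above get repeated for every server pair, and two details decide whether the result keeps working. Appending the same key twice leaves duplicate lines in authorized_keys, and with StrictModes yes (as in the configuration earlier) sshd refuses the key and logs a “bad ownership or modes” message if the home directory, .ssh or authorized_keys is writable by group or others, so the client silently falls back to asking for a password. The script below is an added example, not part of the article: it installs a key line idempotently with the permissions sshd expects, checks the write bits StrictModes looks at, and wraps the test connection with BatchMode so that a cron job fails instead of hanging on a password prompt. The public key blob is constructed, not a real key, and the throwaway home directory is created for the demo.

```shell
#!/bin/sh
# Added example (not from the article): idempotent authorized_keys install,
# the permission check StrictModes enforces, and a non-interactive login test.

# Constructed sample: a minimal ssh-rsa structure, NOT a usable key.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAABAwAAAAEF robert@server1'

# install_authorized_key <home dir> <public key line>
# Creates ~/.ssh (700) and authorized_keys (600) if missing and appends the
# key unless the same blob (field 2) is already present. Plain key lines only;
# lines with a leading options field are not matched.
install_authorized_key() {
    _home=$1; _key=$2
    _dir=$_home/.ssh; _ak=$_dir/authorized_keys
    mkdir -p "$_dir" && chmod 700 "$_dir" || return 1
    [ -f "$_ak" ] || : > "$_ak"
    chmod 600 "$_ak"
    _blob=$(printf '%s\n' "$_key" | awk '{print $2}')
    if awk -v b="$_blob" '$2 == b { found = 1 } END { exit !found }' "$_ak"; then
        return 0                                    # already authorized
    fi
    printf '%s\n' "$_key" >> "$_ak"
}

# strictmodes_ok <home dir>: 0 when the home directory, ~/.ssh and
# authorized_keys carry no group/other write bit, which is what StrictModes
# checks (together with ownership, which is not verified here).
strictmodes_ok() {
    for _p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$_p" ] || continue
        _w=$(ls -ld "$_p" | cut -c6,9)              # group-write and other-write columns
        if [ "$_w" != "--" ]; then
            printf 'StrictModes would reject %s (%s)\n' "$_p" "$(ls -ld "$_p" | cut -c1-10)"
            return 1
        fi
    done
    return 0
}

# authorized_count <home dir>: number of key lines installed
authorized_count() { wc -l < "$1/.ssh/authorized_keys" | tr -d ' '; }

# batch_login_ok <user@host>: 0 only if key authentication works without any
# prompt. BatchMode=yes makes ssh fail instead of asking for a password, which
# is what a backup script run from cron needs. (Needs a real host; not run here.)
batch_login_ok() {
    ssh -o BatchMode=yes -o ConnectTimeout=10 "$1" true
}

# Demo on a throwaway home directory: installing twice leaves one line.
DEMO_HOME=$(mktemp -d)
install_authorized_key "$DEMO_HOME" "$SAMPLE_PUBKEY"
install_authorized_key "$DEMO_HOME" "$SAMPLE_PUBKEY"
echo "keys installed: $(authorized_count "$DEMO_HOME")"
strictmodes_ok "$DEMO_HOME" && echo "permissions OK"
```

The article uses chmod 644 on authorized_keys, which sshd also accepts; what matters to StrictModes is that neither group nor others can write to the file or to the directories above it. On a real server, `batch_login_ok robert@server2` is the check to put at the top of the backup script.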

Automating SSH connection from OpenSSH to Tectia SSH


This example demonstrates how to set up public key authentication so that user “robert” can log in from server1 (OpenSSH) to server2 (Tectia SSH) without having to enter a password.

1) Generate the private and public keys of “robert” on the local server (server1).

robert@server1:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/robert/.ssh/id_rsa):
Created directory '/home/robert/.ssh'.
Enter passphrase (empty for no passphrase): <CR>
Enter same passphrase again: <CR>
Your identification has been saved in /home/robert/.ssh/id_rsa.
Your public key has been saved in /home/robert/.ssh/id_rsa.pub.
The key fingerprint is:
6f:17:ac:ac:b6:9c:13:90:57:aa:ee:1c:b1:e0:93:e2
robert@server1:~$

robert@server1:~$ cd .ssh
robert@server1:~/.ssh$ ls -l
total 3
-rw------- 1 robert robert 1675 Nov 22 08:19 id_rsa
-rw-r--r-- 1 robert robert  404 Nov 22 08:19 id_rsa.pub
robert@server1:~/.ssh$

2) Copy the public key to a more descriptive name and convert it to Tectia SSH format.

robert@server1:~/.ssh$ cp id_rsa.pub server1_rsa.pub
robert@server1:~/.ssh$ ssh-keygen -e -f server1_rsa.pub > server1_ssh2.pub
robert@server1:~/.ssh$ ls -l
total 6
-rw------- 1 robert robert 1675 Nov 22 08:19 id_rsa
-rw-r--r-- 1 robert robert  404 Nov 22 08:19 id_rsa.pub
-rw-r--r-- 1 robert robert  401 Nov 22 08:36 known_hosts
-rw-r--r-- 1 robert robert  404 Nov 22 08:24 server1_rsa.pub
-rw-rw-r-- 1 robert robert  514 Nov 22 10:15 server1_ssh2.pub
robert@server1:~/.ssh$

3) From the remote server (server2), fetch the Tectia SSH format public key of “robert” from server1.

robert@server2:~/$ ls -al
total 4
drwxr-xr-x   2 robert   staff           512 Nov 22 08:59 .
drwxr-xr-x   7 bin      bin             512 Nov 22 08:58 ..
-rwxr-----   1 robert   staff           254 Nov 22 08:58 .profile
-rw-------   1 robert   staff           110 Nov 22 10:08 .sh_history

robert@server2:~/$ mkdir .ssh2
robert@server2:~/$ chmod 700 .ssh2
robert@server2:~/$ cd .ssh2
robert@server2:~/$ scpg3 robert@server1:/home/robert/.ssh/server1_ssh2.pub . (replace scpg3 by scp if using V4)
robert@server1 password: ********
server1_rsa_ssh2.pub                        |   514B |   3.7kiB/s | TOC: 00:00:00 | 100%
robert@server2:~/$

4) Add the public key of “robert” from server1 to the authorization file on server2.

robert@server2:~/$ echo "Key server1_ssh2.pub" >> ~/.ssh2/authorization

5) Test our automated ssh connection from server1 to server2

robert@server1:~/.ssh$ ssh robert@server2
The authenticity of host 'server2 (192.168.1.130)' can't be established.
RSA key fingerprint is cb:98:02:be:4c:0d:80:8e:bc:20:cf:45:03:fc:70:54.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server2,192.168.1.130' (RSA) to the list of known hosts.
robert@server2:~/.ssh$ 

robert@server1:~/.ssh$ ssh robert@server2 date
Sun Nov 22 10:16:06 EST 2009
robert@server1:~/.ssh$

Automating SSH connection from Tectia SSH to OpenSSH


This example demonstrates how to set up public key authentication so that user “robert” can log in from server1 (Tectia SSH) to server2 (OpenSSH) without having to enter a password.

1) Generate Tectia SSH private and public keys for user “robert” on server1.

robert@server1:~/$ ssh-keygen-g3 (use ssh-key if using V4)
Generating 2048-bit dsa key pair
153 oOOo.oOo.oOo
Key generated.
2048-bit dsa, robert@server1, Sun Nov 22 2009 19:21:21 -0500
Passphrase : <CR>
Again      : <CR>
Key is stored with NULL passphrase.
(You can ignore the following warning if you are generating hostkeys.)
This is not recommended. Don't do this unless you know what you're doing.
If file system protections fail (someone can access the keyfile),
or if the super-user is malicious, your key can be used without the deciphering effort.
Private key saved to /home/robert/.ssh2/id_dsa_2048_a
Public key saved to /home/robert/.ssh2/id_dsa_2048_a.pub
robert@server1:~/$

1a) Identify the private key name in the identification file (Not needed for version 5 and above)

robert@server1:~/ $ echo "IdKey id_dsa_2048_a" >> identification

2) Copy the public key to a more descriptive name.

robert@server1:~/$ pwd
/home/robert
robert@server1:~/$ cd .ssh2
robert@server1:~/$ ls -l
total 11
-rw-------   1 robert   staff          1389 Nov 22 19:25 id_dsa_2048_a
-rw-r--r--   1 robert   staff          1257 Nov 22 19:25 id_dsa_2048_a.pub
robert@server1:~/$ cp id_dsa_2048_a.pub server1_ssh2.pub

3) From the remote server (server2), fetch the Tectia SSH public key of “robert” from server1.

robert@server2:~$ pwd
/home/robert
robert@server2:~$ mkdir .ssh
robert@server2:~$ chmod 700 .ssh
robert@server2:~$ cd .ssh
robert@server2:~/.ssh$ scp robert@server1:/home/robert/.ssh2/server1_ssh2.pub .
The authenticity of host 'server1' (192.168.1.130)' can't be established.
RSA key fingerprint is cb:98:02:be:4c:0d:80:8e:bc:20:cf:45:03:fc:70:54.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server1,192.168.1.130' (RSA) to the list of known hosts.
Password Authentication:
robert's password: ********

server1_ssh2.pub                                            100% 1257     1.2KB/s   00:00

4) Convert the Tectia SSH key to OpenSSH format and add it to the authorized_keys file.

robert@server2:~/.ssh$ ssh-keygen -i -f server1_ssh2.pub > server1_ssh.pub
robert@server2:~/.ssh$ cat server1_ssh.pub >> authorized_keys
robert@server2:~/.ssh$ chmod 644 authorized_keys
 

5) Test the automated ssh connection of “robert” from server1 to server2

robert@server1:~/$ sshg3 robert@server2
Please select how you want to proceed.
cancel) Cancel the connection.
once) Proceed with the connection but do not save the key.
save) Proceed with the connection and save the key for future use.
Please select one (cancel, once, save): save
Authentication successful.
Last login: Sun Nov 22 08:38:03 2009 from server1.maison.ca
robert@server2:~$

robert@server1:~/$ sshg3 robert@server1 date
Authentication successful.
Sun Nov 22 19:56:04 EST 2009
robert@server1:~/$
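Both conversions used above (ssh-keygen -e in step 2 of the OpenSSH to Tectia case, and ssh-keygen -i in step 4 of the Tectia to OpenSSH case) change only the wrapping of the key. The base64 blob is the same in the OpenSSH one-line format and in the Tectia “SSH2” format (RFC 4716), which adds BEGIN/END marker lines, optional headers such as Comment: and Subject:, and folds the base64 at 70 characters. The script below is an added example, not part of the article and not ssh-keygen's implementation: it performs both conversions in plain shell so the difference is visible, and reads the key type back out of the blob, whose first field is the length-prefixed algorithm name. The sample blobs are constructed minimal structures rather than real keys, and base64(1) from coreutils is assumed to be present.

```shell
#!/bin/sh
# Added example (not from the article, not ssh-keygen's code): convert a
# public key between the OpenSSH one-line format and the RFC 4716 "SSH2"
# format used by Tectia. Only the wrapper differs; the base64 blob is shared.
# Assumes base64(1) from coreutils for reading the algorithm name back.

# Constructed sample: minimal ssh-rsa structure (e=3, n=5), NOT a usable key.
SAMPLE_OPENSSH='ssh-rsa AAAAB3NzaC1yc2EAAAABAwAAAAEF robert@server1'

# openssh_to_rfc4716 "<type> <base64> [comment]" -> RFC 4716 text on stdout
openssh_to_rfc4716() {
    set -- $1                               # split the line into type, blob, comment
    [ $# -ge 2 ] || return 1
    _b64=$2; shift 2; _comment=$*
    printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----'
    [ -n "$_comment" ] && printf 'Comment: "%s"\n' "$_comment"
    printf '%s\n' "$_b64" | fold -w 70      # RFC 4716 limits lines to 72 characters
    printf '%s\n' '---- END SSH2 PUBLIC KEY ----'
}

# rfc4716_to_openssh < file -> "<type> <base64> [comment]" on stdout; 1 if malformed
rfc4716_to_openssh() {
    _b64=''; _comment=''; _cont=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in '---- '*) continue ;; esac       # BEGIN / END marker lines
        if [ "$_cont" -eq 1 ]; then                     # continuation of a header
            case $_line in *\\) ;; *) _cont=0 ;; esac
            continue
        fi
        case $_line in
            Comment:*) _comment=${_line#Comment:}
                       _comment=${_comment# }
                       _comment=${_comment#\"}; _comment=${_comment%\"} ;;
            *:*)       ;;                               # Subject: and other headers
            *)         _b64=$_b64$_line; continue ;;    # body line: accumulate
        esac
        case $_line in *\\) _cont=1 ;; esac             # header continues on next line
    done
    [ -n "$_b64" ] || return 1
    # The blob starts with a length-prefixed algorithm name; decode a few
    # bytes and keep only name characters to read it.
    _name=$(printf '%s' "$_b64" | base64 -d 2>/dev/null | head -c 32 | tr -cd 'a-z0-9-')
    case $_name in
        ssh-rsa*)     _type=ssh-rsa ;;
        ssh-dss*)     _type=ssh-dss ;;
        ssh-ed25519*) _type=ssh-ed25519 ;;
        *)            return 1 ;;
    esac
    printf '%s %s%s\n' "$_type" "$_b64" "${_comment:+ $_comment}"
}

# roundtrip: OpenSSH -> RFC 4716 -> OpenSSH must give the original line back
roundtrip() { openssh_to_rfc4716 "$SAMPLE_OPENSSH" | rfc4716_to_openssh; }

openssh_to_rfc4716 "$SAMPLE_OPENSSH"
roundtrip
```

On a real key, compare the output of `rfc4716_to_openssh < server1_ssh2.pub` with what `ssh-keygen -i -f server1_ssh2.pub` prints: the type and blob are identical, and ssh-keygen only differs in how it fills the comment.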

Automating SSH connection from Tectia SSH to Tectia SSH


This example demonstrates the steps needed so that user “robert” can log in from server1 (Tectia SSH) to server2, which also runs Tectia SSH, without having to enter a password.

1) Generate the Tectia SSH private and public keys of “robert” on server1.

robert@server1:~/$ ssh-keygen-g3 (ssh-keygen for version 4)
Generating 2048-bit dsa key pair
153 oOOo.oOo.oOo
Key generated.
2048-bit dsa, robert@server1, Sun Nov 22 2009 19:21:21 -0500
Passphrase : <CR>
Again      : <CR>
Key is stored with NULL passphrase.
(You can ignore the following warning if you are generating hostkeys.)
This is not recommended. Don't do this unless you know what you're doing.
If file system protections fail (someone can access the keyfile),
or if the super-user is malicious, your key can be used without the deciphering effort.
Private key saved to /home/robert/.ssh2/id_dsa_2048_a
Public key saved to /home/robert/.ssh2/id_dsa_2048_a.pub
robert@server1:~/$

2) Copy the public key to a more descriptive name.

robert@server1:~$ pwd
/home/robert
robert@server1:~ $ cd .ssh2
robert@server1:~ $ ls -l
total 11
-rw-------   1 robert   staff          1389 Nov 22 19:25 id_dsa_2048_a
-rw-r--r--   1 robert   staff          1257 Nov 22 19:25 id_dsa_2048_a.pub
robert@server1:~ $
robert@server1:~ $ cp id_dsa_2048_a.pub server1_ssh2.pub

3) Identify the private key name in the identification file (Not needed for version 5 and above)

robert@server1:~/ $ echo "IdKey id_dsa_2048_a" >> identification

4) Copy the Tectia SSH public key of “robert” from server1 onto server2.

robert@server2:~/$ scpg3 robert@server1:/home/robert/.ssh2/server1_ssh2.pub . (use scp in V4)
robert@server1s password: ********
server1_ssh2.pub                                   |   514B |   3.7kiB/s | TOC: 00:00:00 | 100%
robert@server2:~/$

5) Add the public key of “robert” from server1 to the authorization file on server2.

robert@server2:~/$ echo "Key server1_ssh2.pub" >> ~/.ssh2/authorization

6) Test our automated ssh connection from server1 to server2

robert@server1:~/$ sshg3 robert@server2
Please select how you want to proceed.
cancel) Cancel the connection.
once) Proceed with the connection but do not save the key.
save) Proceed with the connection and save the key for future use.
Please select one (cancel, once, save): save
Authentication successful.
Last login: Sun Nov 22 08:38:03 2009 from server1.maison.ca
robert@server2:~$

robert@server1:~/$ sshg3 robert@server1 date
Authentication successful.
Sun Nov 22 19:56:04 EST 2009
robert@server1:~/$

I hope this article will be useful to many of you, and that you will come back to it whenever you need it.

See you soon.
