Using SSH and SCP without entering password
When administering a lot of Unix servers, there are situations when you need to run a script from one server on another without entering a password. For example, say you need to take a cold backup of an Oracle database, but before starting it you need to stop the application running on another server. In your Oracle backup script, you could “ssh” to the application server and run a script that stops the application before the backup starts. But to do that from a script, you need a way to log on to the application server without having to enter a password.
In this article, we will demonstrate how to configure SSH so that it lets you log from one server to another without having to enter a password. Some environments run OpenSSH on their Linux servers and the commercial Tectia SSH on the AIX servers. OpenSSH and Tectia SSH do not use the same key format, and depending on the versions you are running, automating a connection between the two can become tricky. In our examples, we will demonstrate the setup required so that user “robert” is able to log from server1 to server2 without having to enter a password in a mixed environment of OpenSSH and Tectia SSH.
OpenSSH server configuration (/etc/ssh/sshd_config)
If you are using OpenSSH and you have secured your SSH environment, chances are that you disabled direct “root” access to your server with the line “PermitRootLogin no” in your SSH daemon configuration file. If you change that line to “PermitRootLogin without-password”, direct login as “root” with a password is still refused. But if you have configured your server to accept public key authentication (PubkeyAuthentication yes) and the proper setup is done, you should be able to log on to the server with no password. Below is the OpenSSH configuration file that I use for all the examples below.
Port 22
Protocol 2
SyslogFacility AUTH
SyslogFacility AUTHPRIV
LoginGraceTime 120
PermitRootLogin without-password
PubkeyAuthentication yes
HostbasedAuthentication no
PasswordAuthentication yes
RhostsRSAAuthentication no
IgnoreRhosts yes
StrictModes yes
UsePrivilegeSeparation yes
AllowTcpForwarding no
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
The OpenSSH version used for all the examples below is:
# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
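The following script is an added example and not part of the article: it reads an sshd_config file the way sshd does (keywords are case-insensitive, the first occurrence of a keyword is the one that counts, lines starting with “#” are comments, and nothing after a “Match” header applies globally) and checks the settings the passwordless setup above depends on. The embedded configuration is the one printed above; note its two SyslogFacility lines, of which sshd only honours the first. Only POSIX sh and awk are used; the file name check_sshd.sh is a hypothetical one.

```shell
#!/bin/sh
# Added example (not from the article): evaluate an sshd_config the way sshd does
# and report whether public key login as set up in the article will work.

# Constructed sample: the article's configuration. sshd keeps the first
# SyslogFacility line (AUTH) and ignores the second one.
SAMPLE_SSHD_CONFIG='Port 22
Protocol 2
SyslogFacility AUTH
SyslogFacility AUTHPRIV
LoginGraceTime 120
PermitRootLogin without-password
PubkeyAuthentication yes
HostbasedAuthentication no
PasswordAuthentication yes
RhostsRSAAuthentication no
IgnoreRhosts yes
StrictModes yes
UsePrivilegeSeparation yes
AllowTcpForwarding no
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server'

# sshd_value FILE KEYWORD: print the effective global value of KEYWORD.
# Prints nothing when the file does not set it (the compiled-in default applies).
sshd_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ || NF == 0 { next }       # comment or blank line
        tolower($1) == "match" { exit }      # everything after Match is conditional
        tolower($1) == want {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")  # drop the keyword, keep the rest verbatim
            sub(/[ \t]+$/, "")
            print
            exit                             # first occurrence wins, as in sshd
        }
    ' "$1"
}

# check_pubkey_login FILE: print one line per setting and return 0 when the file
# lets authorized_keys be used (PubkeyAuthentication on), 1 otherwise.
check_pubkey_login() {
    f=$1; rc=0
    pubkey=$(sshd_value "$f" PubkeyAuthentication)
    strict=$(sshd_value "$f" StrictModes)
    root=$(sshd_value "$f" PermitRootLogin)
    # PubkeyAuthentication and StrictModes both default to yes when absent
    if [ "${pubkey:-yes}" = yes ]; then echo "ok   PubkeyAuthentication ${pubkey:-yes (default)}"
    else echo "FAIL PubkeyAuthentication $pubkey: authorized_keys is never consulted"; rc=1; fi
    if [ "${strict:-yes}" = yes ]; then echo "ok   StrictModes ${strict:-yes (default)}"
    else echo "WARN StrictModes $strict: sshd will accept world-writable key files"; fi
    case "$root" in
        yes) echo "WARN PermitRootLogin yes: root may log in directly with any enabled method" ;;
        "")  echo "note PermitRootLogin not set: this version's default applies" ;;
        *)   echo "ok   PermitRootLogin $root" ;;
    esac
    return $rc
}

# Demonstration on the embedded sample.
demo=$(mktemp -d)
printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$demo/sshd_config"
echo "effective SyslogFacility: $(sshd_value "$demo/sshd_config" SyslogFacility)"
check_pubkey_login "$demo/sshd_config"
rm -rf "$demo"
```

Point sshd_value at the real /etc/ssh/sshd_config on server2 to see which value sshd actually applies when a keyword appears more than once.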
Tectia SSH server configuration (/etc/ssh2/ssh-server-config.xml)
The only action needed to permit public key authentication for users is to list ‘publickey’ as an allowed authentication method in the ssh-server-config.xml file:
<authentication-methods>
<authentication action="allow">
<auth-publickey />
...
</authentication>
</authentication-methods>
Other authentication methods can also be allowed. Place the least interactive method first.
For all the Tectia SSH examples below we used the following version:
# sshg3 -V
sshg3.bin: SSH Tectia Client 6.1.3 on powerpc-ibm-aix5.1.0.0
Build: 59
Product: SSH Tectia Client
Automating SSH connection from OpenSSH to OpenSSH
This example demonstrates how to set up public key authentication so that user “robert” can log from server1 (OpenSSH) to server2 (OpenSSH) without having to enter a password.
1) Generate the private and public key for user “robert” on server1.
robert@server1:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/robert/.ssh/id_rsa):
Created directory '/home/robert/.ssh'.
Enter passphrase (empty for no passphrase): <CR>
Enter same passphrase again: <CR>
Your identification has been saved in /home/robert/.ssh/id_rsa.
Your public key has been saved in /home/robert/.ssh/id_rsa.pub.
The key fingerprint is:
6f:17:ac:ac:b6:9c:13:90:57:aa:ee:1c:b1:e0:93:e2 robert@server1
robert@server1:~$ cd .ssh
robert@server1:~/.ssh$ ls -l
total 3
-rw------- 1 robert robert 1675 Nov 22 08:19 id_rsa
-rw-r--r-- 1 robert robert  404 Nov 22 08:19 id_rsa.pub
robert@server1:~/.ssh$
2) Copy the public key file to a more descriptive name.
robert@server1:~/.ssh$ cp id_rsa.pub server1_rsa.pub
robert@server1:~/.ssh$ ls -l
total 4
-rw------- 1 robert robert 1675 Nov 22 08:19 id_rsa
-rw-r--r-- 1 robert robert  404 Nov 22 08:19 id_rsa.pub
-rw-r--r-- 1 robert robert  404 Nov 22 08:24 server1_rsa.pub
robert@server1:~/.ssh$
3) Create the .ssh directory on the remote server and copy the public key from server1 onto server2.
robert@server2:~$ pwd
/home/robert
robert@server2:~$ mkdir .ssh
robert@server2:~$ chmod 700 .ssh
robert@server2:~$ cd .ssh
robert@server2:~/.ssh$ scp robert@server1:/home/robert/.ssh/server1_rsa.pub .
The authenticity of host 'server1 (192.168.1.101)' can't be established.
RSA key fingerprint is b4:8d:56:71:c9:7e:97:ba:79:87:95:0d:8a:29:fc:9a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server1,192.168.1.101' (RSA) to the list of known hosts.
robert@server1's password: *********
server1_rsa.pub                               100%  404     0.4KB/s   00:00
4) Add “robert” public key from server1 to the authorized_keys file on server2
robert@server2:~/.ssh$ ls -l
total 2
-rw-r--r-- 1 robert robert 401 Nov 22 08:29 known_hosts
-rw-r--r-- 1 robert robert 404 Nov 22 08:31 server1_rsa.pub
robert@server2:~/.ssh$ cat server1_rsa.pub >> authorized_keys
robert@server2:~/.ssh$ chmod 644 authorized_keys
5) Test our automated ssh connection from server1 to server2
The first time, you will need to accept the host key of server2. After that first connection, no confirmation is needed.
robert@server1:~/.ssh$ ssh server2
The authenticity of host 'server2 (192.168.1.133)' can't be established.
RSA key fingerprint is 28:cc:97:fb:ec:79:94:7f:bf:ef:82:bd:d2:c4:41:d2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server2,192.168.1.133' (RSA) to the list of known hosts.
robert@server2:~$
robert@server1:~/.ssh$ ssh server2
Last login: Sun Nov 22 08:36:41 2009 from server1.maison.ca
robert@server2:~$
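The server-side half of steps 3 and 4 as an idempotent script; this is an added example, not code from the article. It appends a public key to authorized_keys only when that key (type and base64 blob) is not already listed, then applies the permissions sshd checks when StrictModes is on: the home directory, ~/.ssh and authorized_keys must not be group- or world-writable, otherwise the key is silently ignored. The article's “chmod 644 authorized_keys” satisfies that rule too; 600 is used here only because nobody else needs to read the file. sshd additionally requires those paths to be owned by the user or root, which this script does not check. It assumes POSIX sh, awk and ls, and works on a local home directory, so in real use it runs on server2 once the key file has been copied over.

```shell
#!/bin/sh
# Added example (not from the article): add a public key to ~/.ssh/authorized_keys
# exactly once and make sure StrictModes will not reject the files.

# writable_by_others PATH: succeed when group or other has the write bit.
# Columns 6 and 9 of "ls -l" are the group and other write flags.
writable_by_others() {
    case "$(ls -ld "$1" | cut -c6,9)" in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# install_pubkey PUBKEY_FILE HOME_DIR: list the key once, then fix permissions.
install_pubkey() {
    pub=$1; home=$2; ak="$home/.ssh/authorized_keys"
    key=$(awk 'NF >= 2 { print $1, $2; exit }' "$pub")
    [ -n "$key" ] || { echo "no public key found in $pub" >&2; return 1; }
    mkdir -p "$home/.ssh"
    touch "$ak"
    # compare type and blob only; the trailing comment may differ between copies
    if awk -v k="$key" '($1 " " $2) == k { found = 1 } END { exit !found }' "$ak"; then
        echo "already authorized (no change): $pub"
    else
        awk 'NF >= 2 { print; exit }' "$pub" >> "$ak"   # always ends with a newline
        echo "added: $pub"
    fi
    chmod go-w "$home"
    chmod 700 "$home/.ssh"
    chmod 600 "$ak"
}

# audit_strictmodes HOME_DIR: report anything that makes sshd (StrictModes yes)
# ignore authorized_keys. Returns 0 when all three paths are acceptable.
audit_strictmodes() {
    home=$1; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "FAIL $p is missing"; rc=1
        elif writable_by_others "$p"; then
            echo "FAIL $p is group- or world-writable: sshd will ignore the key"; rc=1
        else
            echo "ok   $p"
        fi
    done
    return $rc
}

# Demonstration in a throwaway directory standing in for /home/robert on server2.
demo=$(mktemp -d)
# constructed public key line; the blob is a placeholder, not real key material
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAplaceholderCONSTRUCTEDkeyblob== robert@server1' \
    > "$demo/server1_rsa.pub"
install_pubkey "$demo/server1_rsa.pub" "$demo/home"
install_pubkey "$demo/server1_rsa.pub" "$demo/home"   # second run adds nothing
audit_strictmodes "$demo/home"
rm -rf "$demo"
```

Run audit_strictmodes against the real home directory whenever a key that was installed correctly still prompts for a password: a group-writable home directory is the usual cause.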
Automating SSH connection from OpenSSH to Tectia SSH
This example demonstrates how to set up public key authentication so that user “robert” can log from server1 (OpenSSH) to server2 (Tectia SSH) without having to enter a password.
1) Generate “robert” private and public keys on the local server (server1).
robert@server1:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/robert/.ssh/id_rsa):
Created directory '/home/robert/.ssh'.
Enter passphrase (empty for no passphrase): <CR>
Enter same passphrase again: <CR>
Your identification has been saved in /home/robert/.ssh/id_rsa.
Your public key has been saved in /home/robert/.ssh/id_rsa.pub.
The key fingerprint is:
6f:17:ac:ac:b6:9c:13:90:57:aa:ee:1c:b1:e0:93:e2 robert@server1
robert@server1:~$ cd .ssh
robert@server1:~/.ssh$ ls -l
total 3
-rw------- 1 robert robert 1675 Nov 22 08:19 id_rsa
-rw-r--r-- 1 robert robert  404 Nov 22 08:19 id_rsa.pub
robert@server1:~/.ssh$
2) Copy the public key to a more descriptive name and convert it to Tectia SSH format.
robert@server1:~/.ssh$ cp id_rsa.pub server1_rsa.pub
robert@server1:~/.ssh$ ssh-keygen -e -f server1_rsa.pub > server1_ssh2.pub
robert@server1:~/.ssh$ ls -l
total 6
-rw------- 1 robert robert 1675 Nov 22 08:19 id_rsa
-rw-r--r-- 1 robert robert  404 Nov 22 08:19 id_rsa.pub
-rw-r--r-- 1 robert robert  401 Nov 22 08:36 known_hosts
-rw-r--r-- 1 robert robert  404 Nov 22 08:24 server1_rsa.pub
-rw-rw-r-- 1 robert robert  514 Nov 22 10:15 server1_ssh2.pub
robert@server1:~/.ssh$
3) From the remote server (server2), get robert's Tectia SSH public key from server1.
robert@server2:~/$ ls -al
total 4
drwxr-xr-x 2 robert staff 512 Nov 22 08:59 .
drwxr-xr-x 7 bin    bin   512 Nov 22 08:58 ..
-rwxr----- 1 robert staff 254 Nov 22 08:58 .profile
-rw------- 1 robert staff 110 Nov 22 10:08 .sh_history
robert@server2:~/$ mkdir .ssh2
robert@server2:~/$ chmod 700 .ssh2
robert@server2:~/$ cd .ssh2
robert@server2:~/$ scpg3 robert@server1:/home/robert/.ssh/server1_ssh2.pub .    (replace scpg3 by scp if using V4)
robert@server1 password: ********
server1_rsa_ssh2.pub | 514B | 3.7kiB/s | TOC: 00:00:00 | 100%
robert@server2:~/$
4) Add robert's public key from server1 to the authorization file on server2.
robert@server2:~/$ echo "Key server1_ssh2.pub" >> ~/.ssh2/authorization
5) Test our automated ssh connection from server1 to server2
robert@server1:~/.ssh$ ssh robert@server2
The authenticity of host 'server2 (192.168.1.130)' can't be established.
RSA key fingerprint is cb:98:02:be:4c:0d:80:8e:bc:20:cf:45:03:fc:70:54.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server2,192.168.1.130' (RSA) to the list of known hosts.
robert@server2:~/.ssh$
robert@server1:~/.ssh$ ssh robert@server2 date
Sun Nov 22 10:16:06 EST 2009
robert@server1:~/.ssh$
Automating SSH connection from Tectia SSH to OpenSSH
This example demonstrates how to set up public key authentication so that user “robert” can log from server1 (Tectia SSH) to server2 (OpenSSH) without having to enter a password.
1) Generate Tectia SSH private and public keys for user “robert” on server1.
robert@server1:~/$ ssh-keygen-g3    (use ssh-key if using V4)
Generating 2048-bit dsa key pair
153 oOOo.oOo.oOo
Key generated.
2048-bit dsa, robert@server1, Sun Nov 22 2009 19:21:21 -0500
Passphrase : <CR>
Again : <CR>
Key is stored with NULL passphrase.
(You can ignore the following warning if you are generating hostkeys.)
This is not recommended.
Don't do this unless you know what you're doing.
If file system protections fail (someone can access the keyfile), or if the
super-user is malicious, your key can be used without the deciphering effort.
Private key saved to /home/robert/.ssh2/id_dsa_2048_a
Public key saved to /home/robert/.ssh2/id_dsa_2048_a.pub
robert@server1:~/$
1a) Identify the private key name in the identification file (Not needed for version 5 and above)
robert@server1:~/ $ echo "IdKey id_dsa_2048_a" >> identification
2) Copy the public key to a more descriptive name.
robert@server1:~/$ pwd
/home/robert
robert@server1:~/$ cd .ssh2
robert@server1:~/$ ls -l
total 11
-rw------- 1 robert staff 1389 Nov 22 19:25 id_dsa_2048_a
-rw-r--r-- 1 robert staff 1257 Nov 22 19:25 id_dsa_2048_a.pub
robert@server1:~/$ cp id_dsa_2048_a.pub server1_ssh2.pub
3) From the remote server (server2), get robert's Tectia SSH public key from server1.
robert@server2:~$ pwd
/home/robert
robert@server2:~$ mkdir .ssh
robert@server2:~$ chmod 700 .ssh
robert@server2:~$ cd .ssh
robert@server2:~/.ssh$ scp robert@server1:/home/robert/.ssh2/server1_ssh2.pub .
The authenticity of host 'server1 (192.168.1.130)' can't be established.
RSA key fingerprint is cb:98:02:be:4c:0d:80:8e:bc:20:cf:45:03:fc:70:54.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server1,192.168.1.130' (RSA) to the list of known hosts.
Password Authentication:
robert's password: ********
server1_ssh2.pub                              100% 1257     1.2KB/s   00:00
4) Convert Tectia SSH key to OpenSSH format & add it to the authorization file.
robert@server2:~/.ssh$ ssh-keygen -i -f server1_ssh2.pub > server1_ssh.pub
robert@server2:~/.ssh$ cat server1_ssh.pub >> authorized_keys
robert@server2:~/.ssh$ chmod 644 authorized_keys
5) Test robert's automated ssh connection from server1 to server2
robert@server1:~/$ sshg3 robert@server2
Please select how you want to proceed.
cancel) Cancel the connection.
once) Proceed with the connection but do not save the key.
save) Proceed with the connection and save the key for future use.
Please select one (cancel, once, save): save
Authentication successful.
Last login: Sun Nov 22 08:38:03 2009 from server1.maison.ca
robert@server2:~$
robert@server1:~/$ sshg3 robert@server1 date
Authentication successful.
Sun Nov 22 19:56:04 EST 2009
robert@server1:~/$
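The two conversions used in this article, “ssh-keygen -e” (OpenSSH one-line key to the RFC 4716 “SSH2” file Tectia reads, step 2 of the previous section) and “ssh-keygen -i” (the reverse, step 4 above), only change the framing around the key: the base64 blob is carried over unchanged. The script below is an added example, not OpenSSH or Tectia code, that performs both conversions in sh and awk so the result can be inspected or cross-checked when the two hosts run different ssh-keygen versions. The key type for the OpenSSH line is read from the blob's fixed prefix, which encodes the type-name string (“ssh-rsa” or “ssh-dss”) at the start of the key; only those two types, the ones the article uses, are recognised. Unlike ssh-keygen -i, it also restores the Comment header as the OpenSSH trailing comment. The sample key is constructed filler, not real key material.

```shell
#!/bin/sh
# Added example (not from the article): convert public keys between the OpenSSH
# one-line format and the RFC 4716 "SSH2" file format used by Tectia.

# Constructed sample, not a real key: the prefix is the one every ssh-rsa blob
# starts with; the rest is filler long enough to exercise line wrapping.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxCONSTRUCTEDxFILLERxNOTxAxREALxKEYx0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz== robert@server1'

# key_type_of BASE64: print the key type encoded at the head of the blob.
key_type_of() {
    case "$1" in
        AAAAB3NzaC1yc2E*) echo ssh-rsa ;;
        AAAAB3NzaC1kc3M*) echo ssh-dss ;;
        *) echo "unrecognised key type" >&2; return 1 ;;
    esac
}

# openssh_to_ssh2 FILE: read a one-line OpenSSH public key, print it as RFC 4716.
# The comment becomes a Comment: header; the blob is wrapped at 70 columns
# (the RFC allows up to 72).
openssh_to_ssh2() {
    awk 'NF >= 2 {
        print "---- BEGIN SSH2 PUBLIC KEY ----"
        comment = ""
        for (i = 3; i <= NF; i++) comment = comment (i > 3 ? " " : "") $i
        if (comment != "") printf "Comment: \"%s\"\n", comment
        b64 = $2
        while (length(b64) > 70) { print substr(b64, 1, 70); b64 = substr(b64, 71) }
        print b64
        print "---- END SSH2 PUBLIC KEY ----"
        exit
    }' "$1"
}

# ssh2_to_openssh FILE: read an RFC 4716 file, print the one-line OpenSSH form.
# Header lines ("Name: value", continued when a line ends in a backslash) are
# skipped; the Comment header, if any, is restored as the trailing comment.
ssh2_to_openssh() {
    b64=$(awk '
        function continued(s) { return substr(s, length(s), 1) == "\\" }
        /^---- BEGIN SSH2 PUBLIC KEY ----/ { inkey = 1; next }
        /^---- END SSH2 PUBLIC KEY ----/   { inkey = 0; next }
        !inkey { next }
        cont { cont = continued($0); next }          # continuation of a header
        /^[A-Za-z0-9-]+:/ { cont = continued($0); next }   # header line
        { printf "%s", $0 }                          # body: join the base64 lines
    ' "$1")
    comment=$(awk -F'"' '/^Comment: "/ { print $2; exit }' "$1")
    type=$(key_type_of "$b64") || return 1
    printf '%s %s%s\n' "$type" "$b64" "${comment:+ $comment}"
}

# Demonstration: round-trip the sample key through both formats.
demo=$(mktemp -d)
printf '%s\n' "$SAMPLE_KEY" > "$demo/id_rsa.pub"
openssh_to_ssh2 "$demo/id_rsa.pub" > "$demo/id_rsa_ssh2.pub"
cat "$demo/id_rsa_ssh2.pub"
ssh2_to_openssh "$demo/id_rsa_ssh2.pub"   # prints the original line again
rm -rf "$demo"
```

To confirm that a converted file still carries the same key as the original, compare the blob fields or the fingerprints reported by each side's keygen tool; because the blob is copied verbatim, a difference means the file was mangled in transfer.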
Automating SSH connection from Tectia SSH to Tectia SSH
This example demonstrates the steps needed so that user “robert” can log from server1 (Tectia SSH) to server2, which is also running Tectia SSH, without having to enter a password.
1) Generate robert's Tectia SSH private and public keys on server1.
robert@server1:~/$ ssh-keygen-g3    (ssh-keygen for version 4)
Generating 2048-bit dsa key pair
153 oOOo.oOo.oOo
Key generated.
2048-bit dsa, robert@server1, Sun Nov 22 2009 19:21:21 -0500
Passphrase : <CR>
Again : <CR>
Key is stored with NULL passphrase.
(You can ignore the following warning if you are generating hostkeys.)
This is not recommended.
Don't do this unless you know what you're doing.
If file system protections fail (someone can access the keyfile), or if the
super-user is malicious, your key can be used without the deciphering effort.
Private key saved to /home/robert/.ssh2/id_dsa_2048_a
Public key saved to /home/robert/.ssh2/id_dsa_2048_a.pub
robert@server1:~/$
2) Copy the public key to a more descriptive name.
robert@server1:~$ pwd
/home/robert
robert@server1:~$ cd .ssh2
robert@server1:~$ ls -l
total 11
-rw------- 1 robert staff 1389 Nov 22 19:25 id_dsa_2048_a
-rw-r--r-- 1 robert staff 1257 Nov 22 19:25 id_dsa_2048_a.pub
robert@server1:~$ cp id_dsa_2048_a.pub server1_ssh2.pub
3) Identify the private key name in the identification file (Not needed for version 5 and above)
robert@server1:~/ $ echo "IdKey id_dsa_2048_a" >> identification
4) Get robert's Tectia SSH public key from server1 onto server2.
robert@server2:~/$ scpg3 robert@server1:/home/robert/.ssh2/server1_ssh2.pub .    (use scp in V4)
robert@server1's password: ********
server1_ssh2.pub | 514B | 3.7kiB/s | TOC: 00:00:00 | 100%
robert@server2:~/$
5) Add robert's public key from server1 to the authorization file on server2.
robert@server2:~/$ echo "Key server1_ssh2.pub" >> ~/.ssh2/authorization
6) Test our automated ssh connection from server1 to server2
robert@server1:~/$ sshg3 robert@server2
Please select how you want to proceed.
cancel) Cancel the connection.
once) Proceed with the connection but do not save the key.
save) Proceed with the connection and save the key for future use.
Please select one (cancel, once, save): save
Authentication successful.
Last login: Sun Nov 22 08:38:03 2009 from server1.maison.ca
robert@server2:~$
robert@server1:~/$ sshg3 robert@server1 date
Authentication successful.
Sun Nov 22 19:56:04 EST 2009
robert@server1:~/$
I hope this article will be useful for many of us, and that you will come back to it whenever you need it.
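The Tectia side of these procedures is driven by two plain-text lists under ~/.ssh2: on the server, “authorization” holds “Key <file>” lines naming the public keys that may log in (steps 4 and 5 of the two Tectia-server sections), and on a pre-5 client, “identification” holds “IdKey <file>” lines naming the private keys to offer (steps 1a and 3 of the two Tectia-client sections). Both refer to files relative to ~/.ssh2, and an entry that names a missing file just makes public key authentication fail for that key, after which the client falls back to the next allowed method, usually a password prompt. The script below is an added example, not Tectia's tooling, that adds an entry only once and then verifies that every entry resolves and that private keys named by IdKey are readable by their owner only. It assumes POSIX sh, awk and ls; the key files it creates are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): maintain ~/.ssh2/authorization and
# ~/.ssh2/identification and check that every entry points at a usable file.

# ssh2_add_entry SSH2_DIR Key|IdKey FILENAME: append "<keyword> <file>" to the
# list that keyword belongs to, unless that exact line is already there.
ssh2_add_entry() {
    dir=$1; kw=$2; name=$3
    case "$kw" in
        Key)   list="$dir/authorization" ;;
        IdKey) list="$dir/identification" ;;
        *)     echo "unknown keyword: $kw" >&2; return 1 ;;
    esac
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$list"
    if awk -v kw="$kw" -v n="$name" '$1 == kw && $2 == n { found = 1 } END { exit !found }' "$list"; then
        echo "already listed in $list: $kw $name"
        return 0
    fi
    printf '%s %s\n' "$kw" "$name" >> "$list"
    echo "added to $list: $kw $name"
}

# ssh2_verify SSH2_DIR: check that every Key/IdKey entry names an existing file and
# that private keys named by IdKey are not readable by group or other. Prints one
# line per entry and returns 0 when all entries are usable.
ssh2_verify() {
    dir=$1; rc=0
    for list in authorization identification; do
        [ -f "$dir/$list" ] || continue
        while read -r kw name rest; do
            case "$kw" in Key|IdKey) ;; *) continue ;; esac   # skip blanks, comments, other directives
            if [ ! -f "$dir/$name" ]; then
                echo "FAIL $list: $kw $name names a file that does not exist"; rc=1
            elif [ "$kw" = IdKey ] && [ "$(ls -l "$dir/$name" | cut -c5-10)" != "------" ]; then
                echo "FAIL $list: private key $name is readable by group or other"; rc=1
            else
                echo "ok   $list: $kw $name"
            fi
        done < "$dir/$list"
    done
    return $rc
}

# Demonstration with placeholder key files standing in for the ones the article creates.
demo=$(mktemp -d)
mkdir -p "$demo/server1/.ssh2" "$demo/server2/.ssh2"
printf 'PRIVATE KEY PLACEHOLDER\n' > "$demo/server1/.ssh2/id_dsa_2048_a"
chmod 600 "$demo/server1/.ssh2/id_dsa_2048_a"
printf 'PUBLIC KEY PLACEHOLDER\n' > "$demo/server2/.ssh2/server1_ssh2.pub"
ssh2_add_entry "$demo/server1/.ssh2" IdKey id_dsa_2048_a       # client side
ssh2_add_entry "$demo/server2/.ssh2" Key   server1_ssh2.pub    # server side
ssh2_add_entry "$demo/server2/.ssh2" Key   server1_ssh2.pub    # second run: no duplicate
ssh2_verify "$demo/server1/.ssh2"
ssh2_verify "$demo/server2/.ssh2"
rm -rf "$demo"
```

Running ssh2_verify on both ends is the quickest way to tell a typo in a Key or IdKey line apart from a conversion problem when the Tectia login unexpectedly asks for a password.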
See you soon.

mk1Syn Got it! Thanks a lot again for helping me out!