Logging in linux server with ssh keys - linux

I have two servers A and B.
Is it possible to do passwordless logins to B without changing anything on B?
I mean I want to configure A with whatever setting so that I can log in to B, like copying private/public keys etc.
Currently I am adding A's public key to B's authorized_keys.
Is there any other way of doing this without editing a file on B?

Currently I am adding A's public key to B's authorized_keys
This is problematic because anyone - friend or foe - who has access to A's private key, implicitly has access to B.
What I suggest involves a simple setup with a single key pair
You have your own key pair
You copy your public key - and only that - to every server you want to access
On your box you add this to .ssh/config:
Host A
ForwardAgent yes
You run ssh-add
At this point you can connect to A. Big woop, so what? Well, if from A you connect to B, it will just work. This is very secure and there is a single key you have to worry about: your own.
Read more about SSH agent forwarding at github.
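While a session with forwarding is open, anyone who can read the agent socket on host A can use your agent, so it is worth confirming that ForwardAgent is enabled only for the named host, as in the Host A block above. The script below is an added example, not part of the answer; the sample config and the function name forwarding_hosts are constructed for illustration, and it assumes a config made of plain Host blocks (no Match or Include lines).

```shell
#!/bin/sh
# Added example: report which Host patterns in an ssh client config turn on
# agent forwarding. Assumes plain Host blocks (no Match or Include lines).

# Constructed sample config; host names are placeholders.
sample_config() {
    cat <<'EOF'
Host A
    ForwardAgent yes
Host *.internal bastion
    forwardagent=yes
Host *
    ForwardAgent no
EOF
}

# forwarding_hosts FILE -> "ok PATTERN" for a named host with ForwardAgent yes,
# "WIDE PATTERN" when the pattern holds a wildcard (* or ?).
forwarding_hosts() {
    awk '
        { gsub(/=/, " "); key = tolower($1) }   # keywords: any case, "=" allowed
        /^[ \t]*#/ || NF == 0 { next }
        key == "host" { n = 0; for (i = 2; i <= NF; i++) pats[++n] = $i; next }
        key == "forwardagent" && tolower($2) == "yes" {
            if (n == 0) { n = 1; pats[1] = "*" }  # set before any Host: global
            for (i = 1; i <= n; i++) {
                tag = (pats[i] ~ /[*?]/) ? "WIDE" : "ok"
                print tag, pats[i]
            }
        }
    ' "$1"
}

tmp=$(mktemp)
sample_config > "$tmp"
forwarding_hosts "$tmp"
rm -f "$tmp"
```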

On A & B you firstly must already have generated your pubkeys with (assume you already have):
sudo ssh-keygen
Then use the command from machine A:
ssh-copy-id user@machineB -p <port #>
If you have generated a password for host B's private key you will have to enter that once and machine A's id_pub.rsa contents will be copied into machine B's authorized_keys.

Related

ssh using private-key without password

I have two servers A and B. I am trying to ssh from A to B using a private key and I don't want to provide the password of server B.
I am trying the command below for ssh:
ssh -i <generated_private_key> <user>@<host name>
The private key is perfectly fine, but this command is still asking for a password.
In order to use an ssh passwordless connection you need to place the contents of ~/.ssh/id_rsa.pub (id_rsa.pub is just an example, it could be anything you used during generation) of user@local_machine into the ~/.ssh/authorized_keys of some_user@remote_machine.
Further if other issues exist then you should check /var/log/ for the error.
Edit1:
Based on comments (thanks to @Crazy), if you used a passphrase during creation of the key then you need to recreate the key without the passphrase.

SSH : Copy files without password when using public key authentication.

We have 2 Debian servers, one for testing and one for live. I have some scripts which should be executed to transfer data from live to test. For both the servers we use PublicKeyAuthentication where our id_rsa.pub's contents are added to authorized_keys on test server.
Even after doing this, every time I initiate a transfer from one server to another, I am being asked for a password.
I also tried calling ssh-copy-id, but that didn't help and all I got was a duplicate entry in authorized_keys.
Lastly, when I try sshpass, I get the following message, and I cannot enter the password as it's just a message.
sshpass -v -p 'PASS' ssh root@our_server
SSHPASS searching for password prompt using match "assword"
SSHPASS read: Enter passphrase for key '/root/.ssh/id_rsa':
Any ideas? Thanks.
From the output of sshpass, it seems that it is asking for the password of the key, not the password for the server:
Enter passphrase for key '/root/.ssh/id_rsa'
Protecting your SSH-keys with a password is a good practice, but you can not fully automate things that way, as you discovered. Depending on your situation, you can do either of the following:
Use an SSH-agent. This is a daemon that will ask your password once, and keep the private key cached until you remove it. This still has the benefit that your SSH-key is stored password-protected on disk, but you can use it as a password-less key.
This has the added benefit that you can forward SSH-agent over SSH: if you SSH from your machine to server A, and then further on to server B, this last connection can use the key stored on your machine (instead of having to copy your key to server A).
Remove the password from the key entirely (you can use ssh-keygen to change the password to be blank)
How do you execute data transfer? Is it scp? Check your system usernames, make sure public keys are installed to authorized_keys file for correct user.
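Every line in authorized_keys is a separate credential that can log in as that user, and repeated appends can leave duplicates like the one reported in the question above. The script below is an added example, not from the answers; it lists each distinct key with its comment and flags duplicates and malformed lines. The sample file contents and the function name audit_authorized_keys are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise who can log in via an authorized_keys file.

# Constructed sample; the key blobs are placeholders, not real keys.
sample_authorized_keys() {
    cat <<'EOF'
# keys allowed to log in as root on the test server
ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-1 root@live
ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-1 root@live
from="10.0.0.5" ssh-ed25519 AAAAC3NzaC1lZDI1-PLACEHOLDER-2 deploy@C
ssh-rsa
EOF
}

# audit_authorized_keys FILE -> one line per distinct key blob:
#   "ok|DUPLICATE TYPE COMMENT xCOUNT", plus "MALFORMED line N" for bad lines.
audit_authorized_keys() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            # Options such as from="..." may precede the key type, so look
            # for the first field naming a key type; the blob follows it.
            k = 0
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-|sk-)/) { k = i; break }
            if (k == 0) { print "MALFORMED line " NR; next }
            blob = $(k + 1)
            if (!(blob in count)) { order[++n] = blob; ktype[blob] = $k }
            count[blob]++
            comment[blob] = (k + 2 <= NF) ? $(k + 2) : "(none)"
        }
        END {
            for (j = 1; j <= n; j++) {
                b = order[j]
                tag = (count[b] > 1) ? "DUPLICATE" : "ok"
                print tag, ktype[b], comment[b], "x" count[b]
            }
        }
    ' "$1"
}

tmp=$(mktemp)
sample_authorized_keys > "$tmp"
audit_authorized_keys "$tmp"
rm -f "$tmp"
```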

Confused regarding ssh keys on linux

I have few doubts regarding using private/public key on linux.
Suppose i have two linux boxes A and B.
I want to use password less logins to B from any computer.
so on A i did this
ssh-gen -t rsa and it made two files
id_rsa and id_rsa.pub
Then i copied id_rsa.pub to B ~/.ssh/A_id_rsa.pub and then
cat A_id_rsa.pub >> authorized_keys
Now i have these questions
Suppose I have another computer C where I also want to have passwordless login, but I want to use a key phrase to protect the private key. So can I generate another key using ssh-gen -t rsa with a different name and use that, or do I have to delete the previous key?
The other thing is, for passwordless logins do I need to do anything with keys from B to A, or is it always from A to B?
So the private key will always stay on the host computer only? I have seen that AWS gives the private key for login. Then why is that? Because for putting A's public key on B, someone needs to access B, which is not possible the first time. So does it mean we can log in with either the public key or the private key?
Yes, you can generate a key pair on C and do the same that you did for A:
cat C_id_rsa.pub >> authorized_keys
The keys will only allow logins from A to B.
Yes the private key will stay on the host computer. I believe AWS automatically puts the public key on computer B while it creates the virtual box.
In a quick line or two:
The keys somewhat work like (very roughly): you need the public key to decrypt what is encrypted by private key and vice-versa. To be more precise, http://en.wikipedia.org/wiki/Public-key_cryptography has way better information to start with.
So to answer the questions: The private key is not normally tied to a computer. You could copy the private key from, say A to C and could login by using it from C.
You could generate multiple keys on a single host, one key-pair for each set of hosts. Similarly, you could generate keys from multiple hosts, each host publishing its key to the target computer's (B in this example) 'authorized_keys' file.
Ideally, the private key should be as secret as possible. While the SSH or key-management would not force having the key on one computer, it should be limited to a single system as a best practice. Having said that, as far as I know there is really nothing that prevents copying the private key around, say for backup or migration to a new system. In other words, the private key file is like the password, it could be literally used from any system to login.

ssh with keys and without passphrase

I want to copy directories with scp from server A to a remote server B. As I want to do this with a script, I generated a private and a public key for the server, which work fine with WinSCP.
But when I try to copy with shell/script
scp -i <DIR>/key.ppk $tmpDirA/*.war $username@$server:$TmpDirB
I'm getting asked for the passphrase
Enter passphrase for key '<DIR>/key.ppk'
even though the passphrase was left empty when generating the keys.
Both servers (openSUSE) have OpenSSH, protocol 2, and the keys are RSA keys.
These keys were not generated with server A. Does it matter?
I can't see what point I'm missing. So thanks for any help.
Are you trying to use a PuTTY private key? OpenSSH does not support PuTTY private key files, but PuTTYgen can export to a format OpenSSH understands.
Are you sure ssh chooses the right key when copying?
Create a config file in ~/.ssh and define different hosts there, this ensures that ssh chooses the correct key.
Linux man page
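OpenSSH's ssh and scp load OpenSSH and PEM private keys, so a .ppk passed to -i is not parsed as a key, whatever its passphrase setting. The script below is an added example, not from the answers above; it classifies a key file by its header so the mismatch is caught before a scripted transfer runs. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a key file by its header before passing it to
# ssh -i / scp -i.

# key_file_format FILE -> putty-ppk-plain | putty-ppk-encrypted | pem-plain |
#   pem-encrypted | openssh-private | public-key | unknown
key_file_format() {
    first=$(head -n 1 "$1" | tr -d '\r')     # tolerate CRLF line endings
    case "$first" in
        PuTTY-User-Key-File-*)
            if grep -q '^Encryption: none' "$1"; then echo putty-ppk-plain
            else echo putty-ppk-encrypted; fi ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo openssh-private ;;          # passphrase state is inside the blob
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            echo pem-encrypted ;;
        "-----BEGIN "*"PRIVATE KEY-----")
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo pem-encrypted
            else echo pem-plain; fi ;;
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*)
            echo public-key ;;
        *)  echo unknown ;;
    esac
}

# openssh_can_load FILE -> exit status 0 if the file is a private-key format
# that OpenSSH reads, 1 for a PuTTY .ppk, a public key or anything else.
openssh_can_load() {
    case "$(key_file_format "$1")" in
        openssh-private|pem-plain|pem-encrypted) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: header lines of an unencrypted PuTTY key, body omitted.
ppk=$(mktemp)
printf 'PuTTY-User-Key-File-2: ssh-rsa\r\nEncryption: none\r\nComment: sample\r\n' > "$ppk"
echo "format: $(key_file_format "$ppk")"
openssh_can_load "$ppk" || echo "not loadable by ssh -i; export it from PuTTYgen first"
rm -f "$ppk"
```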

SSH key exchange

I have 2 servers with which I work: first one is application server and another one is archival server.
I access both of these servers using F-Secure SSH Client using the same user id and public-private key pair for authentication. It means that private key is stored on the Windows machine and public key is stored on both servers.
Now I need to access archival server from application server. To do that I have to do a key exchange first.
What is a standard approach in this case? Do I just copy my private key from Windows to the application server? Would it compromise security? Or do I need to generate a new key pair?
I appreciate your help!
P.S. I am relatively new to Unix administration, so don't be very hard on me :)
The standard approach is:
Generate on each machine/user a new private/public key pair
Use authorized keys file in .ssh and add every public key
Copy this authorized keys file to every remote host
Sidenote: The authorized key file as well as the key pairs are user@machine related
Sidenote2: Usually ppl block root completely from this process. Root should be neither accessible via pw auth nor with key auth.
@fyr's answer is correct, however you don't need to manually add or copy anything. You can do it with ssh-copy-id.
Assuming that the SSH server on your new machine is already running, from your old machine (which already has an SSH key pair, if not run ssh-keygen), run
ssh-copy-id -i ~/.ssh/mykey user@host
where the -i parameter denotes the location of your public key. The ssh-copy-id tool will add the .pub extension if necessary, so it won't be trying to send your private key.
A real-world example of this, let's say to exchange keys with a Raspberry Pi, would be:
ssh-copy-id -i ~/.ssh/id_rsa pi@192.168.1.11
This will ask for your password, but just once. If the key exchange is successful, you'll be able to ssh into it without needing a password.
