FAQ: Password-less SSH -- Two Distinct Accounts

"There’s No Such Thing As A Silly Question" -- does the cliche sound familiar? In this part of pimp-my-rig reloaded, technical questions are answered. Mail them to me and I will post the answers here. If you have a better answer, by all means share it with us.

FAQ: The previous FAQ outlined password-less ssh setup for a single account. Another scenario where password-less ssh can be set up is between two distinct accounts. In this scenario, trust can be established one-way or two-way. Again, the question is: How can you set up password-less ssh?

One-Way Trust. A very good application for this kind of set-up is one user account (username: user) and one application account (username: appl), where the user account is "trusted" by the application account: user can log in as appl without a password, but not the other way around.

Begin by generating the public and private key pair with ssh-keygen. As in the previous FAQ, leave the passphrase empty; otherwise the login will prompt for the passphrase and will not be completely password-less.

user@host:~ > ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
e8:3a:ad:11:d5:c5:89:7c:32:d6:3f:62:61:12:43:df user@host

You should be seeing the following files inside the .ssh directory (take note of the permissions: ssh refuses to use a private key that other users can read, and sshd ignores a .ssh directory or authorized_keys file that other users can write to):
user@host:~/.ssh > ls -la
total 17
drwx------ 2 user users  168 2008-09-09 14:42 .
drwxr-xr-x 9 user users  688 2008-09-09 14:34 ..
-rw-r--r-- 1 user users  622 2008-09-09 14:34 authorized_keys
-rw------- 1 user users 1675 2008-09-09 08:40 id_rsa
-rw-r--r-- 1 user users  396 2008-09-09 08:40 id_rsa.pub

With the public and private key pair generated, the contents of the public key (id_rsa.pub) need to be placed inside the authorized_keys file of the application account. First copy the public key over to the home directory of the application account (enter appl's password when asked):
user@host:~/.ssh > scp id_rsa.pub appl@remote:/home/appl
Password:
id_rsa.pub                                 100%  396     0.4KB/s   00:00

As user "appl", create the .ssh directory with permission 700 (drwx------). A safer and easier way to accomplish this is to run ssh-keygen as appl as well: it creates the .ssh directory with the correct permissions, and appl's own key pair will be needed anyway for two-way trust below.

Then append the contents of user's public key to appl's authorized_keys file.
appl@remote:~ > cat id_rsa.pub >> $HOME/.ssh/authorized_keys

On an initial set-up of password-less ssh, when appl has no authorized_keys file yet, the file id_rsa.pub can simply be copied to the file authorized_keys. Note that cp overwrites an existing authorized_keys file, so use the append form above if other keys are already authorized.
appl@remote:~ > cp id_rsa.pub $HOME/.ssh/authorized_keys

After doing the above steps, subsequent logins from user (on host) to appl (on remote) will not prompt for a password. One-way trust is established.

Two-Way Trust. As seen above one-way trust can be established by adding the contents of the user's public key to appl's authorized keys. To establish the two-way trust, appl's public key needs to be added to user's authorized keys -- the "reverse".

Generate a public and private key pair, if this has not been generated yet. Assuming that this was done in one of the steps above, all that needs to be done is to copy the public key to the home directory of user.
appl@remote:~/.ssh > scp id_rsa.pub user@host:/home/user
Password:
id_rsa.pub                                 100%  396     0.4KB/s   00:00

Likewise, append the contents of appl's public key to user's authorized_keys file.
user@host:~ > cat id_rsa.pub >> $HOME/.ssh/authorized_keys

Accomplishing the above steps establishes two-way trust between user and appl. If the home directories are served centrally (NIS with auto_home, or a network share), the key pairs and authorized_keys files follow the accounts, so trust between them works from any machine that mounts those home directories.
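The one-way and two-way steps above are the same operation applied in one or both directions: put a public key line into the other account's authorized_keys without breaking the permissions sshd insists on. The script below is an added example, not part of the original FAQ, that does this step idempotently (a repeated "cat >>" would leave duplicate lines) and then checks the permissions. It stands in for the scp and cat steps by operating on two local directories that play the roles of user's and appl's home directories; the key lines are constructed placeholders, not real keys. It sets authorized_keys to 600 rather than the 644 shown in the listing above; both are accepted by sshd.

```shell
#!/bin/sh
# Added example, not from the original FAQ. Installs a public key into an
# account's authorized_keys the way the FAQ's "cat id_rsa.pub >> ..." step does,
# but only once, and with the permissions sshd's StrictModes check requires.

# install_authorized_key PUBKEY_FILE TARGET_HOME
install_authorized_key() {
    pubkey_file=$1
    target_home=$2
    ssh_dir="$target_home/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # Accept exactly one line that looks like an OpenSSH public key.
    [ "$(grep -c '' "$pubkey_file")" -eq 1 ] || { echo "expected one key line in $pubkey_file" >&2; return 1; }
    grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) ' "$pubkey_file" \
        || { echo "$pubkey_file does not look like a public key" >&2; return 1; }

    # Create .ssh (700) and authorized_keys (600) with a restrictive umask so the
    # files never exist in a world-readable state, even briefly.
    ( umask 077; mkdir -p "$ssh_dir"; touch "$auth_keys" ) || return 1
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_keys"

    key_line=$(cat "$pubkey_file")
    if grep -qxF -- "$key_line" "$auth_keys"; then
        echo "key already authorized in $auth_keys"
    else
        printf '%s\n' "$key_line" >> "$auth_keys"
        echo "key added to $auth_keys"
    fi
}

# check_trust_files TARGET_HOME: succeeds only if .ssh is 700 and authorized_keys is 600.
check_trust_files() {
    ssh_dir="$1/.ssh"
    [ "$(ls -ld "$ssh_dir" | cut -c1-10)" = "drwx------" ] || return 1
    [ "$(ls -l "$ssh_dir/authorized_keys" | cut -c1-10)" = "-rw-------" ] || return 1
}

# count_authorized_keys TARGET_HOME: number of key lines currently authorized.
count_authorized_keys() {
    grep -c '' "$1/.ssh/authorized_keys"
}

# Walk through the FAQ's scenario with two throwaway home directories.
demo() {
    work=$(mktemp -d)
    user_home="$work/user"
    appl_home="$work/appl"
    mkdir -p "$user_home/.ssh" "$appl_home/.ssh"
    # Constructed placeholder key material, not output of ssh-keygen.
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0placeholder+user+key user@host\n' > "$user_home/.ssh/id_rsa.pub"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0placeholder+appl+key appl@remote\n' > "$appl_home/.ssh/id_rsa.pub"

    # One-way trust: user's public key goes into appl's authorized_keys.
    install_authorized_key "$user_home/.ssh/id_rsa.pub" "$appl_home"
    # Running it again does not add a second copy of the key.
    install_authorized_key "$user_home/.ssh/id_rsa.pub" "$appl_home"
    # Two-way trust: the reverse direction.
    install_authorized_key "$appl_home/.ssh/id_rsa.pub" "$user_home"

    check_trust_files "$appl_home" && check_trust_files "$user_home" && echo "permissions OK"
    echo "appl authorizes $(count_authorized_keys "$appl_home") key(s), user authorizes $(count_authorized_keys "$user_home") key(s)"
    rm -rf "$work"
}

demo
```

On a real host, call install_authorized_key with the copied id_rsa.pub and the real home directory while logged in as the receiving account, once on remote for one-way trust and once more on host for the reverse direction.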

In the next FAQ, the steps for password-less ssh from your Windows machine to your *nix machine will be outlined.
