  1. #1
    Linux Guru sdousley's Avatar
    Join Date
    Feb 2004
    Posts
    1,790

    Simple method to setup passwordless login to SSH


    Hi all.

    What's the best/easiest way to set up passwordless logins to ssh from a certain computer? I have a server on my computer and administrate it through SSH, and just wanted a way of being able to log into it without having to type the password in all the time.

    If possible, I would like it so that I can only log in without a password from ONLY my other computer on the network, as I'm in a house with other Uni mates who don't know much about computers.
    "I am not an alcoholic, alcoholics go to meetings"
    Registered Linux user = #372327

  2. #2
    Just Joined!
    Join Date
    Sep 2004
    Location
    So-Cal
    Posts
    17
    Best one I've found yet and works like a charm on my multiple gnu/linux machines:

    http://bumblebee.lcs.mit.edu/ssh2/

  3. #3
    Linux Guru kkubasik's Avatar
    Join Date
    Mar 2004
    Location
    Lat: 39:03:51N Lon: 77:14:37W
    Posts
    2,396
    I dunno about the specific security threats this might pose, but I feel obligated to warn you that every extra convenience to the end user generally creates another security issue. It's up to you, just my 2 cents. But I don't think typing a password is that bad... most clients allow you to store the passwd, so it's about the same, except your client is actually handling it, as opposed to just configuring the server to accept logins from other boxes, but whatever floats your boat.
    Avoid the Gates of Hell. Use Linux
    A Penny for your Thoughts

    Formerly Known as qub333

  5. #4
    Linux Engineer Giro's Avatar
    Join Date
    Jul 2003
    Location
    England
    Posts
    1,219
    There is nothing wrong really with using keys, just the same as normal but you don't keep typing a damn password in. Also good for running scp in batch mode!!

  6. #5
    Linux Guru sdousley's Avatar
    Join Date
    Feb 2004
    Posts
    1,790
    Quote Originally Posted by qub333
    I dunno about the specific security threats this might pose, but I feel obligated to warn you that every extra convenience to the end user generally creates another security issue. It's up to you, just my 2 cents. But I don't think typing a password is that bad... most clients allow you to store the passwd, so it's about the same, except your client is actually handling it, as opposed to just configuring the server to accept logins from other boxes, but whatever floats your boat.
    Surely what I want to do here would only pose a security threat if people logged onto my computer as the user I set this up with, as it would only use the keys I set up as the user I wanted to.
    "I am not an alcoholic, alcoholics go to meetings"
    Registered Linux user = #372327

  7. #6
    Just Joined!
    Join Date
    Sep 2004
    Location
    So-Cal
    Posts
    17
    In my opinion it is far worse to let a client store a password than using the public key method. In fact, a password isn't needed at all, and by following the method I linked to you'll see that it's blank. Sure that sounds bad, but when you understand how public key crypt works it's a lot safer.

    The client machine generates a private and public key, this public key is then sent to the server you are logging into. This public key is added to a list of authorized_keys that only the owner/user on the server can access:

    Code:
    micheal@jezebel:~/.ssh$ ls -l
    -rw-r-----  1 micheal micheal  605 May 25 17:49 authorized_keys2

    The only way you will be able to log into the server without a password is if the client has this private key. It's called a private key for a reason, no one else should have access to it and it should never be distributed.

    Now when an authorized client connects to a server, it checks the public key on the server with its private key, if they are a match the login is allowed to continue passwordless. If there isn't a match, then the client is prompted for a normal password login. This is pretty much exactly how normal password authentication works, it generates a hash based on your "private key", aka your password, and if it matches what's stored in /etc/passwd it lets you in.

    On the contrary, if a ssh client actually stores the password in a file, this file can be used to gain the actual password for the account including other passwords you have stored, opening up a huge security risk.

    Putting a password in every now and then may seem like something trivial, but Giro is correct with the "batch mode", I myself use this method to scp backup files over the net in a weekly cron job. It's also a lot easier to do remote administration using scripts and other utilities. If a private key is compromised and access is gained, only that account is vulnerable and other accounts remain safe.

    If you are still unsure that this isn't secure enough, set up your server/client to use SSH in inet mode with tcpwrappers, and only allow certain machines or networks access in your hosts.allow. This takes away from the convenience of being able to log in from anywhere you want, but it is also a strong barrier for an intruder to gain a foothold.

    Also never ever use a passwordless login for a root account, in fact, never log in as root any time and completely disable root logins in sshd.conf, just use sudo as a normal user.
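
The post above relies on the authorized keys file being accessible only to its owner and on limiting which machines may log in. As an added example (not part of the thread), this script audits such a file for loose permissions and for keys without a per-key `from="..."` restriction, a standard OpenSSH authorized_keys option the thread does not mention; the addresses and key material are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: audit an authorized_keys file.
# Reports (1) a file writable by group or others, and (2) key entries that
# lack a from="..." option limiting which client hosts may use the key.

# Prints one finding per line; returns 0 if clean, 1 if anything was found.
audit_authorized_keys() {
    file=$1
    found=0
    # Mode check uses POSIX find, so no GNU/BSD-specific stat is needed.
    if [ -n "$(find "$file" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "$file: writable by group or others"
        found=1
    fi
    awk '
        BEGIN {
            # Key type field, delimited by blanks on both sides.
            kt = "[ \t](ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+|sk-[a-z0-9@.-]+)[ \t]"
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            line = " " $0                      # so a leading key type matches too
            pos = match(line, kt)
            opts = substr(line, 1, pos - 1)    # options field; empty if none
            if (opts !~ /[ ,]from="[^"]+"/) {
                printf "line %d: key usable from any host (no from= option)\n", NR
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$file" || found=1
    return $found
}

# Demo on a constructed file (addresses and key material are placeholders).
demo_dir=$(mktemp -d)
cat > "$demo_dir/authorized_keys" <<'EOF'
# constructed sample entries
from="192.168.1.10" ssh-ed25519 AAAA_CONSTRUCTED_KEY_1 admin@desktop
ssh-rsa AAAA_CONSTRUCTED_KEY_2 backup@laptop
EOF
chmod 600 "$demo_dir/authorized_keys"
audit_authorized_keys "$demo_dir/authorized_keys" || true
rm -rf "$demo_dir"
```
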
