Tuesday, 2 June 2009

SSH auto login key generation

To generate a key for SSH login purposes run the following on the computer you want to login FROM.  The key files will be created in the users ~/.ssh/ directory.
# ssh-keygen -t rsa (Could also use -t dsa)
Enter a password if required, if intending to use for an automated account then leave password blank (in which case I STRONGLY recommend you also restrict the command as shown further down). Copy file *.pub to remote server and then add the key to the authorized keys file of the remote user.  Also check permissions are set correctly or it will not work.
# cat *.pub >> ~/.ssh/authorized_keys2
# chmod 600 authorized_keys2
Login with the following to see verbose errors etc:
# ssh -v [email protected]
It is possible to restrict the command which can be run with this type of connection to increase security. This allows us to only allow a specific rsync command for example so if the key is compromised it will limit the damage that can be done. To enforce this edit the beginning of the authorized_keys file as shown below, replacing with the command you want to be run and the correct key.
command="rsync --server -vlogDtprc . /var/www/html" ssh-dss AAAAB3Nz…[rest of key goes here]
See also: SSH tunnels post

Troubleshooting:
Check the file permissions of all the key files (and directories) as if incorrect it will fail with unhelpfull error message.
Note that password expiry policies still apply even if only using keys. The account will still block logins and enforce a password change even if you are trying to login with a key file - not what you want to happen on an automated account...
Check the spelling of the file "authorized_keys" - the number of times I have typed "authorised_keys" by mistake....

No comments:

Post a comment