
ssh-ecurity — Part 4: Look Ma', no passwords!

If you've been following along since the first installment, no doubt you've decided to give ssh a whirl. If you have, you have discovered the host key login mechanics discussed in the previous installment. The use of host key authentication is fine for most purposes, especially when you will log into a remote system and spend much of your time at its command line. It's also acceptable for those occasional remote command executions you may need to perform. You run ssh, specify your remote username and the remote host, and it prompts you for your password on that remote host. If you oblige it by supplying your password to authenticate yourself, you are securely logged in. So, what then is public key authentication?

The last installment of this blog was a discussion about the keys used in ssh communications and authentication. The purpose of discussing keys there was to prepare you for the discussion in this installment. To date, the discussion has assumed host key authentication, wherein ssh requires you to authenticate your account (username and password) against the remote system's authorization database over a secure encrypted channel. But what about the other authentication scheme — public key authentication — and what does it do that host key authentication does not?

Well, for one, public key authentication will identify you to the remote system by a unique set of keys that only you, conceivably, should possess. So what does this mean in terms of logging into the remote system? Well, it means that you and your client system are authenticated without having to send along a password used to authenticate yourself with the remote system's authorization database. In simple terms, you can ssh into a remote system without a password.

OK, so now you are wondering why you might want to do that. It's not a big effort to type your password. The answer to that is, no, it is not. However, there are benefits to being able to use ssh without a password.

Let's take a step back to the second installment: using ssh to execute remote commands. In that installment I used the example of issuing a command with ssh to get the uptime on an OpenVMS system and on a Linux system. Suppose you wanted to perform this task in your organization with many more than two systems. You might consider tossing a set of ssh remote command executions into a script or DCL procedure. Well, let's see what happens.

Here is a file which can be used on OpenVMS (UPTIMES.COM) as well as on Linux and Mac OS X (uptimes.sh).

ssh myusername@myvms.mydomain.com SHOW SYSTEM/NOPROCESSES
ssh myusername@mylinux.mydomain.com uptime

On OpenVMS, executing this with $ @UPTIMES without DCL verification enabled will cause each command executed to prompt for the account's password.

$ @UPTIMES
myusername's password:
OpenVMS V7.3-2 on node MYVMS 28-JUL-2009 16:59:34.03 Uptime 552 02:54:46
myusername's password:
17:02:24 up 9 days, 7:57, 4 users, load average: 0.28, 0.25, 0.2
$

On Linux or Mac OS X, the results are similar.

% /bin/sh ./uptimes.sh
myusername's password:
OpenVMS V7.3-2 on node MYVMS 28-JUL-2009 16:59:34.03 Uptime 552 02:54:46
myusername's password:
17:02:24 up 9 days, 7:57, 4 users, load average: 0.28, 0.25, 0.2
%

The only thing gained by putting these commands into a file is that it saves the time spent typing them all in whenever you need to gather the remote systems' uptimes. Wouldn't it be nice to get all of the system uptimes without being prompted for each system's password? Sure it would, and I'm sure you've already thought, "Hey, I can just put my passwords in the file." Bzzzt! Wrong answer! Thank you for playing. First, ssh will not accept it and, secondly, from a security viewpoint you should be severely flogged for even thinking about storing any password in plain text anywhere!

The proper answer is, of course, to use public key authentication.

Because I've discussed OpenVMS, Linux and Mac OS X here, I am going to detail the process, command by command, to establish public key authentication between OpenVMS and the unix-like Linux and Mac OS X. The process is very similar on each, and there's a plethora of information on doing just this very thing for unix-like OSs, but there's very little detailing the nuances of setting this up when OpenVMS is in the equation.

Let's first look at the unix-like realms. This is well documented, and if you find yourself facing problems getting public key authentication to function for you, you can likely find the answer via Google.

The procedure for establishing public key authentication is, generally, the same for all platforms:
  1. Generate the public-private key pair.
  2. Put the generated public key on the remote server.
Simple!

Here's a look at the commands to set up public key authentication between two unix-like OSs. For clarity, let's assume one is Ubuntu Linux (hostname: ubuntu) and the other Mac OS X (hostname: macosx). This example will generate the public-private key pair on the Ubuntu Linux system to facilitate password-less login to the Mac OS X system. In all cases, no passphrase will be used; after all, we want to implement a scheme whereby we will not be prompted for any authentication input, so enter a return when prompted for the passphrase and passphrase verification. These examples will also make use of everything discussed about ssh until now.

Linux/Mac OS X ⇒ Linux/Mac OS X


ubuntu$ cd $HOME
ubuntu$ #################################################################
ubuntu$ # generate the public-private keys using the RSA algorithm
ubuntu$ #################################################################
ubuntu$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Created directory '/home/username/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
f0:e1:d2:c3:b4:a5:96:87:78:69:5a:4b:3c:2d:1e:0f username@ubuntu
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| |
| |
| S . |
| + .o. |
| + o....=.|
| . +.=B + +|
| ..OX E . |
+-----------------+
ubuntu$ #################################################################
ubuntu$ # create the .ssh directory on remote whether or not it exists
ubuntu$ #################################################################
ubuntu$ ssh username@macosx mkdir -p .ssh
username@macosx's password:
ubuntu$ #################################################################
ubuntu$ # transfer public key to remote/append $HOME/.ssh/authorized_keys
ubuntu$ #################################################################
ubuntu$ cat .ssh/id_rsa.pub | ssh username@macosx 'cat >> .ssh/authorized_keys'
username@macosx's password:
ubuntu$ #################################################################
ubuntu$ # public key login to macosx is now possible with ssh/test it out
ubuntu$ #################################################################
ubuntu$ ssh username@macosx
Last login: Wed Jul 29 16:23:28 2009
macosx[~] %

As you can see, the process is amazingly simple even if you don't completely fathom the piping in the 'cat' command used to forward the public key to the remote Mac OS X system.

Now, let's take a look at this same process, only this time the remote system is an OpenVMS system. The only significant difference is that OpenVMS systems expect the public key in the RFC 4716 SSH Public Key File Format. This means that there will be a secondary step in the process. OpenVMS also maintains public keys in separate files indexed by a file called AUTHORIZATION, whereas unix systems simply append new public keys to a single file.

To illustrate this, the same Linux system (hostname: ubuntu) will generate a public-private key pair and then establish the public key on an OpenVMS system (hostname: openvms).

Linux/Mac OS X ⇒ OpenVMS


ubuntu$ cd $HOME
ubuntu$ #################################################################
ubuntu$ # generate the public-private keys using the RSA algorithm
ubuntu$ #################################################################
ubuntu$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Created directory '/home/username/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
f0:e1:d2:c3:b4:a5:96:87:78:69:5a:4b:3c:2d:1e:0f username@ubuntu
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| |
| |
| S . |
| + .o. |
| + o....=.|
| . +.=B + +|
| ..OX E . |
+-----------------+
ubuntu$ #################################################################
ubuntu$ # manipulate public key into RFC 4716 SSH Public Key File Format
ubuntu$ #################################################################
ubuntu$ ssh-keygen -e -f ~/.ssh/id_rsa > ~/.ssh/UBUNTU.PUB
ubuntu$ #################################################################
ubuntu$ # sftp to the OpenVMS system to copy the public key
ubuntu$ #################################################################
ubuntu$ sftp username@openvms
username@openvms's password:
sftp> put ./.ssh/UBUNTU.PUB ssh2/UBUNTU.PUB
sftp> exit
ubuntu$ #################################################################
ubuntu$ # login to remote system to create/edit the AUTHORIZATION file
ubuntu$ #################################################################
ubuntu$ ssh username@openvms
username@openvms's password:
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ ! edit the [.SSH2]AUTHORIZATION. file and add 'KEY UBUNTU.PUB'
OPENVMS$ ! note, for EACH system's public key you add to the [.SSH2]
OPENVMS$ ! directory, you must add an associated 'KEY <filename>.PUB'
OPENVMS$ ! to the [.SSH2]AUTHORIZATION. file.
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ EDIT [.SSH2]AUTHORIZATION.
KEY UBUNTU.PUB
<save and exit>
OPENVMS$ LOGOUT
ubuntu$ #################################################################
ubuntu$ # public key login to openvms is now possible with ssh/test it
ubuntu$ #################################################################
ubuntu$ ssh username@openvms
Welcome to OpenVMS (TM) Alpha Operating System, Version V8.3 on node OPNVMS
Last interactive login on Wednesday, 29-JUL-2009 18:10:15.85
Last non-interactive login on Tuesday, 28-JUL-2009 16:58:24.84
$

You now have template examples to set up public key authentication with ssh between unix-like and unix-like systems, and between unix-like and OpenVMS systems. Now, let's look at what it takes to set up OpenVMS to unix-like systems and OpenVMS to OpenVMS. The crux of what is needed has already been demonstrated but, once again, there is a minor difference in the generation of the public-private key on OpenVMS.

OpenVMS ⇒ Linux/Mac OS X


OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ ! make certain that the TCPIP Services commands are defined
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ @SYS$MANAGER:TCPIP$DEFINE_COMMANDS
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ ! generate the public-private keys using the RSA algorithm
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ SSH_KEYGEN -t rsa
Generating 2048-bit rsa key pair
1 oOo.oOo.oOo.
2 Oo.oOo.oOo.o
3 o.oOo.oOo.oO
4 .oOo.oOo.oOo
5 oOo.oOo.oOo.
6 Oo.oOo.oOo.o
7 o.oOo.oOo.oO
8 .oOo.oOo.oOo
9 oOo.oOo.oOo.
10 Oo.oOo.oOo.o
11 o.oO
Key generated.
2048-bit rsa, username@openvms, Wed Jul 29 2009 22:30:07
Passphrase :
Again :
Key is stored with NULL passphrase.
(You can ignore the following warning if you are generating hostkeys.)
This is not recommended.
Don't do this unless you know what you're doing.
If file system protections fail (someone can access the keyfile),
or if the super-user is malicious, your key can be used without
the deciphering effort.
Private key saved to ssh2/id_rsa_2048_a
Public key saved to ssh2/id_rsa_2048_a.pub
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ ! private key must now be identified in [.SSH2]IDENTIFICATION.
OPENVMS$ ! edit the IDENTIFICATION. file and add 'IdKey ID_RSA_2048_A'
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ EDIT [.SSH2]IDENTIFICATION.
IdKey ID_RSA_2048_A
<save and exit>
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ ! sftp to the ubuntu linux system to copy the public key
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ sftp username@ubuntu
username@ubuntu's password:
sftp> put ssh2/id_rsa_2048_a.pub
sftp> exit
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ ! login to the remote to create/append to the authorized_keys
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ ssh username@ubuntu
username@ubuntu's password:
ubuntu$ #################################################################
ubuntu$ # OpenVMS public key in RFC 4716 SSH Public Key File Format must be
ubuntu$ # converted for linux use before appending it to authorized_keys
ubuntu$ #################################################################
ubuntu$ ssh-keygen -i -f id_rsa_2048_a.pub >> .ssh/authorized_keys
ubuntu$ exit
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ ! public key login to ubuntu is now possible with ssh/test it
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ ssh username@ubuntu
Ubuntu 2.6.27-14-server #1 SMP Fri Jul 24 23:04:35 UTC 2009 i686
Last login: Wed Jul 29 16:57:34 2009 from openvms
ubuntu$
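The conversion steps in the two mixed sessions (ssh-keygen -e before copying to OpenVMS, ssh-keygen -i above before appending to authorized_keys) only re-wrap the same key blob: the RFC 4716 file and the OpenSSH one-liner carry identical bytes between different framings. This added Python example, not from the original post, implements both directions with a constructed (not real) RSA public key so you can see exactly what each side expects; the function names are my own.

```python
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

# Constructed demo key (NOT a real key): public exponent 65537 and a made-up 2048-bit modulus.
DEMO_E, DEMO_N = 65537, (1 << 2047) | 0x1234_5678_9ABC_DEF1

def _string(data: bytes) -> bytes:
    # SSH 'string' (RFC 4251): 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data

def _mpint(value: int) -> bytes:
    # SSH 'mpint' (positive only): big-endian; the spare byte becomes a leading 0x00 when the high bit is set.
    return _string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def rsa_public_blob(e: int, n: int) -> bytes:
    # Wire-format ssh-rsa public key (RFC 4253): string "ssh-rsa", mpint e, mpint n.
    # Both file formats carry exactly this blob; they differ only in how they wrap it.
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)

def to_rfc4716(blob: bytes, comment: str) -> str:
    # What `ssh-keygen -e` writes: BEGIN/END markers, a Comment header, base64 folded to 70 columns.
    b64 = base64.b64encode(blob).decode()
    lines = [BEGIN, f'Comment: "{comment}"'] + [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join(lines + [END]) + "\n"

def from_rfc4716(text: str) -> tuple[bytes, dict[str, str]]:
    # What `ssh-keygen -i` reads back: returns (blob, headers); rejects bad markers or bad base64.
    lines = text.strip().splitlines()
    if len(lines) < 2 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 BEGIN/END markers")
    headers, i = {}, 1
    while i < len(lines) - 1 and ":" in lines[i]:  # base64 body lines never contain ':'
        tag, _, value = lines[i].partition(":")
        value = value.strip()
        while value.endswith("\\"):  # header value continued on the next line
            i += 1
            value = value[:-1] + lines[i].strip()
        headers[tag.strip().lower()] = value.strip('"')
        i += 1
    return base64.b64decode("".join(lines[i:-1]), validate=True), headers

def rfc4716_to_openssh(text: str) -> str:
    # One authorized_keys line, '<key type> <base64 blob> <comment>', as appended on the unix side.
    blob, headers = from_rfc4716(text)
    (n,) = struct.unpack_from(">I", blob, 0)  # key type is the first SSH string in the blob
    return f"{blob[4:4 + n].decode()} {base64.b64encode(blob).decode()} {headers.get('comment', '')}".rstrip()

def openssh_to_rfc4716(line: str) -> str:
    # The reverse direction, producing the .PUB file an OpenVMS [.SSH2] directory expects.
    _ktype, b64, *comment = line.split(None, 2)
    return to_rfc4716(base64.b64decode(b64, validate=True), comment[0] if comment else "")
```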

One last combination remains to be addressed, that is OpenVMS to OpenVMS.

OpenVMS ⇒ OpenVMS


OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ ! make certain that the TCPIP Services commands are defined
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ @SYS$MANAGER:TCPIP$DEFINE_COMMANDS
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ ! generate the public-private keys using the RSA algorithm
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ SSH_KEYGEN -t rsa
Generating 2048-bit rsa key pair
1 oOo.oOo.oOo.
2 Oo.oOo.oOo.o
3 o.oOo.oOo.oO
4 .oOo.oOo.oOo
5 oOo.oOo.oOo.
6 Oo.oOo.oOo.o
7 o.oOo.oOo.oO
8 .oOo.oOo.oOo
9 oOo.oOo.oOo.
10 Oo.oOo.oOo.o
11 o.oO
Key generated.
2048-bit rsa, username@openvms, Wed Jul 29 2009 22:30:07
Passphrase :
Again :
Key is stored with NULL passphrase.
(You can ignore the following warning if you are generating hostkeys.)
This is not recommended.
Don't do this unless you know what you're doing.
If file system protections fail (someone can access the keyfile),
or if the super-user is malicious, your key can be used without
the deciphering effort.
Private key saved to ssh2/id_rsa_2048_a
Public key saved to ssh2/id_rsa_2048_a.pub
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ ! private key must now be identified in [.SSH2]IDENTIFICATION.
OPENVMS$ ! edit the IDENTIFICATION. file and add 'IdKey ID_RSA_2048_A'
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ EDIT [.SSH2]IDENTIFICATION.
IdKey ID_RSA_2048_A
<save and exit>
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ ! sftp to the OpenVMS system to copy the public key
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ sftp username@openvms2
username@openvms2's password:
sftp> put ssh2/id_rsa_2048_a.pub ssh2/OPENVMS.PUB
sftp> exit
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ ! login to remote OpenVMS to create/edit the AUTHORIZATION file
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ ssh username@openvms2
username@openvms2's password:
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ ! edit the [.SSH2]AUTHORIZATION. file and add 'KEY OPENVMS.PUB'
OPENVMS$ ! note, for EACH system's public key you add to the [.SSH2]
OPENVMS$ ! directory, you must add an associated 'KEY <filename>.PUB'
OPENVMS$ ! to the [.SSH2]AUTHORIZATION. file.
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ EDIT [.SSH2]AUTHORIZATION.
KEY OPENVMS.PUB
<save and exit>
OPENVMS$ LOGOUT
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ ! public key login to openvms2 is now possible with ssh/test it
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ ssh username@openvms2
Welcome to OpenVMS (TM) Alpha Operating System, Version V8.3 on OVMS2
Last interactive login on Wednesday, 29-JUL-2009 18:10:15.85
Last non-interactive login on Tuesday, 28-JUL-2009 16:58:24.84
OVMS2$

There you have it: complete examples for four different scenarios establishing public key authentication for use with ssh. From these examples, you should have no problem getting your environment set up to use ssh public key authentication.

Reader Comment

I just tried the Linux/Mac OS X ⇒ OpenVMS method, and for some reason UBUNTU.PUB landed on the OpenVMS system as $UBUNTU.PUB.

Solution: rename $UBUNTU.PUB to UBUNTU.PUB

Success!

by: Paul Sture on 18-Feb-2011 06:21

Reader Comment

Hey VAXman – thanks for this excellent example! It’s been so long since I’ve done this that I missed the key format conversion step required on unix until I ran across your blog.

by: Carl Karcher on 03-Aug-2011 15:32


Meta Information:

Title: ssh-ecurity — Part 4: Look Ma', no passwords!
Date: 30-Jul-2009 05:30