Thursday, October 30, 2014

Exchanging RSA Keys between two servers

(password-less authentication)


At times you might need to SSH into a remote machine for scripted maintenance without being challenged for a password. To achieve this, key-based authentication has to be established between the two servers. Note that it is established per system and per user: the key pair belongs to one account on the client side, and its public key has to be placed in the authorized_keys file of the target account on the server side.

How does it work ?

SSH (Secure Shell) lets users log in using public key cryptography. The key pair you generate as you progress has two halves: the public key, which can be made widely available and is placed on every server you want to reach, and the private key, which stays on the client and must never be shared. At login the server challenges the client to prove that it holds the private key matching one of the public keys it has on file; only the holder of the private key can produce a valid response, and the private key itself is never sent over the wire.

The SSH server on the remote system looks for the public key in the file ~/.ssh/authorized_keys of the account you are logging in to. The client on your local system looks for the private key in ~/.ssh/id_rsa. The private key may be protected by a passphrase; in that case the authentication agent (ssh-agent) holds the unlocked key, so you type the passphrase once per session rather than on every connection.

Solaris commands to generate the SSH keys : 


Consider the scenario where you want to set up password-less authentication between two servers, a primary server and a secondary server.

The following steps allow you to ssh from the primary server to the secondary server without a password.

Step 1:


Log into your primary machine via SSH as the user ID that you will later use for password-less authentication.

Step 2:


From the Command prompt type : 

ssh-keygen -t rsa

Step 3:


Accept the default location for the key file. When prompted for a passphrase you can leave it empty by pressing Enter, and Enter again to confirm (see the note below). A key pair for your user ID is now stored in the .ssh directory of your home directory: the private key in id_rsa and the public key in id_rsa.pub.

example: /home/<user Id>/.ssh/id_rsa.pub.

Generating public/private rsa key pair.
Enter file in which to save the key (/home/<userid>/.ssh/id_rsa): --Default file is id_rsa; press Enter--
Enter passphrase (empty for no passphrase): --You can leave this empty--
Enter same passphrase again:
Your identification has been saved in /home/<userid>/.ssh/id_rsa.
Your public key has been saved in /home/<userid>/.ssh/id_rsa.pub.

Note: An empty passphrase makes life easy, but it means the private key file is stored unencrypted on disk: anyone who can read /home/<userid>/.ssh/id_rsa (root on the primary server, or anyone who gets hold of a backup of it) can log in as you on every server where that public key is authorized. What still protects you is the key match itself: the secondary server only admits a client that holds the private key matching an entry in its authorized_keys file, and the private key is never transmitted.

Alternatively, you can set a passphrase and use ssh-agent and ssh-add to unlock the key once for your active shell when you log in. This adds an extra level of security by requiring the user to type the passphrase once per session, while scripts run from that session still connect without a prompt.

Step 4:


Log in to the secondary machine via SSH as the same user ID that you used on the primary server to create id_rsa.pub. From the command prompt type (assuming you are in your home directory):


bash$: mkdir -p .ssh
bash$: cd .ssh
bash$: vi authorized_keys

Step 5:


Copy the primary server's public key into the authorized_keys file on the secondary server. The key is in /home/<user id>/.ssh/id_rsa.pub on the primary server and is a single line beginning with ssh-rsa. Append that line to authorized_keys and save the file; each line of authorized_keys is one key, so appending keeps any keys that were already authorized. If the contents of the public key cannot be pasted across, the file can be scp'ed from the primary server to the secondary server. Note that copying it straight onto authorized_keys, as below, replaces that file, which is fine for a fresh account but would remove any keys already present; if that is a concern, copy it under a temporary name and append it instead.

bash$: cd .ssh
bash$: scp id_rsa.pub <userid>@<secondaryserver>:/home/<user id>/.ssh/authorized_keys

or, to preserve existing keys:

bash$: scp id_rsa.pub <userid>@<secondaryserver>:/home/<user id>/.ssh/primary.pub
bash$: ssh <userid>@<secondaryserver> 'cat ~/.ssh/primary.pub >> ~/.ssh/authorized_keys'

Using chmod, set the permissions of authorized_keys to 600 and of the .ssh directory to 700 (a directory needs the execute bit or its contents cannot be accessed). sshd refuses key authentication when these files, or your home directory, are writable by group or others (the StrictModes check), and that is the most common reason the next step still asks for a password.

[Bash]$ chmod 700 .ssh
[Bash]$ chmod 600 .ssh/authorized_keys

Step 6:


Log into the secondary machine via SSH from the primary server as the <user id> that was used to generate keys.

From the command prompt type (assuming you are in your home directory):

[bash]$ ssh <user id>@<Secondary hostname>

Note: The first time you connect, ssh shows the secondary server's host key fingerprint and asks you to accept it; it then drops you at a command prompt on the target system without asking for a password. If you are still prompted for a password, check the permissions from step 5 and run ssh -v to see which key was offered and why it was not accepted.

The same steps can be repeated to log in from the secondary server to the primary server.
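The whole procedure above (steps 2 to 6) as one script, added here as an example and not part of the original post. It assumes a POSIX sh, the OpenSSH client tools, and that the account can still log in to the secondary server with a password once so the key can be installed; the target argument, the install_pubkey and fix_perms helper names and the constructed sample key in the comments are mine. Unlike the direct scp in step 5, it appends to authorized_keys and skips the key if it is already there, sets the 700/600 permissions in the same pass, and finally checks the result with BatchMode so a failed key login is reported instead of falling back to a password prompt. (Where the client ships ssh-copy-id, that tool does the install part for you.)

```shell
#!/bin/sh
# Added example (not from the original post): scripted SSH key exchange.
# Assumes POSIX sh and OpenSSH tools; hostnames/paths are placeholders.
set -eu

# Permissions sshd's StrictModes check requires: 700 on .ssh, 600 on the file.
fix_perms() {
    chmod 700 "$1"
    chmod 600 "$2"
}

# Append one public-key line to an authorized_keys file unless it is already
# present. Appending (rather than copying over the file) keeps existing keys.
install_pubkey() {
    key="$1"
    authfile="$2"
    sshdir=$(dirname "$authfile")
    umask 077                      # anything we create is private from the start
    mkdir -p "$sshdir"
    if ! grep -F -- "$key" "$authfile" >/dev/null 2>&1; then
        printf '%s\n' "$key" >> "$authfile"
    fi
    fix_perms "$sshdir" "$authfile"
}

# Step 2/3: generate a key pair only if none exists yet. -N '' gives the empty
# passphrase the post uses; for interactive use prefer a passphrase + ssh-agent.
ensure_keypair() {
    keyfile="$1"
    [ -f "$keyfile" ] || ssh-keygen -t rsa -b 4096 -N '' -f "$keyfile"
}

# Step 4/5: ship the public key over the existing (password) SSH session on
# stdin and install it remotely with the same append-if-missing rule.
# The remote command is single-quoted so $(cat) and $key expand on the server.
push_key() {
    target="$1"
    pubfile="$2"
    ssh "$target" 'umask 077; mkdir -p ~/.ssh; key=$(cat);
        grep -F -- "$key" ~/.ssh/authorized_keys >/dev/null 2>&1 ||
            printf "%s\n" "$key" >> ~/.ssh/authorized_keys;
        chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys' < "$pubfile"
}

# Step 6: BatchMode=yes forbids password prompts, so this fails loudly if the
# key was not accepted instead of silently asking for a password.
verify_login() {
    ssh -o BatchMode=yes -o ConnectTimeout=10 "$1" true
}

# Usage: sh exchange_keys.sh <userid>@<secondaryserver>
if [ $# -ge 1 ]; then
    ensure_keypair "$HOME/.ssh/id_rsa"
    push_key "$1" "$HOME/.ssh/id_rsa.pub"
    verify_login "$1" && echo "password-less login to $1 works"
fi
```

Run it once from the primary server as the account that will own the key; it prompts for the secondary server's password during push_key and for nothing afterwards. If verify_login fails, the remote permissions or home-directory ownership are the first thing to check.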

