Secured ssh login without password and without passphrase?
Hello,
I would like to establish an ssh login without password and without passphrase, which will be secured and where the agent takes care of the passphrase itself.
I found out on the board that many users remove the passphrase.
Here is an example:
Code:
on the client (local):
cd
rm -rf .ssh
ssh-keygen -t rsa #press enter twice if given prompts <------- this is totally unsecured
scp -P portnumber ~/.ssh/id_rsa.pub username@server:~/.ssh/authorized_keys
It is done.
Here it goes, login without password and without passphrase.
scp -P portnumber username@server
So all is done when typing on the local:
Code:
ssh-keygen -t rsa
#press enter twice if given prompts <------- this is totally unsecured
If you do that, i.e. typing enter twice to avoid the passphrase, then you create a less secured login.
If you don't do that, you cannot log in automatically without the prompt for entering the passphrase.
If you would like to crontab a backup, then shall you remove the passphrase (i.e. being less secured)?
dpkg -l | grep ssh
ii libssh2-1 1.2.6-1 SSH2 client-side library
ii openssh-blacklist 0.4.1 list of default blacklisted OpenSSH RSA and DSA keys
ii openssh-blacklist-extra 0.4.1 list of non-default blacklisted OpenSSH RSA and DSA keys
ii openssh-client 1:5.5p1-6+squeeze1 secure shell (SSH) client, for secure access to remote machines
ii openssh-server 1:5.5p1-6+squeeze1 secure shell (SSH) server, for secure access from remote machines
ii ssh 1:5.5p1-6+squeeze1 secure shell client and server (metapackage)
ii sshfs 2.2-1 filesystem client based on SSH File Transfer Protocol
Maybe a possible solution could be the ssh-agent: it asks for the key password only once, and after that it grants the use of the (protected/encrypted) private key for the entire session.
It should also work for cron jobs.
(Those are Two single quotes.)
will generate a key without a password.
Secure the key and its permissions and all will be well.
ssh keys without passwords are routinely used in automated processes such as cron jobs.
But in this case, you say to have no passphrase.
-N ''
Which adapted script would you recommend to type?
ssh agent sounds good since you have a passphrase.
I guess I'm not fully understanding your situation.
Are you trying to not use a passphrase for your ssh key?
Are you trying to bypass the password entry during key generation?
Are you trying to decide to use, or not use a passphrase for ssh, or scp?
ssh keys without passwords are "less secure" than those with passwords IF the key cannot be physically secured.
I guess it depends on who is using the key and their preference for a password/no password.
Automation, say in backup scripts or scp'ing to remote hosts, would practically require no password on the key.
A pass-phrased key in automation sort of defeats the purpose of automation.
I don't believe I have ever used an intermediate program such as ssh-agent.
Sorry about that!
Last edited by Habitual; 09-29-2013 at 01:16 PM.
Reason: grammar corrected
I would like to have a passphrase and log in without being prompted for the password and without being prompted for the passphrase.
A secure way to do that would be to use an agent. Perhaps an easier way to combine that with a script would be to launch a separate agent just for use with that script. The reason for that would be so that you can set the location of the socket yourself so that your script knows where it is. When your script uses an identity to log in the variable SSH_AUTH_SOCK must point to the agent's socket.
Another secure option is to use the authorized_keys file to force the key into a specific program with specific parameters. The full set of options is listed in the manual page for sshd(8) in the section "AUTHORIZED_KEYS FILE FORMAT". If you need to pass parameters, you can pass them as a command which will then be ignored but stored in the SSH_ORIGINAL_COMMAND environment variable available to your server-side script.
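The dedicated agent with a fixed socket that the last reply suggests, written out as an added example (not code posted in the thread). The socket path, key file name and function names are assumptions; the agent has to be started and the passphrase entered again after every reboot, and until then the cron job fails instead of prompting.

```shell
#!/bin/sh
# Dedicated ssh-agent for one backup job. Paths and names are assumptions.
BACKUP_SOCK="${BACKUP_SOCK:-$HOME/.ssh/backup-agent.sock}"
BACKUP_KEY="${BACKUP_KEY:-$HOME/.ssh/id_backup}"   # passphrase-protected key

# Run once by hand after boot: start the agent on the fixed socket and load
# the key. ssh-add asks for the passphrase here, and only here.
start_backup_agent() {
    umask 077                         # socket usable by this user only
    if [ -S "$BACKUP_SOCK" ] &&
       SSH_AUTH_SOCK="$BACKUP_SOCK" ssh-add -l >/dev/null 2>&1; then
        return 0                      # agent already running with a key
    fi
    rm -f "$BACKUP_SOCK"              # stale socket left by a dead agent
    ssh-agent -a "$BACKUP_SOCK" >/dev/null || return 1
    SSH_AUTH_SOCK="$BACKUP_SOCK" ssh-add "$BACKUP_KEY"
}

# Returns 0 only if the socket exists and the agent holds at least one key.
agent_ready() {
    [ -S "$BACKUP_SOCK" ] || { echo "no agent socket: $BACKUP_SOCK" >&2; return 1; }
    SSH_AUTH_SOCK="$BACKUP_SOCK" ssh-add -l >/dev/null 2>&1 || {
        echo "agent unreachable or no key loaded" >&2; return 2; }
}

# Called from cron: ssh arguments are passed through unchanged.
# BatchMode=yes makes ssh fail rather than wait at a prompt nobody will see.
run_backup() {
    agent_ready || return $?
    SSH_AUTH_SOCK="$BACKUP_SOCK" ssh -o BatchMode=yes "$@"
}

# Usage: "script start" interactively, "script run user@server cmd" from cron.
case "${1:-}" in
    start) start_backup_agent ;;
    run)   shift; run_backup "$@" ;;
esac
```

While the agent is running, any process of the same user (and root) can authenticate with the loaded key through the socket, so this protects the key file at rest and across reboots, not against a compromised account.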
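The forced-command option from the same reply, as an added example rather than anything posted in the thread: an authorized_keys entry pins the key to one script, and the script treats SSH_ORIGINAL_COMMAND as data to match against an allowlist. The script path, backup directory and the `list`/`fetch` verbs are assumptions.

```shell
#!/bin/sh
# Server-side forced command; /usr/local/bin/backup-gate and /srv/backup are
# assumed names. authorized_keys entry on the server (one line, key material
# replaced by a placeholder):
#   command="/usr/local/bin/backup-gate",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa <PUBLIC-KEY> backup@client
# sshd runs this script for that key whatever the client requests; the
# requested command string only arrives in SSH_ORIGINAL_COMMAND.
LC_ALL=C; export LC_ALL                   # keep A-Z ranges plain ASCII
BACKUP_ROOT="${BACKUP_ROOT:-/srv/backup}"

# Map the request to an action. Prints the decision; returns 1 on deny.
# The client's string is only matched, never evaluated by a shell.
gate_decide() {
    case "$1" in
        "")       echo "deny:no-command"; return 1 ;;   # interactive login
        list)     echo "list" ;;
        "fetch "*)
            name=${1#"fetch "}
            case "$name" in
                ""|.*|*[!A-Za-z0-9._-]*) echo "deny:bad-name"; return 1 ;;
                *)                       echo "fetch:$name" ;;
            esac ;;
        *)        echo "deny:unknown"; return 1 ;;
    esac
}

# Entry point: act on an allowed request, log and refuse everything else.
gate_main() {
    action=$(gate_decide "${SSH_ORIGINAL_COMMAND:-}") || {
        logger -t backup-gate "rejected ($action)" 2>/dev/null || true
        echo "request not permitted" >&2
        return 1
    }
    case "$action" in
        list)    ls -1 "$BACKUP_ROOT" ;;
        fetch:*) cat "$BACKUP_ROOT/${action#fetch:}" ;;
    esac
}

# Runs only when installed under the assumed name backup-gate.
case "$0" in
    */backup-gate) gate_main ;;
esac
```

With this entry in place, a stolen copy of the key can list and fetch backups but cannot open a shell or forward ports, which limits the damage if the key has to stay without a passphrase.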