SSH - How to arrange to log in without typing a password
If you want to automate an unattended process (e.g. cron or batch jobs) with SSH, you may notice, that SSH or SCP asks for a password, even from a script.
$ scp -q rabbit:/etc/hosts .
zahn@rabbit's password:
In this article, we show how to manage exactly this situation in a suitable security context using SSH version 1 with the RhostsRSAAuthentication method.
RhostsRSAAuthentication
The RhostsRSAAuthentication method is the rhosts or hosts.equiv method combined with RSA based host authentication. It means that if the login would be permitted by $HOME/.rhosts, $HOME/.shosts, /etc/hosts.equiv, or /etc/shosts.equiv, and if additionally the server can verify the client's host key (see /etc/ssh/ssh_known_hosts), only then login is permitted. This authentication method closes security holes due to IP spoofing, DNS spoofing and routing spoofing. Note to the administrator: /etc/hosts.equiv, $HOME/.rhosts, and the rlogin/rsh protocol in general, are inherently insecure and should be disabled if security is desired.
Example
You want to secure copy (scp) the file /backup/all.gz from the host rabbit to the host opal from a script which is started as a batch job from cron.
If $HOME/.shosts exists in the user's home directory on the remote machine (rabbit) and contains a line containing the name of the client machine (opal) and the name of the user on that machine, the user is permitted to log in. This form of authentication alone is normally not allowed by the server because it is not secure.
On rabbit:
$ cd $HOME
$ ls -l .shosts
-r-------- 1 root root 7 Feb 4 10:48 .shosts
$ cat .shosts
opal root
If login would be permitted by $HOME/.shosts, and if additionally the server can verify the client's host key in /etc/ssh/ssh_known_hosts, only then login is permitted. This authentication method closes security holes due to IP spoofing, DNS spoofing and routing spoofing.
Simply log on to the remote machine, the public key will then automatically transferred to the local machine and inserted in $HOME/.ssh/known_hosts. Copy or append the public key the the file /etc/ssh/ssh_known_hosts.
On opal:
$ ssh rabbit
The authenticity of host 'rabbit' can't be established.
RSA key fingerprint is
b2:fc:62:5e:5f:06:ca:63:0a:8c:52:03:db:ad:be:52.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rabbit,192.168.138.21' (RSA)
to the list of known hosts.
$ cd $HOME/.ssh
$ cat known_hosts >> /etc/ssh/ssh_known_hosts
The most important step is to configure the secure shell daemon (sshd) on the remote machine. You find the sshd configuration file in /etc/ssh/sshd_config. The needed parameters are the followings:
Here is the complete file
# This is ssh server systemwide configuration file.
####### Port
#
# Specifies the port number that sshd listens on. The default is 22.
# Multiple options of this type are permitted.
#
Port 22
####### Protocol
#
# Specifies the protocol versions sshd should support. The possible
# values are 1 and 2. Multiple versions must be commaseparated.
# The default is 1.
#
Protocol 1,2
####### ListenAddress
#
# Specifies what local address sshd should listen on. The default
# is to listen to all local addresses. Multiple options of this
# type are permitted. Additionally, the Ports options must precede
# this option.
#
ListenAddress 0.0.0.0
####### HostKey (private host key)
#
# Specifies the file containing the private host keys (default
# /etc/ssh_host_key) used by SSH protocol versions 1 and 2. Note
# that sshd will refuse to use a file if it is group/world-accessible.
# It is possible to have multiple host key files. "rsa1"
# keys are used for version 1 and "dsa" or "rsa" are used for
# version 2 of the SSH protocol.
#
HostKey /etc/ssh/ssh_host_key
####### ServerKeyBits (SSH protocol version 1)
#
# Defines the number of bits in the server key. The minimum value
# is 512, and the default is 768.
#
# Each host has a private host key RSA key (normally 1024 bits) used to iden-
# tify the host. Additionally, when the daemon starts, it generates a
# server RSA key (normally 768 bits). This key is normally regenerated ev-
# ery hour if it has been used, and is never stored on disk.
#
# Whenever a client connects the daemon responds with its public host and
# server keys. The client compares the RSA host key against its own
# database to verify that it has not changed. The client then generates a
# 256 bit random number. It encrypts this random number using both the
# host key and the server key, and sends the encrypted number to the serv-
# er. Both sides then use this random number as a session key which is
# used to encrypt all further communications in the session. The rest of
# the session is encrypted using a conventional cipher, currently Blowfish
# or 3DES, with 3DES being used by default. The client selects the encryp-
# tion algorithm to use from those offered by the server.
#
ServerKeyBits 768
KeyRegenerationInterval 3600
####### LoginGraceTime
#
# The server disconnects after this time if the user has not successfully
# logged in. If the value is 0, there is no time limit.
# The default is 600 (seconds).
#
LoginGraceTime 600
####### PermitRootLogin
#
# Specifies whether the root can log in using ssh(1). The argument
# must be "yes", "without-password" or "no". The default is
# "yes". If this options is set to "without-password" only
# password authentication is disabled for root.
#
# Root login with RSA authentication when the command option has
# been specified will be allowed regardless of the value of this
# setting (which may be useful for taking remote backups even if
# root login is normally not allowed).
#
PermitRootLogin yes
####### IgnoreRhosts
#
# Specifies that ~/.rhosts and ~/.shosts files will not be used in
# authentication. /etc/hosts.equiv and /etc/shosts.equiv are still
# used. The default is "yes".
#
# No: Read ~/.rhosts and ~/.shosts files
# Yes: Don't read ~/.rhosts and ~/.shosts files
#
IgnoreRhosts no
####### IgnoreUserKnownHosts
#
# Specifies whether sshd should ignore the user's
# $HOME/.ssh/known_hosts during RhostsRSAAuthentication.
# The default is "no".
#
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#
IgnoreUserKnownHosts yes
####### StrictModes
#
# Specifies whether sshd should check file modes and ownership of
# the user's files and home directory before accepting login. This
# is normally desirable because novices sometimes accidentally
# leave their directory or files world-writable. The default is "yes".
#
StrictModes yes
####### X11Forwarding
#
# Specifies whether X11 forwarding is permitted. The default is
# "no". Note that disabling X11 forwarding does not improve security
# in any way, as users can always install their own forwarders.
#
X11Forwarding yes
####### X11DisplayOffset
#
# Specifies the first display number available for sshd's X11
# forwarding. This prevents sshd from interfering with real X11
# servers. The default is 10.
#
X11DisplayOffset 10
####### PrintMotd
#
# Specifies whether sshd should print /etc/motd when a user logs in
# interactively. (On some systems it is also printed by the shell,
# /etc/profile, or equivalent.) The default is "yes".
#
PrintMotd no
####### KeepAlive
#
# Specifies whether the system should send keepalive messages to
# the other side. If they are sent, death of the connection or
# crash of one of the machines will be properly noticed. However,
# this means that connections will die if the route is down tem-
# porarily, and some people find it annoying. On the other hand,
# if keepalives are not sent, sessions may hang indefinitely on the
# server, leaving "ghost" users and consuming server resources.
#
# The default is "yes" (to send keepalives), and the server will
# notice if the network goes down or the client host reboots. This
# avoids infinitely hanging sessions.
#
# To disable keepalives, the value should be set to "no" in both
# the server and the client configuration files.
#
KeepAlive yes
####### SyslogFacility
#
# Gives the facility code that is used when logging messages from
# sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1
# LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.
#
SyslogFacility AUTH
####### LogLevel
#
# Gives the verbosity level that is used when logging messages from
# sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE
# and DEBUG. The default is INFO. Logging with level DEBUG violates
# the privacy of users and is not recommended.
#
LogLevel INFO
####### RhostsAuthentication
#
# Specifies whether authentication using rhosts or /etc/hosts.equiv
# files is sufficient. Normally, this method should not be permitted
# because it is insecure. RhostsRSAAuthentication should be
# used instead, because it performs RSA-based host authentication
# in addition to normal rhosts or /etc/hosts.equiv authentication.
# The default is "no".
#
RhostsAuthentication no
####### RhostsRSAAuthentication
#
# Specifies whether rhosts or /etc/hosts.equiv authentication to-
# gether with successful RSA host authentication is allowed. The
# default is "no".
# For this to work you will also need host keys in /etc/ssh_known_hosts
#
RhostsRSAAuthentication yes
####### RSAAuthentication
#
# Specifies whether pure RSA authentication is allowed. The de-
# fault is "yes". Note that this option applies to protocol ver-
# sion 1 only.
#
RSAAuthentication no
####### PasswordAuthentication
#
# Specifies whether password authentication is allowed. The de-
# fault is "yes". Note that this option applies to both protocol
# versions 1 and 2. To disable tunneled clear text passwords,
# change to no here!
#
PasswordAuthentication yes
####### PermitEmptyPasswords
#
# When password authentication is allowed, it specifies whether the
# server allows login to accounts with empty password strings. The
# default is "no".
#
PermitEmptyPasswords no
####### CheckMail
#
# Specifies whether sshd should check for new mail for interactive
# logins. The default is "no".
#
CheckMail no
####### UseLogin
#
# Specifies whether login(1) is used for interactive login ses-
# sions. Note that login(1) is never used for remote command exe-
# cution. The default is "no".
#
UseLogin no
####### AllowUsers
#
# This keyword can be followed by a number of user names, separated
# by spaces. If specified, login is allowed only for users names
# that match one of the patterns. '*' and '?' can be used as wild-
# cards in the patterns. Only user names are valid; a numerical
# user ID isn't recognized. By default login is allowed regardless
# of the user name.
#
AllowUsers root scott smith
The final step is to configure the secure shell (ssh) on the local machine. You find the ssh configuration file in /etc/ssh/ssh_config. The needed parameters are the followings:
# This is ssh client systemwide configuration file. This file provides
# defaults for users, and the values can be changed in per-user configuration
# files or on the command line.
#
# Configuration data is parsed as follows:
#
# 1. command line options
# 2. user-specific file
# 3. system-wide file
#
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for various options
####### Host
#
# Restricts the following declarations (up to the next Host key-
# word) to be only for those hosts that match one of the patterns
# given after the keyword. "*" and "?" can be used as wildcards in
# the patterns. A single "*" as a pattern can be used to provide
# global defaults for all hosts. The host is the hostname argument
# given on the command line (i.e., the name is not converted to a
# canonicalized host name before matching).
#
Host *
####### ForwardAgent
#
# Specifies whether the connection to the authentication agent
# (if any) will be forwarded to the remote machine. The argument
# must be "yes" or "no". The default is "yes".
#
ForwardAgent no
####### ForwardX11
#
# Specifies whether X11 connections will be automatically redirected
# over the secure channel and DISPLAY set. The argument must be
# "yes" or "no". The default is "no".
#
ForwardX11 yes
####### RhostsAuthentication
#
# Specifies whether to try rhosts based authentication. Note that
# this declaration only affects the client side and has no effect
# whatsoever on security. Disabling rhosts authentication may re-
# duce authentication time on slow connections when rhosts authen-
# tication is not used. Most servers do not permit RhostsAuthenti-
# cation because it is not secure (see RhostsRSAAuthentication).
# The argument to this keyword must be "yes" or "no".
#
RhostsAuthentication no
####### RhostsRSAAuthentication
#
# Specifies whether to try rhosts based authentication with RSA
# host authentication. This is the primary authentication method
# for most sites. The argument must be "yes" or "no".
#
RhostsRSAAuthentication yes
####### RSAAuthentication
#
# Specifies whether to try RSA authentication. The argument to
# this keyword must be "yes" or "no". RSA authentication will
# only be attempted if the identity file exists, or an authentica-
# tion agent is running. Note that this option applies to protocol
# version 1 only.
#
RSAAuthentication no
####### PasswordAuthentication
#
# Specifies whether to use password authentication. The argument
# to this keyword must be "yes" or "no". Note that this option
# applies to both protocol version 1 and 2.
#
PasswordAuthentication yes
####### FallBackToRsh
#
# Specifies that if connecting via ssh fails due to a connection
# refused error (there is no sshd listening on the remote host),
# rsh should automatically be used instead (after a suitable
# warning about the session being unencrypted). The argument must
# be "yes" or "no".
#
FallBackToRsh no
####### UseRsh
#
# Specifies that rlogin/rsh should be used for this host. It is
# possible that the host does not at all support the ssh protocol.
# This causes ssh to immediately execute rsh. All other options
# (except HostName) are ignored if this has been specified. The
# argument must be "yes" or "no".
#
UseRsh no
####### BatchMode
#
# If set to "yes", passphrase/password querying will be disabled.
# This option is useful in scripts and other batch jobs where you
# have no user to supply the password. The argument must be
# "yes" or "no".
#
BatchMode no
####### CheckHostIP
#
# If this flag is set to "yes", ssh will additionally check the
# host ip address in the known_hosts file. This allows ssh to de-
# tect if a host key changed due to DNS spoofing. If the option is
# set to "no", the check will not be executed.
#
CheckHostIP yes
####### StrictHostKeyChecking
#
# If this flag is set to "yes", ssh will never automatically add
# host keys to the $HOME/.ssh/known_hosts and
# $HOME/.ssh/known_hosts2 files, and refuses to connect to hosts
# whose host key has changed. This provides maximum protection
# against trojan horse attacks. However, it can be somewhat annoy-
# ing if you don"t have good /etc/ssh_known_hosts and
# /etc/ssh_known_hosts2 files installed and frequently connect to
# new hosts. This option forces the user to manually add all new
# hosts. If this flag is set to "no", ssh will automatically add
# new host keys to the user known hosts files. If this flag is set
# to "ask", new host keys will be added to the user known host
# files only after the user has confirmed that is what they really
# want to do, and ssh will refuse to connect to hosts whose host
# key has changed. The host keys of known hosts will be verified
# automatically in all cases. The argument must be "yes", "no"
# or "ask". The default is "ask".
#
StrictHostKeyChecking yes
####### IdentityFile
#
# Specifies the file from which the user"s RSA authentication iden-
# tity is read (default $HOME/.ssh/identity in the user"s home di-
# rectory). Additionally, any identities represented by the au-
# thentication agent will be used for authentication. The file
# name may use the tilde syntax to refer to a user"s home directo-
# ry. It is possible to have multiple identity files specified in
# configuration files; all these identities will be tried in se-
# quence.
#
IdentityFile ~/.ssh/identity
####### Port
#
# Specifies the port number to connect on the remote host.
# Default is 22.
#
Port 22
####### Protocol
#
# Specifies the protocol versions ssh should support in order of
# preference. The possible values are "1" and "2". Multiple
# versions must be comma separated. The default is "1,2". This
# means that ssh tries version 1 and falls back to version 2 if
# version 1 is not available.
#
Protocol 1,2
####### Cipher
#
# Specifies the cipher to use for encrypting the session in proto-
# col version 1. Currently, "blowfish" and "3des" are support-
# ed. The default is "3des".
#
Cipher 3des
####### EscapeChar
#
# Sets the escape character (default: "~"). The escape character
# can also be set on the command line. The argument should be a
# single character, "^" followed by a letter, or "none" to dis-
# able the escape character entirely (making the connection trans-
# parent for binary data).
#
EscapeChar none
Now, you should be able to connect to the remote host without a password. First try the debugging output using the -v option.
opal> ssh -v rabbit "cat /etc/ssh/ssh_config" > ssh_config
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /usr/local/etc/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to rabbit [193.247.121.196] port 22.
debug: Seeding random number generator
debug: Allocated local port 882.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.1.1
debug: Local version string SSH-1.5-OpenSSH_2.1.1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'rabbit' is known and matches the RSA host key.
debug: Seeding random number generator
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
debug: Remote: Accepted by .shosts.
debug: Received RSA challenge for host key from server.
debug: Sending response to host key RSA challenge.
debug: Remote: Rhosts with RSA host authentication accepted.
debug: Rhosts or /etc/hosts.equiv with RSA host auth accepted by server.
debug: Requesting X11 forwarding with authentication spoofing.
debug: Sending command: cat /etc/ssh/ssh_config
debug: Entering interactive session.
debug: Transferred: stdin 0, stdout 6425, stderr 0 bytes in 0.3 seconds
debug: Bytes per second: stdin 0.0, stdout 19644.7, stderr 0.0
debug: Exit status 0
opal> scp -v rabbit:/etc/hosts .
Executing: host rabbit, user (unspecified), command scp -v -f /etc/hosts
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /usr/local/etc/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to rabbit [193.247.121.196] port 22.
debug: Seeding random number generator
debug: Allocated local port 700.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.1.1
debug: Local version string SSH-1.5-OpenSSH_2.1.1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'rabbit' is known and matches the RSA host key.
debug: Seeding random number generator
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
debug: Remote: Accepted by .shosts.
debug: Received RSA challenge for host key from server.
debug: Sending response to host key RSA challenge.
debug: Remote: Rhosts with RSA host authentication accepted.
debug: Rhosts or /etc/hosts.equiv with RSA host auth accepted by server.
debug: Sending command: scp -v -f /etc/hosts
debug: Entering interactive session.
Sending file modes: C0644 5578 hosts
debug: Transferred: stdin 3, stdout 5633, stderr 0 bytes in 0.1 seconds
debug: Bytes per second: stdin 53.2, stdout 99934.3, stderr 0.0
debug: Exit status 0
原文:
上面的文档介绍了一种不需要输入口令就可以登录sshd服务器的方法。因为对ssh协议不是很熟悉,所以不知道这种方法是否可用。也没有具体做过实验。先转过来吧。
我比较常用的方法是
http://www.mangbar.com/document/view/bd18e8290d351416010d357315ba0053
另外也可以用expect来实现
Pexpect(Pure python expect)的主页:
I don't understand what you're trying to do. The id_rsa file is only supposed to contain one key; you can put other keys in different files. What are you trying to achieve by putting multiple keys in one file?