Using SSH and SCP Without a Password






From time to time you may want to write scripts that copy files to a server, or log in, without being prompted for passwords. This can make the scripts simpler to write and also saves you from having to embed the password in your code.

SCP has a feature that allows you to do this. You no longer have to worry about prying eyes seeing your passwords nor worry about your script breaking when someone changes the password. You can configure SSH to do this by generating and installing data transfer encryption keys that are tied to the IP addresses of the two servers. The servers then use these pre-installed keys to authenticate one another for each file transfer. As you may expect, this feature doesn't work well with computers with IP addresses that periodically change, such as those obtained via DHCP.

There are some security risks though. The feature is automatically applied to SSH as well. Someone could use your account to log into the target server by entering the username alone. It is therefore best to implement this using unprivileged accounts on both the source and target servers.

The example that follows enables this feature in one direction (from server Bigboy to server Smallfry) and only uses the unprivileged account called filecopy.

Configuration: Client Side

Here are the steps you need to perform on the computer that acts as the SSH client:

1. Generate your SSH encryption key pair for the filecopy account. Press the Enter key each time you are prompted for a password to be associated with the keys. (Do not enter a password.)

[filecopy@bigboy filecopy]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/filecopy/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /filecopy/.ssh/id_dsa.
Your public key has been saved in /filecopy/.ssh/id_dsa.pub.
The key fingerprint is:
1e:73:59:96:25:93:3f:8b:50:39:81:9e:e3:4a:a8:aa filecopy@bigboy
[filecopy@bigboy filecopy]#

2. These key files are stored in the .ssh subdirectory of your home directory. View the contents of that directory. The file named id_dsa is your private key, and id_dsa.pub is the public key that you will be sharing with your target server. Versions other than Red Hat/Fedora may use different filenames; use the SSH man pages to verify this.

[filecopy@bigboy filecopy]# cd ~/.ssh
[filecopy@bigboy filecopy]# ls
id_dsa  id_dsa.pub  known_hosts
[filecopy@bigboy .ssh]#

3. Copy only the public key to the home directory of the account to which you will be sending the file.

[filecopy@bigboy .ssh]# scp id_dsa.pub \
filecopy@smallfry:public-key.tmp

Now, on to the server side of the operation.

Configuration: Server Side

Here are the steps you need to perform on the computer that will act as the SSH server:

1. Log into Smallfry as user filecopy. Create an .ssh subdirectory in your home directory and then go to it with cd.

[filecopy@smallfry filecopy]# ls
public-key.tmp
[filecopy@smallfry filecopy]# mkdir .ssh
[filecopy@smallfry filecopy]# chmod 700 .ssh
[filecopy@smallfry filecopy]# cd .ssh

2. Append the public-key.tmp file to the end of the authorized_keys file using the >> append redirector with the cat command. The authorized_keys file contains a listing of all the public keys from machines that are allowed to connect to your Smallfry account without a password. Versions other than Red Hat/Fedora may use different filenames; use the SSH man pages to verify this.

[filecopy@smallfry .ssh]# cat ~/public-key.tmp >> authorized_keys
[filecopy@smallfry .ssh]# rm ~/public-key.tmp

From now on you can use ssh and scp as user filecopy from server Bigboy to Smallfry without being prompted for a password.
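
The server-side steps above can be wrapped in a function that is safe to re-run. This is an added example, not part of the original page: it accepts only a single-line public key, creates .ssh and authorized_keys with owner-only permissions, and skips a key that is already installed. The function name install_pubkey, the optional from="..." source restriction, and the sample key and address are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): server-side steps 1 and 2 as
# one repeatable function.
# Usage: install_pubkey PUBKEY_FILE HOME_DIR [FROM_PATTERN]
# FROM_PATTERN (assumption) fills the authorized_keys from="..." option.
install_pubkey() (
    pub=$1 home=$2 from=${3:-}
    fail() { echo "install_pubkey: $1" >&2; exit 1; }

    [ -f "$pub" ] || fail "no such file: $pub"
    # A public key file is exactly one line: "<type> <base64> [comment]".
    # A private key is a multi-line block, so this check rejects it too.
    [ "$(grep -c '' "$pub")" -eq 1 ] || fail "expected exactly one key line"
    keyline=$(cat "$pub")
    case $keyline in
        ssh-*\ *|ecdsa-*\ *) ;;
        *) fail "not an OpenSSH public key line" ;;
    esac
    blob=$(printf '%s\n' "$keyline" | awk '{print $2}')
    [ -n "$blob" ] || fail "key line has no key data"
    case $from in *\"*) fail "from pattern must not contain quotes" ;; esac

    # sshd (StrictModes) ignores authorized_keys when it or .ssh is group- or
    # world-writable, so create both with owner-only permissions.
    umask 077
    mkdir -p "$home/.ssh" || fail "cannot create $home/.ssh"
    chmod 700 "$home/.ssh"
    auth=$home/.ssh/authorized_keys
    touch "$auth" && chmod 600 "$auth" || fail "cannot prepare $auth"

    # Re-running must not append the same key twice.
    grep -qF -- "$blob" "$auth" && exit 0

    if [ -n "$from" ]; then
        printf 'from="%s" %s\n' "$from" "$keyline" >> "$auth"
    else
        printf '%s\n' "$keyline" >> "$auth"
    fi
)

# Demo on constructed data in a scratch directory (no real account touched).
demo=$(mktemp -d)
echo 'ssh-dss AAAAB3NzaC1kc3MAAACBconstructedExampleOnly filecopy@bigboy' > "$demo/public-key.tmp"
install_pubkey "$demo/public-key.tmp" "$demo" 192.0.2.10 &&
    cat "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```

On Smallfry this would be run as filecopy, with HOME_DIR set to that account's home directory and PUBKEY_FILE set to the copied public-key.tmp.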

