In our previous articles, we discussed how to setup ssh key based authentication to perform ssh and scp without password under the following three scenarios:
In this article, I’ll explain how to perform ssh and scp from SSH2 (local-host) to OpenSSH (remote-host) with no password.
1. Identify local-host and remote-host SSH version
In this example, local-host is running SSH2 and remote-host is running OpenSSH.
[local-host]$ ssh -V ssh: SSH Secure Shell 188.8.131.52 (non-commercial version) on i686-pc-linux-gnu [remote-host]$ ssh -V OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
2. Generate SSH2 authentication key pair on the local-host using ssh-keygen2
On SSH2, ssh-keygen will be a soft-link to the ssh-keygen2 as shown below.
[local-host]$ ls -l /usr/local/bin/ssh-keygen lrwxrwxrwx 1 root root 11 Jul 31 2006 /usr/local/bin/ssh-keygen -> ssh-keygen2 [local-host]$ ssh-keygen Generating 2048-bit dsa key pair 7 o.oOo..oOo.o Key generated. 2048-bit dsa, jsmith@local-host, Sun Oct 19 2008 14:49:42 -0700 Passphrase : [Enter the password here] Again : Private key saved to /home/jsmith/.ssh2/id_dsa_2048_a Public key saved to /home/jsmith/.ssh2/id_dsa_2048_a.pub
The public key and private key are stored in .ssh2 folder under your home directory. In this example, it is under /home/jsmith/.ssh2.
You should not share the private key with anybody.
By default ssh-keygen2 generates DSA (Digital Signature Algorithm) key pair. You can also generate RSA key pair as shown below.
[local-host]$ ssh-keygen -t rsa
3. Copy SSH2 public key from local-host to remote-host that is running OpenSSH
Copy local-host:/home/jsmith/.ssh2/id_dsa_2048_a.pub file to remote-host:/home/jsmith/.ssh/id_dsa_1024_a.pub. Perform a vi /home/jsmith/.ssh/id_dsa_1024_b.pub on the remote-host and copy the content of the public key from the local-host.
[remote-host]$ vi /home/jsmith/.ssh/id_dsa_1024_a.pub ---- BEGIN SSH2 PUBLIC KEY ---- Subject: jsmith Comment: "2048-bit dsa, jsmith@local-host Sun Oct 19 2008 14:49:42 -070\0" 7ZTVd7H63VyVqBIqfmEBALVa6VKtALZkydlOiPasikEQfujH07tjW+OffaRufFDG0VQESj 5iGSvMtmBBj8wQxGlvJ/dayVqBvvHzMao8bwGC+HFUtH1un7uyIEwOqU1fNzEpghC97mIx tIxJA7ZTVd7H63VIqmzlLbp/ZCd6bcJLvZEepMz96nlNB4NJ5UYIfdgXNhf/TrJD8COWQs t6jsP6RG/WrpHi5iGSvMtmBBj8wQGHddexkRnf/o5YMFJZRo4Iwc7+bgYrIyywBZnfLL7T RTk9TBfWzgJHy/y1tTtCMvVooWvFZbG5AiV3de63MxBaD0o68SASyXZzVM+MabXhjcdXFY 2vjq2vJxOzunEAAAAVAOTeOzDCnj3K5iGSvMtmBBj8wQGHAAABAA38sGpHEfSxLx5MjQci dko1pKuV1W9rOK3y19A2J2N6rSdWYb7Zyzw8Gr7kTMWX1TP5WhRGCUhNRYnjI+4wgZIZdC lfGdp8MGI3HBg9CAr702BOzRTMnW0aqsGjrbhcwhWaDgRymhBh++nGAhHxeWn4ApJ8F6kT 8HaAm3dFYXpHCaZ/xuKPXr4DFugGl8MRDU8TwioNE9kRi0Ko/kB5LTHuGhMPHGshMJeVGi PQTrt9NAzgYyJeT9RB9VZadgElMvQ9S0+fo6ipOA== ---- END SSH2 PUBLIC KEY ----
4. On local-host, create the ~/.ssh2/identification file
Create the following file on the local-host.
$ vim ~/.ssh2/identification IdKey id_dsa_2048_a
5. On remote-host, convert SSH2 public key to OpenSSH public key
This should be executed on the remote-host that is running OpenSSH. Only OpenSSH can convert keys back and forth between OpenSSH and SSH2 format.
[remote-host]$ ssh-keygen -i -f ~/.ssh/id_dsa_1024_a.pub > \ ~/.ssh/id_dsa_1024_a_openssh.pub
Copy the converted OpenSSH public key from ~/.ssh/id_dsa_1024_a_openssh.pub file to the authorized_keys file as shown below.
[remote-host]$ vi ~/.ssh/authorized_keys ssh-dss 5iGSvMtmBBj8wQdegAEBALVa6VKtALZkydlOiPasikEQfujH07tjW+OffaRufFD G0VQESjq+YlVTWcXxStz0xGlvJ/dayVqBvvHzMao8bwGC+HFUtH1un7uyIEwOqU1fNzEpgh C97s143S8zBcTAGtdegte3IqmlLbp/ZCd6bcJLvZEepMz96nlNB4NJ5UYIfdgXNhf/TrJD8 COWQst6jsP6RG/WrpHiI4QVDM6tZVZ4CnGjm1QPkRnf/o5YMFJZRo4Iwc7+bgYrIyywBZnf LL7TRTk9TBfWzgJHy/y1tTtCMvVooWvFZbG5AiV3de63MxBaD0o68SASyXZzVM+MabXhjcd XFY2vjq2vJxOzunEAAAAVAOTeOzDCnj3K5iGSvMtmBBj8wQGHAAABAA38sGpHEfSxLx5MjQ dFYXpHCaZ/xuKPXr4DFugGl8MRDU8TwioNE9kRi0Ko/kB5LTHuGhMPHGshMJeVGiPQTrt9N AzgYyJeT9RB9VZadgElMvQ9S0+fo6ipOA==
6. Setup proper permission on remote-host to .ssh directory
On the remote-host that is running openSSH, make sure to setup the following permission. Without this, you will have all kinds of weird problems with ssh.
$ chmod 755 ~ $ chmod 755 ~/.ssh $ chmod 644 ~/.ssh/authorized_keys
7. Login from the local-host to remote-host using the SSH key authentication
Perform ssh from local-host (SSH2) to remote-host (OpenSSH) as shown below to verify whether the key based authentication works properly.
[local-host]$ [You are on local-host here] [local-host]$ ssh -l jsmith remote-host Host key not found from database. Key fingerprint: bitaz-navun-gogus-mptop-ljilk-qwlem-ftrtm-llmak-topok-zuiof-bnmix You can get a public key's fingerprint by running % ssh-keygen -F publickey.pub on the keyfile. Are you sure you want to continue connecting (yes/no)? yes Host key saved to /home/jsmith/.ssh2/hostkeys/key_22_remote-host.pub host key for remote-host, accepted by jsmith Sun Oct 19 2008 15:06:42 -0700 Passphrase for key "/home/jsmith/.ssh2/id_dsa_2048_a" with comment "2048-bit dsa, jsmith@local-host, Sun Oct 19 2008 14:49:42 -0700":[Enter password] Last login: Sun Oct 19 14:01:48 2008 from 192.168.1.10 [remote-host]$ [You are on remote-host here]
Note: If you get the following error while performing the ssh or scp from local-host to remote-host, please refer to How to resolve Algorithm negotiation failed issue on SSH, to fix this issue.
[local-host]$ ssh -l jsmith remote-host warning: Authentication failed. Disconnected; key exchange or algorithm negotiation failed (Algorithm negotiation failed.)
There are two ways to perform ssh and scp without entering the password:
- No passphrase: While creating key pair, leave the passphrase empty. Use this option for the automated batch processing. for e.g. if you are running a cron job to copy files between machines this is suitable option. You can skip the next step steps for this method.
- Use passphrase and SSH Agent: If you are using ssh and scp interactively from the command-line and you don’t want to use the password everytime you perform ssh or scp, I don’t recommend the previous option (no passphrase), as you’ve eliminated one level of security in the ssh key based authentication. Instead, use the passphrase while creating the key pair and use SSH Agent to perform ssh and scp without having to enter the password everytime as explained in the steps below.
8. Start the SSH Agent on local-host
The SSH Agent will be running in the background to hold the private keys and perform ssh and scp without having to enter the passphrase several times.
[local-host]$ ssh-agent $SHELL
9. Load the private key to the SSH agent on the local-host
[local-host]$ ssh-add Adding identity: /home/jsmith/.ssh2/id_dsa_2048_a.pub Need passphrase for /home/jsmith/.ssh2/id_dsa_2048_a (2048-bit dsa, jsmith@local-host, Sun Oct 19 2008 14:49:42 -0700). Enter passphrase:[Enter your passphrase here]
10. Perform SSH or SCP from local-host to remote-home without entering the password
[local-host]$ [You are on local-host here] [local-host]$ ssh -l jsmith remote-host Last login: Sun Oct 19 14:20:48 2008 from 192.168.1.10 [remote-host]$ [You are on remote-host here]
If you liked this article, please share it on delicious and Stumble it.
Get the Linux Sysadmin Course Now!