The alternative to password authentication is authentication with a public/private key pair. This closes some security holes, such as sending the password over the network or brute-force attacks.
First of all, generate a key pair on the client:
ssh-keygen -t rsa
You will be prompted for the files in which to store the keys (the defaults are ~/.ssh/id_rsa for the private key and ~/.ssh/id_rsa.pub for the public key) and for a passphrase to protect the private key (you will be prompted for it every time you try to log in to a remote host with public key authentication).
Next, upload the public key to the remote host. From the client host, run:
ssh-copy-id remote-user@remote_host
This command installs the public key in the ~/.ssh/authorized_keys file of remote-user on remote_host. Now the client host can log in to remote_host as remote-user without typing the password; the authentication is done automatically under the hood.
Verify that the command worked by logging in to the remote host:
ssh remote-user@remote_host
No password should be asked.
The public key of the client can be uploaded to every user/host where you want to be authenticated without a password.
The last step is to disable password authentication on remote_host. This is done by editing /etc/ssh/sshd_config (as the root user); the following lines must be present:
PasswordAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes
Then reload the ssh configuration:
/etc/init.d/ssh reload
Verify that password authentication is disabled by trying to log in from another client that has not set up public key authentication. The user should be refused; on my machine the message is:
Permission denied (publickey)
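A way to check the edited file offline before reloading, as an added example that is not part of the original post: sshd uses the first value it finds for each keyword, so a PasswordAuthentication no placed after an earlier yes has no effect. The function names and the two sample configs are constructed for illustration, and the script assumes no Include directives and looks only at global settings (everything before the first Match block).

```sh
#!/bin/sh
# Added example: audit an sshd_config file for key-only login (global settings).
# Assumption: Include directives are not followed; scanning stops at the first Match.

# Print the global value of keyword $2 in file $1, or the default $3 if unset.
# sshd keeps the FIRST value it finds per keyword; keywords are case-insensitive.
effective_value() {
    awk -v key="$2" -v def="$3" '
        { sub(/#.*/, ""); gsub(/=/, " ") }   # strip comments, accept key=value
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Return 0 only when password logins are off and public key logins are on.
audit_sshd_config() {
    rc=0
    pw=$(effective_value "$1" PasswordAuthentication yes)   # sshd default: yes
    pk=$(effective_value "$1" PubkeyAuthentication yes)     # sshd default: yes
    if [ "$pw" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '$pw' (want no)"; rc=1
    fi
    if [ "$pk" != "yes" ]; then
        echo "FAIL: PubkeyAuthentication is '$pk' (want yes)"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: key-only login configured"; fi
    return "$rc"
}

# Constructed samples (not from a real host).
demo_dir=$(mktemp -d)
# 1) The three lines from the article.
printf '%s\n' 'PasswordAuthentication no' 'RSAAuthentication yes' \
    'PubkeyAuthentication yes' > "$demo_dir/page"
# 2) An earlier "yes" shadows the "no" appended at the end of the file.
printf '%s\n' '# constructed sample' 'passwordauthentication yes' \
    'PubkeyAuthentication yes' 'PasswordAuthentication no' > "$demo_dir/shadowed"

audit_sshd_config "$demo_dir/page" || true
audit_sshd_config "$demo_dir/shadowed" || true
```

On a live host, `sshd -T` (run as root) prints the effective configuration, including included files.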