Passwordless authentication

Note: Passwordless authentication has been disabled on the pamd servers. However, once inside our network you can setup passwordless ssh to other hosts normally.

Below you'll find the "barebones" steps needed to connect to a remote machine without having to enter your password. This is NOT a comprehensive explanation of how ssh or passwordless authentication works, rather it is simply some notes that I've kept to get ssh to work for my purposes. You should also know that setting up passwordless authentication for your account and machine will expose you to at least one security vulnerability. For example, if someone logged into your account on your machine then they can access any other machine that has been configured to accept passwordless authentication. That said, here's how to do it.

There are two versions of ssh and each version has a slightly different way of authenticating. I'll break things down into multiple parts to cover all of the ways you could connect to the different clients. To find out what version off ssh you are using type:

ssh -V

You'll either get something that has the string OpenSSH in it or something like this, SSH Secure Shell 3.1.0 non-commercial version. I'll refer to the former as OpenSSH and to the later as ssh.com

OpenSSH to OpenSSH

Most SCS systems are configured to use OpenSSH, which will make your life considerably more simple. The most notable exception to this is the IBM SP machines. The IBMs use the ssh.com version of ssh. It is still possible to connect to machines using differenct implementations of SSH, but it adds an extra layer of work that I will talk about later. In this section I'll discuss how to setup passwordless authentication between a host and a server running openSSH.

First, you need to create a public key using the following command:

ssh-keygen -t dsa

You'll be prompted for a passphrase and you might be prompted to name the identity files. Leave them blank and hit return.

Generating public/private dsa key pair.
Enter file in which to save the key (~/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_dsa.
Your public key has been saved in id_dsa.pub.
The key fingerprint is:
af:02:20:6e:05:96:84:5a:cc:2c:0a:1e:db:bb:1c:8b

In this step, two files were generated; one is the local identity file (id_dsa) and the other is the public key that will go into a specific file on the remote host. If the remote host mounts your SC home directory then this step is simple. Change directories to thehidden ssh configuration directory:

 cd ~/.ssh 

Copy the contents of id_dsa.pub into the authorized_keys2 file.

 cat id_dsa.pub >> authorized_keys2

Notice that I've used the append redirect (>>) because you can have multiple host identity keys in the same authorized_keys2 file. The important thing here is that each key must occupy its own line. If you don't yet have an authorized_keys2 file then you can do something like this:

 cat id_dsa.pub > authorized_keys2 

That's it. You should now be able to logon to a remote host that is mounting your SCS home directory without having to type in your password. If you are attempting to connect to a remote server that doesn't mount the the CSIT user file system then you will need to copy the public key to the sever and paste or redirect the file into the authorized_keys2 file. For example:

scp ./id_dsa.pub faroffserver.bingo.org:.ssh/.
ssh remoteHost.bingo.org
remoteHost> cd .ssh
remoteHost> cat id_dsa.pub >> authorized_keys2

note! if the file doesn't exist you'll need to do this:

remoteHost> cat id_dsa.pub > authorized_keys2

OpenSSH to ssh.com

Now you want to connect to a remote server using the ssh.com implementation of ssh from a host that's using OpenSSH. This would be the case if you wanted to connect to one of SCS's IBM machines from most of the other SCS machines. Start by generating an ssh.com (SECSH) formatted public key from the OpenSSH public key already in your .ssh directory and put the new key in the right place. Here's what you'll do:

cd ~/.ssh
ssh-keygen -e -f id_dsa.pub > id_dsa_secsh.pub

SSH.com stores it's configuration files in a hidden directory called .ssh2. If you are trying to connect to a remote machine that mounts the SCS user file system then you'll need to create the .ssh2 directory if doesn't already exist.

mkdir ~/.ssh2
cd ~/.ssh2

Next you will need to copy the new file to the .ssh2 directory and configure the authorization file so that it knows where to look to find the key.

cp ~/.ssh/id_dsa_secsh.pub ~/.ssh2/.
echo Key id_dsa_secsh.pub >> authorization

Again, if the authorization file doesn't exist then you'll need to do:

 echo Key id_dsa_secsh.pub > authorization

That's it. If the remote server to which you are trying to connect does not mount the DSC file system then you will copy the key file to the remote machine and then logon to the machine and make the changes described above.

SSH.com to OpenSSH

Much of what is needed in the section is covered more verbosely above so I'm going to stick to the commands needed to configure a local host running ssh.com (local) to connect to a remote host running OpenSSH (remote).

local> ssh-keygen -t dsa
local> echo IdKey id_dsa_1024_a > identification
local> scp id_dsa_1024_a.pub remote.fsu.edu:.ssh/.
remote> cd .ssh
remote> ssh-keygen -f id_dsa_1024_a.pub -i > newkey.pub
remote> cat newkey.pub >> authorized_keys2

That's it.