LINUX - SSH Passwordless login and running command - using key authentication

PASSWORDLESS LOGIN 
##################

This is not a lesson on public and private keys, I hope you know what those are. Also DSA vs RSA not covered here. But if you have a set of DSA or RSA keys then you dont need to do the ssh_keygen command - keep that in mind.

This is my way of doing it, because I memorized the commands and they feel good to do.

ssh-copy-id doesnt work with ports, at least the man page doesnt say it does. 
So here are my commands for making it happen

Notice the P is capital on scp, and lowercase p for ssh. Also technically you can omit the -P 22 and -p 22 if your ssh server is reached with port 22.
Dont get me wrong my ssh server listens on 22, but I portforward port 54321 from my router to port 22 on my server, so from the outside world I have to use -P 54321 and -p 54321.

All of this is done from the CLIENT machine. The machine you log in with.

Skip the ssh-keygen step if you already have the ~/.ssh/id_rsa.pub or id_dsa.pub file there

Note this needs to be done per user (per server user. and per client user technically)
Each client has their own keys.

So for example if you you have 2 Users Bob and Sally on Client machine and Fred and George on server machine and you wanted completely passwordless environment for all of them with ssh, it would be done like this:
First you do the commands with Bob to Fred and George, and repeat with Sally to Fred and George. Think of a mesh, everyones handshaking with eachother is another way to think about it.

However I only use 1 user so I just do this once. 

GENERIC EXAMPLE TO ALLOW SSH TO ROOT USER ON SERVER
====================================================

Note this works to ROOT user, from ANY USER (as we dont have to specify the client user, this would be the same commands for example for Bob and Sally from the above example)
The server user changes.

ssh-keygen
scp -P 22 ~/.ssh/id_rsa.pub root@www.server.com:~/.ssh/puta
ssh -p 22 root@www.server.com "cat ~/.ssh/puta >> ~/.ssh/authorized_keys"
ssh -p 22 root@www.server.com "rm ~/.ssh/puta"

I know technically I could of collapsesome of the commands together of well. Ill include shorter version below

Example
========

Lets pretend that the above example is real and that the server is reached with port 54321
Note only run ssh-keygen ONCE per client user. The command generates the private and public key, and we are giving out our public key to the server. We never give out the private key which is just id_rsa without the .pub extension.

First on client log in as Bob:

ssh-keygen

scp -P 22 ~/.ssh/id_rsa.pub george@www.server.com:~/.ssh/puta
ssh -p 22 george@www.server.com "cat ~/.ssh/puta >> ~/.ssh/authorized_keys"
ssh -p 22 george@www.server.com "rm ~/.ssh/puta"

scp -P 22 ~/.ssh/id_rsa.pub fred@www.server.com:~/.ssh/puta
ssh -p 22 fred@www.server.com "cat ~/.ssh/puta >> ~/.ssh/authorized_keys"
ssh -p 22 fred@www.server.com "rm ~/.ssh/puta"

Then on client log in as Sally:

ssh-keygen

scp -P 22 ~/.ssh/id_rsa.pub george@www.server.com:~/.ssh/puta
ssh -p 22 george@www.server.com "cat ~/.ssh/puta >> ~/.ssh/authorized_keys"
ssh -p 22 george@www.server.com "rm ~/.ssh/puta"

scp -P 22 ~/.ssh/id_rsa.pub fred@www.server.com:~/.ssh/puta
ssh -p 22 fred@www.server.com "cat ~/.ssh/puta >> ~/.ssh/authorized_keys"
ssh -p 22 fred@www.server.com "rm ~/.ssh/puta"



FINAL TIP
##########

If scp is not present ssh can be used with cat to get to transfer the file like so:

So this:
scp -P 22 ~/.ssh/id_rsa.pub root@www.server.com:~/.ssh/puta

Would turn to this:
cat ~/.ssh/id_rsa.pub | ssh -p 22 root@www.server.com "cat - > ~/.ssh/puta"

So the total would look like this:
ssh-keygen
cat ~/.ssh/id_rsa.pub | ssh -p 22 root@www.server.com "cat - > ~/.ssh/puta"
ssh -p 22 root@www.server.com "cat ~/.ssh/puta >> ~/.ssh/authorized_keys"
ssh -p 22 root@www.server.com "rm ~/.ssh/puta"

Also it is possible to combine all of these into one ssh monster command:
ssh-keygen
cat ~/.ssh/id_rsa.pub | ssh -p 22 root@www.server.com "cat - > ~/.ssh/puta; cat ~/.ssh/puta >> ~/.ssh/authorized_keys; rm ~/.ssh/puta"

Or My favorite:
===============
ssh-keygen
cat ~/.ssh/id_rsa.pub | ssh -p 22 root@www.server.com "cat - >> ~/.ssh/authorized_keys"

End result:
===========

If you did the ssh-keygen command, only in the case that you didnt have any keys in .ssh folder (the id_rsa or id_dsa and id_rsa.pub or id_rsa.pub, if you have either rsa or dsa set then you dont need to run that keygen command). anyways if you did that ssh-keygen command now you have the dsa or rsa key. Most likely RSA. RSA is my favorite and its the default for sshv2. 

After doing the copy commands which are either involving one scp command and a couple ssh commands, or just one ssh command with some cat pipes.

Anyways now you should be able to log in to anything without password and run commands on other system without password like:

ssh -p 22 root@www.server.com "ls -lisah /etc"
The above command would usually trigger a password prompt but not anymore

KEEP IN MIND FOR THIS TO WORK
###############################

For all of this to work, on the server the default settings have to be in place which are much longer then this, but I grab the ones that are related to this:
This is exactly how it appeared on my server, the Authorized Keys file was hashed out keep that in mind, so it was commented out, like it could of been not there and everything would of been the same.

PermitRootLogin yes

RSAAuthentication yes
PubkeyAuthentication yes

#AuthorizedKeysFile     %h/.ssh/authorized_keys

Lets explain all thaT:

PermitRootLogin yes
So to all to log in as root at all on ssh can be unsafe and unsecure, by default its yes on most systems, so if this was no, all of our root user commands would of had to be another user.

The next two allow for public key authentication - using these key files:
RSAAuthentication yes
PubkeyAuthentication yes

The final one is where the authorized keys file is at: By default it uses the values "AuthorizedKeysFile     %h/.ssh/authorized_keys" which means the home folder of every user has a .ssh folder with authorized_keys and actually a few other files. So since the system uses that by default there is no use to uncomment it out. Its typical linux config behaviour - for the defaults, when your trying to show what they are just show em as if your putting them into the config but hash em out. Hard to decipher that from if its a lost attempt or something, but if its a fresh OS install you can pretty much 99% assure yourself they are trying to tell you what the default is.
# AuthorizedKeysFile     %h/.ssh/authorized_keys
Comments