[tlug] Making my LAN a passwordless zone
- Date: Fri, 10 Jul 2009 01:51:43 +0900
- From: "Stephen J. Turnbull" <stephen@example.com>
- Subject: [tlug] Making my LAN a passwordless zone
- References: <4A55DA40.2060202@example.com>

Dave M G writes:

> Sometimes I run programs via ssh from one computer to another.
> Thing is, when I do that, I have to start it from the command line
> and enter a password, like so:
>
> ssh -X media@example.com amarokapp
>
> I'd really rather just set up icon shortcuts and not have to worry about
> passwords.

If once per session is acceptable, then the following procedure is secure:

(1) Install OpenSSH. (Done, I assume, but there are other implementations available. The following is only known to be correct spelling for OpenSSH.)

(2) Create a public key, private key pair with "ssh-keygen". IIRC you can just invoke the command, but you may need to specify the type and location. The four-part harmony version is

    $ mkdir ~/.ssh
    $ ssh-keygen -t rsa -f ~/.ssh/id_rsa

This will create the private and public keys in ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub, and these will automatically be read by ssh on startup. However, you can only use them by entering the passphrase, and if you only use ssh, this must be done every time.

"-t rsa" is preferred because RSA1 is known to be weak, and DSA had a configuration problem on Debian making it trivially weak, and many sites (such as Debian's own development hosts) prohibit use of DSA keys. If you're *sure* you'll never use it except on hosts you control, then which v2 key type you use doesn't matter so much.

Choose a nice long passphrase, with either a couple of nonsense strings that don't even look like words or several different languages mixed together.

(3) Copy the public key to ~/.ssh/id_rsa.pub on all hosts you wish to log in to. Copy the private key to ~/.ssh/id_rsa on all hosts whose keyboard you will actually touch. (You could have separate keys for each host, but this would only make sense if you give them separate passwords.)

(4) Run the reconfiguration utility for OpenSSH and make sure that the SSH agent is enabled.

(5) At the start of each session, run "ssh-add", and type in your pass phrase. Use "ssh -A ..." to log in to remote hosts from which you might use ssh, or enable "agent forwarding" in the ~/.ssh/config file on the *origin* host.

If you really want no passwords at all, not even once a session (which could last many days if you sleep instead of shut down), then you need to enable "RSA-based host authentication" in /etc/sshd_config (or something like that, man sshd will probably tell you where the sshd_config file lives) on all hosts you will log in to, and also on the hosts you use SSH from. You will need to set up a host key, I believe. You use ssh-keygen for that, too.

You can also have personal keys with no pass phrase. I don't recommend this.
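
An added example, not part of the original message: a POSIX shell helper for the key-distribution step on a host you log in to. It relies on OpenSSH's sshd looking up accepted public keys in ~/.ssh/authorized_keys and, with its default StrictModes setting, ignoring that file when the directory or file permissions are too open. The function name `install_pubkey` and its optional second argument (an alternate home directory, used for testing) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original message).
# Usage: install_pubkey PUBKEY_FILE [HOME_DIR]
# Appends one public key to HOME_DIR/.ssh/authorized_keys, once, with the
# permissions sshd expects (0700 directory, 0600 file).
install_pubkey() {
    pubkey_file=$1
    home_dir=${2:-$HOME}
    ssh_dir=$home_dir/.ssh
    auth=$ssh_dir/authorized_keys

    # Only the .pub half belongs on hosts you log in to. Refuse a private
    # key so it is never appended to a file on a remote machine by mistake.
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "refusing: $pubkey_file looks like a private key" >&2
        return 2
    fi

    # A .pub file is a single line: "<type> <base64> [comment]".
    key=$(sed -n '/[^[:space:]]/{p;q;}' "$pubkey_file")
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing: not a recognised public key line" >&2
           return 2 ;;
    esac

    # Create the directory and file with owner-only access.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Idempotent: do nothing if this exact line is already present.
    if grep -qxF -- "$key" "$auth"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
}
```

On systems that ship it, `ssh-copy-id` performs the same installation over an existing SSH login.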