Setting up password-less SSH and SCP


In this post, I will explore how to perform a secure copy with the Linux scp command.

To this end, I will first detail how to set up password-less authentication with OpenSSH.

Setting up OpenSSH on the guest and the host

What I want to achieve is to be able to ssh to the remote host from my guest computer with the following command:

$ ssh username@hostname

Let’s consider that I have both the host and the guest running Ubuntu. I have to install the openssh-client package on the guest with the following command:

$ sudo apt-get install openssh-client

For testing this how-to, I have set up a fresh virtualized Ubuntu install. When I attempt to connect to the host for the first time, I get, for example, the following error:

$ ssh stephan@10.211.55.10
ssh: connect to host 10.211.55.10 port 22: Connection refused

I have to install openssh-server on the host with the following command:

$ sudo apt-get install openssh-server

Now, I can open an SSH connection between my guest and my host. As this is the first time I connect to the host, I have to accept that the host be added to the list of known hosts recognized by OpenSSH. The list is available in

~/.ssh/known_hosts

For example:

~ $ ssh username@10.211.55.10
The authenticity of host '10.211.55.10 (10.211.55.10)' can't be established.
RSA key fingerprint is 9c:f5:b7:93:7a:eb:d8:fe:e5:38:a8:52:e8:06:9b:2d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.211.55.10' (RSA) to the list of known hosts.
username@10.211.55.10's password: 
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

156 packages can be updated.
28 updates are security updates.

The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

username@host:~$ 
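Before answering yes at the prompt above, the fingerprint it shows can be compared with one computed from the host's own public key, on the host's console. The following is an added example, not part of the original post: it reproduces the colon-separated MD5 format shown in the prompt (newer OpenSSH releases print SHA256 fingerprints by default). The function names are hypothetical, and /etc/ssh/ssh_host_rsa_key.pub is assumed to be the host key location, as on a default Ubuntu install.

```shell
#!/bin/sh
# Added example: derive the MD5 fingerprint that the ssh first-connection
# prompt displays, directly from a public key file, and compare the two.

# key_md5_fingerprint <pubkey-file>
# A public key line is "type base64-blob [comment]". The fingerprint is the
# MD5 digest of the decoded blob, printed as colon-separated hex pairs.
key_md5_fingerprint() {
    awk 'NR == 1 {print $2}' "$1" | base64 -d | md5sum | cut -d' ' -f1 |
        sed 's/../&:/g; s/:$//'
}

# fingerprint_matches <pubkey-file> <fingerprint-from-prompt>
# Returns 0 only when the fingerprint typed from the prompt equals the one
# computed from the key file (hex case is ignored).
fingerprint_matches() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$(key_md5_fingerprint "$1")" = "$expected" ]
}

# Usage on the host (path is an assumption, see the lead-in):
#   key_md5_fingerprint /etc/ssh/ssh_host_rsa_key.pub
# Usage on the guest, with a copy of that file obtained out of band:
#   fingerprint_matches host_key.pub 9c:f5:b7:93:7a:eb:d8:fe:e5:38:a8:52:e8:06:9b:2d
```

If the two values differ, answer no at the prompt: the machine answering on that address is not presenting the key you inspected.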

Now that OpenSSH is configured on the host, we can set up password-less authentication.

Setting up password-less authentication with OpenSSH

Password-less authentication with OpenSSH works as follows. In order to secure the communication between the guest and the host without the need to provide a password, they will use the private key and public key of the client along with a username known on the server. The server will add the public key of the client to its list of authorized keys.

As I authenticate as a particular user known on the host, I will set up the OpenSSH configuration for the host to allow the user to ssh from the guest. I will generate a private/public key pair on the guest and add the public key to the list of authorized keys on the host.

The ssh username@hostname command will use the private key available in the ~/.ssh/id_rsa file of the user executing the command on the guest computer. If I wanted to use any other key file, I could use the -i pathToKeyFile parameter and specify another key file. For example:

$ ssh -i pathToMyFile username@hostname

Now that I know what I want to achieve, let’s configure both the guest and the host.

With the default key file

The first step is to generate a private and a public key on the guest computer. I will issue the following command to generate an RSA key. I could use -t dsa to generate a DSA private key.

ssh-keygen -t rsa

The command will yield the following output. It is important not to type in a passphrase and to simply hit enter twice.

Generating public/private rsa key pair.
Enter file in which to save the key (/home/stephan/.ssh/id_rsa): 
Created directory '/home/stephan/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/stephan/.ssh/id_rsa.
Your public key has been saved in /home/stephan/.ssh/id_rsa.pub.
The key fingerprint is:
24:c9:61:0f:c5:f3:69:24:92:21:2a:bf:6e:64:0b:17 stephan@stephan-Parallels-Virtual-Platform
The key's randomart image is:
+--[ RSA 2048]----+
|    . ==.        |
|   . +o=+ .      |
|. .   +.o= .     |
| oE    o  +      |
|  ..    S.       |
|. +.             |
| =..             |
| .o              |
| ..              |
+-----------------+

Now, I have two files in the ~/.ssh directory of my guest computer: id_rsa and id_rsa.pub.

I will now copy the public key to my host server with the OpenSSH scp command:

$ scp ~/.ssh/id_rsa.pub username@hostname:/home/username/.ssh/myguest_id_rsa.pub

On the host, I will now add the contents of the key to the list of authorized keys:

$ cat ~/.ssh/myguest_id_rsa.pub >> ~/.ssh/authorized_keys

The above command will append the contents of the myguest_id_rsa.pub file to the file authorized_keys. If the file does not exist, the command creates it.

Let’s now remove the file, which is no longer necessary:

$ rm ~/.ssh/myguest_id_rsa.pub

For better security, let’s set the proper rights on the authorized_keys file. 600 means that only the owner can read and write.

$ chmod 600 ~/.ssh/authorized_keys
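The host-side steps above (append the key, set the rights) can be combined into one function that is safe to run more than once. This is an added example, not part of the original post; the function name install_pubkey and its optional second argument are hypothetical.

```shell
#!/bin/sh
# Added example: authorise a public key for the current account, once.
# install_pubkey <pubkey-file> [ssh-dir]      (ssh-dir defaults to ~/.ssh)
install_pubkey() {
    pub=$1
    dir=${2:-"$HOME/.ssh"}
    auth="$dir/authorized_keys"

    # Accept exactly one public-key line. This also stops a private key
    # file (id_rsa instead of id_rsa.pub) from being appended by mistake.
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    [ "$(grep -c . "$pub")" -eq 1 ] ||
        { echo "$pub: expected a single key line" >&2; return 1; }
    grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/]+=*( .*)?$' "$pub" ||
        { echo "$pub: not an OpenSSH public key" >&2; return 1; }

    # sshd with StrictModes (the default) refuses key login when ~/.ssh or
    # authorized_keys is writable by group or others, so create both with
    # a restrictive umask and then set the modes explicitly.
    old_umask=$(umask)
    umask 077
    mkdir -p "$dir" && touch "$auth"
    umask "$old_umask"
    chmod 700 "$dir" && chmod 600 "$auth" || return 1

    # Match on "type blob" only, so the same key with a different comment
    # or with options in front of it is not added a second time.
    key=$(awk '{print $1, $2}' "$pub")
    if grep -Fq -- "$key" "$auth"; then
        return 0
    fi
    cat "$pub" >> "$auth"
}

# Usage on the host, after the scp step:
#   install_pubkey ~/.ssh/myguest_id_rsa.pub && rm ~/.ssh/myguest_id_rsa.pub
```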

Now, when I open an SSH connection with the given username from the guest computer (logged in as the user whose key is authorized on the host) to the host computer, I no longer have to provide a password. Instead of:

~/$ ssh stephan@10.211.55.10
stephan@10.211.55.10's password: 
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Sun Jun  3 16:44:22 2012 from stephans-macbook-pro.local

I now have

~/.ssh $ ssh stephan@10.211.55.10
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Sun Jun  3 17:26:52 2012 from stephans-macbook-pro.local
stephan@stephan-Parallels-Virtual-Platform:~$ 

With any key file

Let’s generate a key file outside of the ~/.ssh directory.

~/temp $ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/stephan/.ssh/id_rsa): ./standalone_id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in ./standalone_id_rsa.
Your public key has been saved in ./standalone_id_rsa.pub.
The key fingerprint is:
d4:48:5d:30:10:80:f6:2d:75:1d:49:51:47:9f:5b:eb stephan@stephan-Parallels-Virtual-Platform
The key's randomart image is:
+--[ RSA 2048]----+
|     ...++o===..o|
|    o  ..oo.o  .o|
|   . . oo..    .o|
|      o..       +|
|       .S      o |
|              .  |
|               E |
|                 |
|                 |
+-----------------+

I generated the file in the folder I was in with ./standalone_id_rsa.

Let’s now copy the public key file to the host:

~/temp $ scp ./standalone_id_rsa.pub username@hostname:/home/username/.ssh/myguest_id_rsa.pub

On the host, let’s add the public key to the list of authorized keys:

~$ cat ~/.ssh/myguest_id_rsa.pub >> ~/.ssh/authorized_keys

Let’s remove the key file, which is no longer necessary:

~$ rm ~/.ssh/myguest_id_rsa.pub

I can now connect with the provided file:

~/temp $ ssh -i ./standalone_id_rsa stephan@10.211.55.10
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Sun Jun  3 17:52:36 2012 from stephans-macbook-pro.local
stephan@stephan-Parallels-Virtual-Platform:~$ 

If I want to In this case, we must make sure that only the owner of the file has the rights to access the file. To achieve that, we will set the appropriate rights with chmod.

$ chmod 600 pathToMyKeyFile


Bash-Fu: Replacing text in multiple files with one Perl command


When I posted Bash-Fu: Replacing text in multiple files in one line, I knew that there would be a simpler way to achieve that. Thanks to my former colleague Ben, here is an even simpler way that uses a Perl command.

$ perl -p -i -e 's/0\.6-SNAPSHOT/0.7-SNAPSHOT/g' `find ./ -name pom.xml`

This command replaces the occurrences of 0.6-SNAPSHOT with 0.7-SNAPSHOT in all the pom.xml files in the current directory and sub-directories. The find command provides the list of files to process to the perl command.

Pay attention to the ` characters that surround the find command. These are not quotes but backticks (grave accents): the shell runs the enclosed find command and substitutes its output.

Bash-Fu: Replacing text in multiple files in one line


We use Maven on our project for the build. The hitch is that when we want to change version numbers after each iteration, we need to do it by hand. I think I’m missing something with regard to Maven functionality or plug-ins but that’s for another post.

I wanted to replace the version for the iteration in all modules in one single command line. Here it is:

find . -name "pom.xml" -print0 | xargs -0 grep -lrZ -e '0\.5-SNAPSHOT' | xargs -0 sed -i 's/0\.5-SNAPSHOT/0.6-SNAPSHOT/g'

The chain of commands is comprised of three parts:

  1. Find all the pom files and print the file names NUL-terminated (-print0) for the next command
  2. Grep the required text and print the file names (-l), again NUL-terminated (-Z), instead of the text for the next command
  3. Replace all occurrences of the text in each file

I’m sure there are better ways to do it with both Bash and Maven. Nevertheless, this is pretty handy.
