SSO with SSH


It applies to:

  • Novell Linux Desktop
  • SUSE Linux Enterprise Server
  • SUSE LINUX Professional
  • Any other Linux

Introduction:


As a consultant I access many different Linux and Unix machines for administration purposes. Remembering all of those passwords is difficult, and writing them down is risky (please don't).
SSH's public key authentication lets us implement a form of SSO across our Linux servers: one private key, protected by one passphrase, instead of a password per host. We need either a Linux client with the ssh command or, from Windows, an SSH client such as PuTTY (not covered here).


From the README file: ssh (Secure Shell) is a program to log into another computer over a network, to execute commands on a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. It is intended as a replacement for rlogin, rsh, and rcp.


Description


A normal login looks like this: we run ssh user@host (the user defaults to our local login name if omitted) and the host prompts for that account's password. The password travels inside the encrypted session, but it still has to be typed, remembered and managed separately on every host.


SSH has an authentication method called public key authentication. It uses a key pair, a public and a private key, similar to the RSA authentication of the old SSH protocol 1. We will use this method so that the host grants us access without asking for the account password. The private key should be protected with a passphrase (recommended: without one, anybody who obtains the key file can log in as us). We create the key pair with the ssh-keygen command; the full list of options is in its manual page (man ssh-keygen).



A note on key type and size: DSA keys in OpenSSH are fixed at 1024 bits (ssh-keygen rejects other sizes), and DSA (ssh-dss) has been disabled by default in both the client and sshd since OpenSSH 7.0, so on a current system use ssh-keygen -t ed25519 (fixed key size) or ssh-keygen -t rsa -b 3072; the key files are then named id_ed25519 or id_rsa instead of id_dsa. A larger RSA key is stronger, not weaker; it is only slower. The command prompts for the file location if the -f option is not used; the default is $HOME/.ssh/id_(type). It also prompts for the passphrase, which we will then have to enter every time the key is used. The -N option sets the passphrase on the command line instead, but that leaves it in the shell history and visible in the process list while the command runs, so prefer the interactive prompt. It is easier to remember one passphrase than many passwords, and with ssh-agent (or the keychain wrapper around it) we type it only once per session. The command is:


# ssh-keygen -t dsa -b 1024

(1024 is the only size ssh-keygen accepts for DSA; on OpenSSH 7.0 or later use -t ed25519 instead.)



We now have two files in $HOME/.ssh: id_dsa, the private key, and id_dsa.pub, the public key. With the command


# ssh-keygen -y -f /root/.ssh/id_dsa


we print the public key that we share with our host machines (it is the same single line stored in id_dsa.pub, so cat $HOME/.ssh/id_dsa.pub works as well; -y asks for the passphrase if one is set). That key has to be added to the target user's $HOME/.ssh/authorized_keys file on every host we want to reach.



NOTE:
Any computer that holds the private key can access any host that holds the public key. It is therefore the private key (id_dsa) that must be readable only by its owner (mode 600; ssh refuses to use a private key that others can read), and it should never be copied to a shared or untrusted machine. The public key (id_dsa.pub) can be made, well, public.


Now we log in to our host and add the public key to the authorized_keys file in the user's .ssh directory. The directory and the file may not exist, so we create them: mode 700 for .ssh and 600 for authorized_keys, both owned by the user. With the default StrictModes yes, sshd refuses to use the file (logging "bad ownership or modes") if the file, the .ssh directory or the home directory is writable by anyone else. Copy the public key to the clipboard, log in as the intended user, and append it as one line to authorized_keys; a pasted key that has wrapped across several lines will not work. On clients with OpenSSH this whole step is what ssh-copy-id user@host does.



On this same host, check that /etc/ssh/sshd_config allows this type of authentication. The following values are the OpenSSH defaults, so they usually only need to be confirmed or uncommented:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

sshd takes the first value it finds for each keyword, so a PubkeyAuthentication no earlier in the file wins over a yes appended at the end. After editing, run sshd -t to check the syntax, then reload sshd, and keep the current session open until a key login from a second session works.


Now, from the client machine, we log in without being asked for the account password; if the key has a passphrase, that is asked instead (once per session when ssh-agent holds the key). Once key login works on every host, consider setting PasswordAuthentication no in sshd_config so that a guessed or stolen password is no longer enough to get in.
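The whole procedure as a script, added here as an example; it is not the article's own code. It assumes OpenSSH on both ends and a POSIX shell, that the public key is carried to the server by hand (scp, or pasting) and that install_authorized_key is run on the server as the target user. Function names, paths and the key string in the usage comments are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes OpenSSH on both
# ends and a POSIX shell. The public key is carried to the server by hand;
# install_authorized_key then runs on the server as the target user.
# Function names and paths are assumptions made for this demonstration.
set -eu

# Client side: create the key pair. DSA (the article's -t dsa) is disabled
# by default since OpenSSH 7.0, so ed25519 is used. Without -N, ssh-keygen
# prompts for the passphrase, which keeps it out of the shell history.
generate_key() {
    keyfile="${1:-$HOME/.ssh/id_ed25519}"
    keydir=$(dirname "$keyfile")
    mkdir -p "$keydir" && chmod 700 "$keydir"
    ssh-keygen -t ed25519 -f "$keyfile" -C "$(whoami)@$(hostname)"
    chmod 600 "$keyfile"        # ssh refuses a private key others can read
    chmod 644 "$keyfile.pub"
}

# Server side: append one public key line to authorized_keys exactly once,
# with the permissions sshd's StrictModes check demands (home not writable
# by others, .ssh 0700, authorized_keys 0600). Creates the file if missing.
install_authorized_key() {
    home="$1"
    pubkey="$2"
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"
    chmod go-w "$home"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$authfile" && chmod 600 "$authfile"
    # -x whole line, -F literal: the same key is never added twice.
    if ! grep -qxF -e "$pubkey" "$authfile"; then
        printf '%s\n' "$pubkey" >> "$authfile"
    fi
}

# Server side: the value sshd will actually apply for a keyword. sshd_config
# uses the FIRST occurrence of a keyword, and everything after a Match line
# is conditional, so the scan stops there. Prints "default" if unset.
effective_sshd_setting() {
    keyword="$1"
    config="${2:-/etc/ssh/sshd_config}"
    value=$(awk -v k="$keyword" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$config")
    printf '%s\n' "${value:-default}"
}

# Typical use:
#   client:  generate_key            # then copy ~/.ssh/id_ed25519.pub over
#   server:  install_authorized_key "$HOME" "$(cat /tmp/id_ed25519.pub)"
#            effective_sshd_setting PubkeyAuthentication    # expect: yes
#            effective_sshd_setting PasswordAuthentication  # "no" once keys work
```

The permission handling is the part that bites in practice: a group-writable home directory or a 644 authorized_keys makes sshd fall back to password authentication with no hint at the client, and only the server log shows why. The authoritative check of what sshd has loaded is sshd -T (run as root), which prints the effective value of every keyword.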



Conclusion


If handled correctly, this helps us with our everyday tasks. Remember to use SSH whenever possible: telnet sends the password and the whole session across the network in clear text.


Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.




© 2012 Novell