SSO with SSH
Novell Cool Solutions: Trench
By Nicolas Barberis
Digg This -
Posted: 17 Jan 2006
It applies to:
Novell Linux Desktop
SUSE Linux Enterprise Server
SUSE LINUX Professional
Any other Linux
As a consultant, I access many different Linux and Unix machines for administration porpouses. Remembering all those passwords can be difficult, and risky (if you write them down - please don't). Through a feature of SSH we can implement a SSO access to our different Linux servers. We need either a Linux client with ssh or, from windows, an ssh client as putty (not covered).
From the readme file: Ssh (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over unsecure channels. It is intended as a replacement for rlogin, rsh, and rcp.
A normal login looks like this:
When we connect to the host machine, it prompts for user and password.
SSH has a feature called the public key authentication method, which consist in a public and private key similar to the RSA authentication method. We will use this feature so that the host machine grants us access without prompting for the password. We can configure a passphrase for additional security (recommended). We will create a pair of keys (public and private) that we will use to access our servers this way. These keys are created using the ssh-keygen command. You can find all the options that this command provides by issuing the command with no options:
Note that the number of bits has to be at least 512, though 1024 is recommended since larger keys don't improve security and makes things go slower. The command will prompt for the file location if the -f option is not used. The default location is $HOME/.ssh/id_(type). Also we could set the passphrase here (-N option), this passphrase is going to be asked every time we login. It's easier to remember 1 passphrase than many passwords. Also you could use keychain so that you will have to type the passphrase only one time per session. The command is:
# ssh-keygen -t dsa -b 512
Now we have two files created on $HOME/.ssh. id_dsa and id_dsa.pub. With the command
# ssh-keygen -y -f /root/.ssh/id_dsa
we can print the public key that we have to share to our host machines. That key has to be imported to the user's .ssh directory in their home directory.
NOTE: Any computer that holds the private key can access any host that holds the public key. It's important that the public key is only readable by the owner. The public key can be made, well, public, duh.
Now we must login to our host and copy that public key to the authorized_keys files located in the .ssh user directory. It might not exist, so we can create it. Copy the public key to the clipboard, log in as the intended user, go to the .ssh directory and insert the public key to the authorized_keys file.
On this same host we have to modify the /etc/ssh/sshd_config file to allow us to use this type of authentication. Modify the next values
Now, from the client machine, we can login without being asked for the password:
If handled correctly, this helps us with our every day tasks. Remember to use SSH when possible, since telnet is unreliable and insecure.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com