
SSO with SSH

Novell Cool Solutions: Trench
By Nicolas Barberis


Posted: 17 Jan 2006
 

It applies to:

  • Novell Linux Desktop

  • SUSE Linux Enterprise Server

  • SUSE LINUX Professional

  • Any other Linux

Introduction:

As a consultant, I access many different Linux and Unix machines for administration purposes. Remembering all those passwords is difficult, and writing them down is risky (please don't). Through a feature of SSH we can implement SSO access to our different Linux servers. We need either a Linux client with ssh or, from Windows, an SSH client such as PuTTY (not covered here).

From the README file: Ssh (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. It is intended as a replacement for rlogin, rsh, and rcp.

Description

A normal login looks like this: when we connect to the host machine, it prompts for a user name and a password.

SSH has a feature called the public key authentication method, which consists of a public and a private key pair, similar to the RSAAuthentication method of SSH protocol version 1 (PubkeyAuthentication is its protocol version 2 counterpart). We will use this feature so that the host machine grants us access without prompting for the password. We can protect the private key with a passphrase for additional security (recommended). We will create a pair of keys (public and private) that we will use to access our servers this way. These keys are created using the ssh-keygen command. The OpenSSH release this article was written against printed all the options when the command was issued with no options; current releases instead start generating an RSA key, so read ssh-keygen(1) for the option list.

The -b option sets the key length. The original advice here (at least 512 bits, 1024 recommended, "larger keys don't improve security") is wrong and out of date: larger keys do matter, and OpenSSH today refuses RSA keys shorter than 1024 bits, requires DSA keys to be exactly 1024 bits, and has disabled DSA keys for authentication by default since OpenSSH 7.0. Use an Ed25519 key (no -b needed), or RSA with at least 3072 bits. The command will prompt for the file location if the -f option is not used; the default location is $HOME/.ssh/id_(type). We can also set the passphrase here (-N option, or interactively); this passphrase is asked for every time the private key is used, so it becomes the one secret to remember instead of many passwords. With ssh-agent (or the keychain wrapper around it) you type the passphrase only once per session. The article originally used ssh-keygen -t dsa -b 512, which no current OpenSSH accepts; the equivalent today is:

# ssh-keygen -t ed25519

Now we have two files created in $HOME/.ssh: id_ed25519 (the private key) and id_ed25519.pub (the public key). With the command

# ssh-keygen -y -f /root/.ssh/id_ed25519

we can print the public key (the same single line that is in the .pub file) that we have to install on our host machines. That line has to be added to the user's .ssh directory in their home directory on each host.

NOTE: Any computer that holds the private key can access any host that holds the public key. It's important that the private key (id_ed25519, not the .pub file) is readable only by its owner; ssh refuses to use a private key with looser permissions. The public key can be made, well, public.

Now we must log in to our host and copy that public key line to the authorized_keys file located in the user's .ssh directory. It might not exist, so we can create it (one key per line). Copy the public key to the clipboard, log in as the intended user, go to the .ssh directory and append the public key to the authorized_keys file. The .ssh directory must be mode 700 and authorized_keys mode 600, both owned by the user; with the default StrictModes yes, sshd silently ignores the file otherwise, and the host falls back to asking for the password. The ssh-copy-id script shipped with OpenSSH (ssh-copy-id user@host) does the copy and the permissions for you.

On this same host, check that /etc/ssh/sshd_config allows this type of authentication. These are the defaults, so normally nothing needs to change; if they have been altered, set them and reload sshd:

PubkeyAuthentication yes

AuthorizedKeysFile .ssh/authorized_keys

The AuthorizedKeysFile path is relative to the user's home directory. Once key login works for every account you need, you can set PasswordAuthentication no on the host, but verify key login from a second session before closing the one you are in.

Now, from the client machine, we can log in without being asked for the password (only for the key passphrase, if we set one):
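The client and host sides of the procedure above, as an added example that is not part of the original article: a function that installs a public key line into a user's authorized_keys with the permissions sshd requires and without creating duplicates, a permission check, and a demo that runs both in a scratch directory. The key material, user names and paths are constructed for the demo; the real ssh-keygen is used when it is installed, otherwise a constructed key line with the right shape.

```sh
#!/bin/sh
# Added example (not from the original article): install a public key into
# ~/.ssh/authorized_keys the way sshd expects it. Key material, user names
# and paths below are constructed for the demo.
set -eu

# install_pubkey AUTHORIZED_KEYS_PATH "PUBLIC_KEY_LINE"
# Creates ~/.ssh and authorized_keys if needed, sets the permissions that
# sshd's StrictModes (on by default) insists on, and appends the key only
# if the same key is not already present. Assumes plain key lines
# ("type base64 [comment]") without a leading options field.
install_pubkey() {
    keyfile=$1
    pubkey=$2
    sshdir=$(dirname "$keyfile")
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$keyfile"
    chmod 600 "$keyfile"
    # A key's identity is its type and base64 blob; the comment is free text,
    # so the same key with a different comment is still a duplicate.
    keyid=$(printf '%s\n' "$pubkey" | awk '{print $1 " " $2}')
    if ! awk -v id="$keyid" '($1 " " $2) == id {found = 1} END {exit !found}' "$keyfile"; then
        printf '%s\n' "$pubkey" >> "$keyfile"
    fi
}

# count_keys AUTHORIZED_KEYS_PATH -> number of key lines (blank and # lines ignored)
count_keys() {
    grep -c -v -e '^#' -e '^[[:space:]]*$' "$1" || true
}

# check_perms SSH_DIR -> 0 if the directory is 0700 and authorized_keys is
# 0600, 1 otherwise. With looser modes sshd ignores the file and asks for
# the password again, which is the usual reason "it still prompts".
check_perms() {
    d=$1
    [ "$(ls -ld "$d" | cut -c1-10)" = "drwx------" ] || return 1
    [ "$(ls -l "$d/authorized_keys" | cut -c1-10)" = "-rw-------" ] || return 1
    return 0
}

# Demo: the client side (key generation and printing the public key with
# ssh-keygen -y) and the host side (installing it) in one scratch directory.
demo() {
    tmp=$(mktemp -d)
    if command -v ssh-keygen >/dev/null 2>&1; then
        # Empty passphrase only because this is a throwaway demo key.
        ssh-keygen -q -t ed25519 -N '' -C "consultant@laptop" -f "$tmp/id_ed25519"
        pubkey=$(ssh-keygen -y -f "$tmp/id_ed25519")   # same line as id_ed25519.pub
    else
        # Constructed key line, not real key material.
        pubkey="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoKeyNotRealAAAAAAAAAAAAAAAAA consultant@laptop"
    fi
    ak="$tmp/host/.ssh/authorized_keys"
    install_pubkey "$ak" "$pubkey"
    install_pubkey "$ak" "$pubkey"   # running it twice must not duplicate the key
    echo "keys installed: $(count_keys "$ak")"
    check_perms "$tmp/host/.ssh" && echo "permissions OK"
    rm -rf "$tmp"
}

demo
```

Run it as any user; it never touches a real ~/.ssh. On a real host you would call install_pubkey with "$HOME/.ssh/authorized_keys" while logged in as the target user, which is what ssh-copy-id does for you.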

Conclusion

If handled correctly, this helps us with our everyday tasks. Remember to use SSH whenever possible, since telnet sends everything, passwords included, in clear text.


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell