Passphrase-less Authentication and using ssh-agent

Introduction:

Passphraseless authentication is logging on to a remote system without supplying a passphrase or password. The disadvantage of password authentication is that a password transmitted in plaintext can be sniffed and read by someone on the network, can be captured by a keystroke logger, can be seen over your shoulder as you type, and is also susceptible to brute-force attacks. OpenSSH offers public key authentication as an alternative to password authentication. Public key authentication uses a key pair: the private key is stored securely on the local host while the public key is copied to the remote SSH server. We can use these keys for passphraseless authentication either by
1)  using ssh-agent, or
2)  protecting the private key with a blank passphrase, which is not recommended.

Key Generation: 

ssh-keygen is the utility used to generate authentication keys. It can create RSA keys for use with SSH protocol version 1 and RSA/DSA keys for use with SSH protocol version 2. The type of key to be generated is specified with the -t option.

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/aisha/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/aisha/.ssh/id_rsa.
Your public key has been saved in /home/aisha/.ssh/id_rsa.pub.
The key fingerprint is:
b5:4e:c6:a0:b0:8e:4f:44:a8:b7:d6:1c:b0:e1:36:94 aisha@test.example.com

It asks for a passphrase to protect the private key; care should be taken to choose a very strong one. The command creates both the private and the public key under the .ssh directory of the user's home directory: id_rsa is the private key and id_rsa.pub is the public key. To use a different filename, pass the -f option to ssh-keygen.


$ ls -l
-rw-------  1 aisha users  951 Oct 12 11:57 id_rsa
-rw-r--r--  1 aisha users  253 Oct 12 11:57 id_rsa.pub

Public Key Authentication:

Once the keys are generated, we need to copy the contents of the public key (id_rsa.pub) and append it to the authorized_keys file on the remote SSH server. authorized_keys stores the accepted public keys, one per line.

aisha@aisha-laptop:~/.ssh$ ls -l authorized_keys
-rw------- 1 aisha users 402 2009-10-10 23:30 authorized_keys

We are now in a position to test the Public key Authentication.

$ ssh  test.testdomain.com  uptime
 Enter passphrase for key '/home/aisha/.ssh/id_rsa': 
 12:04:50 up 27 days, 27 min,  5 users,  load average: 0.00, 0.00, 0.00

It asks for the passphrase to decrypt the key. Once the correct passphrase is provided, the user is authenticated to the remote host. If a wrong passphrase is given for the key, the client falls back to password authentication. Our aim is to achieve passwordless authentication; we will look at that in the next section.

Passphraseless Authentication:

To set up passphraseless authentication, we generate keys with ssh-keygen as before, but when ssh-keygen asks for a passphrase to protect the private key we simply press Enter to leave it blank. Then copy the contents of the public key into the authorized_keys file on the remote machine; this sets up the key for passwordless authentication.

$ ssh test.testdomain.com uptime
 13:05:01 up 27 days,  1:27,  5 users,  load average: 0.00, 0.00, 0.00

Phew! That demonstrates successful authentication without typing a password, but it is not at all recommended: the passphrase is what protects the key, making it unusable by anyone who does not know it. We should always protect the private key with a strong passphrase so that a stolen key file cannot be used. Alternatively, we can use `ssh-agent', which lets us keep our keys protected with a passphrase yet still authenticate without typing it each time.
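Both sections above say to append the public key to authorized_keys on the remote server. The helper below is an added example, not code from the original post: it appends the key line exactly once (matching on key type and base64 blob, so a changed comment is still a duplicate) and sets the directory to 700 and the file to 600 as in the listings above (sshd with the default StrictModes refuses the file if it or ~/.ssh is writable by others). The function name and its return codes are this example's own choices.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS
# Appends the single line of PUBKEY_FILE to AUTHORIZED_KEYS exactly once and
# sets the permissions shown in the post (dir 700, file 600).
# Returns 0 when added, 1 when the key was already present, 2 on bad input.
install_pubkey() {
    pub=$1
    auth=$2
    [ -f "$pub" ] || { echo "no such public key file: $pub" >&2; return 2; }
    keyline=$(head -n 1 "$pub")
    # an OpenSSH public key line is: key-type base64-blob [comment]
    set -- $keyline
    case ${1:-} in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key line: $pub" >&2; return 2 ;;
    esac
    keytype=$1
    keyblob=${2:-}
    [ -n "$keyblob" ] || { echo "missing key material in $pub" >&2; return 2; }
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir" || return 2
    touch "$auth" && chmod 600 "$auth" || return 2
    # match on type and blob only, so a different comment is still a duplicate
    if awk -v t="$keytype" -v b="$keyblob" \
           '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth"; then
        echo "key already present in $auth" >&2
        return 1
    fi
    printf '%s\n' "$keyline" >> "$auth"
}
```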

Using ssh-agent:

ssh-agent is a utility that holds the private keys used for public key authentication (RSA, DSA). To start it, simply type ssh-agent in the terminal.

[aisha@localhost /]$ ssh-agent 
SSH_AUTH_SOCK=/tmp/ssh-HGhwQP4786/agent.4786; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4787; export SSH_AGENT_PID;
echo Agent pid 4787;

ssh-agent prints the shell commands shown above. We need to set these environment variables ourselves, because the ssh client program `/usr/bin/ssh' finds the agent through them. Rather than typing them in by hand, we can use the bash `eval' command to execute the agent's output as commands:

[aisha@localhost ~]$ ssh-agent 
SSH_AUTH_SOCK=/tmp/ssh-IuUtmx7064/agent.7064; export SSH_AUTH_SOCK;
SSH_AGENT_PID=7065; export SSH_AGENT_PID;
echo Agent pid 7065;
[aisha@localhost ~]$ env | grep SSH_AUTH
[aisha@localhost ~]$ eval `ssh-agent`
Agent pid 7069
[aisha@localhost ~]$ env | grep SSH_AUTH
SSH_AUTH_SOCK=/tmp/ssh-hEfSsG7068/agent.7068

To kill the ssh-agent, we can use the -k option.

[aisha@localhost ~]$ ssh-agent -k
unset SSH_AUTH_SOCK;
unset SSH_AGENT_PID;
echo Agent pid 7069 killed;
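Running eval `ssh-agent` in every new shell starts a fresh agent each time and leaves the old ones behind. The helper below is an added example, not part of the original post: it reuses an agent that is already reachable through SSH_AUTH_SOCK (ssh-add -l exits 0 with keys loaded, 1 with none, 2 when it cannot contact an agent) and only starts a new one when needed, picking the two variables out of ssh-agent's output rather than eval'ing it. The function names are this example's own.

```shell
#!/bin/sh
# agent_status: 0 = agent reachable and holding keys, 1 = reachable but
# empty, 2 = no usable agent (socket missing or ssh-add cannot connect)
agent_status() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] || return 2
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -le 1 ] || rc=2
    return "$rc"
}

# parse_agent_output OUTPUT: pick SSH_AUTH_SOCK and SSH_AGENT_PID out of
# the "VAR=value; export VAR;" lines ssh-agent prints, without eval'ing them
parse_agent_output() {
    sock=$(printf '%s\n' "$1" | sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p')
    pid=$(printf '%s\n' "$1" | sed -n 's/^SSH_AGENT_PID=\([^;]*\);.*/\1/p')
    [ -n "$sock" ] && [ -n "$pid" ] || return 1
    SSH_AUTH_SOCK=$sock
    SSH_AGENT_PID=$pid
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# ensure_agent: keep the current agent if ssh-add can talk to it, otherwise
# start one (-s forces Bourne-shell style output whatever $SHELL is)
ensure_agent() {
    rc=0
    agent_status || rc=$?
    [ "$rc" -eq 2 ] || return 0
    out=$(ssh-agent -s) || return 1
    parse_agent_output "$out"
}

# Typical use from a login script:  ensure_agent && ssh-add
```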

SSH-Agent Key Management:

After starting ssh-agent, we need to add keys to it. `ssh-add' is the utility that adds RSA or DSA identities to the authentication agent. The following are common options to use with ssh-add:

-l: list the keys currently held by the agent
-d: delete keys from the agent

Simply typing ssh-add on the command line adds all of the user's default keys to the agent. If a key is protected by a passphrase, ssh-add asks for it in order to decrypt the key.

[aisha@localhost ~]$ ssh-add 
Enter passphrase for /home/aisha/.ssh/id_rsa: 
Identity added: /home/aisha/.ssh/id_rsa (/home/aisha/.ssh/id_rsa)
Identity added: /home/aisha/.ssh/identity (aisha@localhost.localdomain)

In our case, /home/aisha/.ssh/identity is not protected by a passphrase.

To list the keys held by the agent, use the -l option.

$ ssh-add -l
2048 c3:6b:14:77:5e:8d:f5:d8:bc:1f:b6:bf:88:af:1c:a3 aisha@localhost.localdomain (RSA1)
2048 88:a2:4f:fe:49:8a:99:fd:7c:3d:df:39:59:1a:5e:c1 /home/aisha/.ssh/id_rsa (RSA)

To remove keys from the agent, use the -d option:

[aisha@localhost ~]$ ssh-add -d
Identity removed: /home/aisha/.ssh/id_rsa (/home/aisha/.ssh/id_rsa.pub)
Identity removed: /home/aisha/.ssh/identity (aisha@localhost.localdomain)

Run without arguments, -d removes all keys held by the agent. To remove a particular key, pass the key file as an argument.

$ ssh-add -d  /home/aisha/.ssh/id_rsa 
Identity removed: /home/aisha/.ssh/id_rsa (/home/aisha/.ssh/id_rsa.pub)


Passphraseless Authentication using ssh-agent:

For passphraseless authentication, we generate the keys with ssh-keygen and protect the private key with a strong passphrase. The contents of the public key are copied to the authorized_keys file on the remote SSH server. Once that is done, we use ssh-add to load the key into the ssh-agent.

[aisha@localhost ~]$ eval `ssh-agent`
Agent pid 16335
[aisha@localhost ~]$ ssh-add 
Enter passphrase for /home/aisha/.ssh/id_rsa: 
Identity added: /home/aisha/.ssh/id_rsa (/home/aisha/.ssh/id_rsa)

$ ssh test.testdomain.com uptime
 13:26:19 up 27 days,  1:49,  5 users,  load average: 0.00, 0.00, 0.00

Phew! We have successfully demonstrated authentication without entering the passphrase. The only time we need to enter the passphrase is when we add keys to the agent. After that we can authenticate without a passphrase to any number of hosts that hold our public key.


Some Limitations of SSH-Agent:

We have seen that ssh-agent provides a safer method of passphraseless authentication than protecting the private key with a blank passphrase. But ssh-agent also has security concerns that should be taken into consideration. When we start an ssh-agent, it creates a unix-domain socket under /tmp, a directory that is world rwx. The good thing is that the socket is made accessible only to the current user: every running ssh-agent instance puts its socket in a directory with restrictive permissions that only that user can access. But please note that it can be easily abused by the root user, who is not bound by those permissions.

$ ls -ld /tmp/ssh-*
drwx------  2 aisha  users   4096 Aug 19 13:36 /tmp/ssh-EiFcv14604
drwx------  2 vsftpdz vsftpdz 4096 Oct 12 14:41 /tmp/ssh-HxgJF15447
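The permissions in that listing are the only thing keeping other unprivileged users away from the agent, so they are worth checking. The script below is an added example, not part of the original post: it verifies that an agent directory is owned by the calling user and is mode drwx------, that any agent socket inside it is srw-------, and runs that check over every /tmp/ssh-* directory of the current user. The function names are this example's own; it reports problems but does not fix them, and nothing it checks restrains root.

```shell
#!/bin/sh
# agent_dir_is_private DIR: 0 if DIR is owned by the calling user, is mode
# drwx------ and every agent socket in it is srw-------; 1 otherwise
agent_dir_is_private() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    perm=$(ls -ld "$dir" | cut -c1-10)
    owner=$(ls -ld "$dir" | awk '{print $3}')
    me=$(id -un)
    if [ "$owner" != "$me" ]; then
        echo "$dir: owned by $owner, not $me" >&2
        return 1
    fi
    if [ "$perm" != "drwx------" ]; then
        echo "$dir: mode is $perm, expected drwx------" >&2
        return 1
    fi
    # the socket itself is created by ssh-agent as srw------- (owner only)
    for s in "$dir"/agent.*; do
        [ -S "$s" ] || continue
        smode=$(ls -l "$s" | cut -c1-10)
        if [ "$smode" != "srw-------" ]; then
            echo "$s: mode is $smode, expected srw-------" >&2
            return 1
        fi
    done
    return 0
}

# audit_agent_dirs [PATTERN]: check every agent directory matching PATTERN
# (default /tmp/ssh-*) that belongs to the calling user; 1 if any fails
audit_agent_dirs() {
    bad=0
    me=$(id -un)
    for d in ${1:-/tmp/ssh-*}; do
        [ -d "$d" ] || continue
        # other users' agent directories are theirs to audit, skip them
        [ "$(ls -ld "$d" | awk '{print $3}')" = "$me" ] || continue
        agent_dir_is_private "$d" || bad=1
    done
    return "$bad"
}
```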

Conclusion:

Thus we have demonstrated how to get rid of password authentication by using public key authentication. We have seen how to create keys and use them for authentication, how to use ssh-agent, how to manage keys with ssh-agent, and how to use ssh-agent for passphraseless authentication.
