Headup: April 2012

Suppose you want to use Linux and OpenSSH to automize your tasks or you just don't want to type the password every time you connect to a server.

You can solve this issue by doing this.

Scenario:
skyline wants to connect to veyron using ssh without a password.

By default, the ssh command has the order to check for authentication: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password

[0] skyline ~ $ ssh alvaro@veyron -v 
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to veyron[10.10.1.194] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /Users/alvaro/.ssh/identity type -1
debug1: identity file /Users/alvaro/.ssh/id_rsa type 1
debug1: identity file /Users/alvaro/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Next authentication method: publickey
debug1: Trying private key: /Users/alvaro/.ssh/identity
debug1: Offering public key: /Users/alvaro/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /Users/alvaro/.ssh/id_dsa
debug1: Next authentication method: password
alvaro@veyron's password:

Checking the ssh server authorized_keys configuration:

root # grep -e Authorized -e Pubkey /etc/ssh/sshd_config | grep -v '#'
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

Generating public/private rsa key pair:

[0] skyline ~ $ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/alvaro/.ssh/id_rsa): 
Created directory '/Users/alvaro/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/alvaro/.ssh/id_rsa.
Your public key has been saved in /Users/alvaro/.ssh/id_rsa.pub.
The key fingerprint is:
53:1d:8a:f8:93:a8:1e:e2:9d:db:f8:ca:3d:73:5a:60 alvaro@skyline
The key's randomart image is:
+--[ RSA 2048]----+
|            .    |
|       . . o .   |
|      . . o .    |
|       o o       |
|      E S        |
|     o . o       |
|  . o   .        |
| . = *o..        |
|  . O+==         |
+-----------------+

[0] skyline ~ $ ssh alvaro@veyron mkdir -p .ssh 
Password: 
[0] skyline ~ $ cat .ssh/id_rsa.pub | ssh alvaro@veyron 'cat >> .ssh/authorized_keys'
Password:

[0] skyline ~ $ cat .ssh/config 
Host veyron
    User alvaro
    Hostname 10.10.1.194

Verbose connection:

[0] skyline ~ $ ssh alvaro@veyron -v 
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /Users/alvaro/.ssh/identity type -1
debug1: identity file /Users/alvaro/.ssh/id_rsa type 1
debug1: identity file /Users/alvaro/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Next authentication method: publickey
debug1: Trying private key: /Users/alvaro/.ssh/identity
debug1: Offering public key: /Users/alvaro/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Tue Apr 24 14:50:42 CDT 2012 from skyline.headup.ws on ssh
alvaro@veyron ~ $

Clean ssh execution:

[0] skyline ~ $ ssh veyron
Last login: Tue Apr 24 14:50:42 CDT 2012 from skyline.headup.ws on ssh
alvaro@veyron ~ $

As a sysadmin, I need to generate lots of passwords and sometimes if you do so without a script the generated password becomes really easy to guess, and also is hard to build a safe password.

Because of this I use this script to generate pseudo-random passwords, is not an un-crackable method but solves the main problem.
You can put this code at the end of your .bashrc file, in order to make it like a system command, please do not remove the other lines in the file.

skyline ~ $ cd
skyline ~ $ vi .bashrc

##
##      By: Alvaro Soto - alvaro@headup.ws
##      http://headup.ws/node/18
##
##      genpasswd: Generate a pseudo random password
##                  using a given length (default = 20).
##

genpasswd() {
    local l=$1
        [ "$l" == "" ] && l=20
        tr -dc A-Z0-9_[%#?]a-z < /dev/urandom | head -c ${l} | xargs
}

##
##
##

skyline ~ $ . .bashrc
skyline ~ $ genpasswd 
vie8e4d5naTCH70XvDyT
skyline ~ $ genpasswd 10
ts0QtdPe_x
skyline ~ $ genpasswd 5
5nw5Q

Is a less secure option to pwgen but it doesn't need a compiler.

skyline ~ $ emerge pwgen -s
Searching...    
[ Results for search key : pwgen ]
[ Applications found : 1 ]

*  app-admin/pwgen
      Latest version available: 2.06-r1
      Latest version installed: 2.06-r1
      Size of files: 30 kB
      Homepage:      http://sourceforge.net/projects/pwgen/
      Description:   Password Generator
      License:       GPL-2

In action:

skyline ~ $ pwgen 20 --capitalize --symbols --numerals --secure  1
H2]}K/JGVs<523Xuv?"Y 
skyline ~ $ pwgen 10 --capitalize --symbols --numerals --secure 1
JZ7a*&|:RP 
skyline ~ $ pwgen 5 --capitalize --symbols --numerals --secure 1
`Aw8D

Headup

Pages

Search This Blog

Tuesday, April 24, 2012

SSH login without password

Tuesday, April 10, 2012

Headup Portage Tree

Saturday, April 7, 2012

[Solved] su: /bin/bash: Permission denied

Thursday, April 5, 2012

Easy password generator command

About Me

Blog Archive

Labels