So one day, my superior gave me a task to create a process that transports data (in a text file) from one nix box to another nix box. Since the target box has an internet-facing interface, a public IP, and doesn’t have any firewall installed in any form whatsoever, it has to be over SSL. So it’s either sftp or scp. The file transport will be part of a batch process. So I chose SCP over SFTP, since it only requires one line of command instead of a scripted process.
Since the process will be an unattended one, manually typing a password is out of the question, so I turned to public key authentication. Here are the steps:
1. Make sure the target SSH server accepts public key authentication
As root, open sshd_config on the target server, usually located in /etc/ssh/sshd_config
sudo nano /etc/ssh/sshd_config
Make sure these lines are present and not commented out
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
2. Make sure the ssh client knows where the private key is located
As root, open ssh_config on the client machine, usually located at /etc/ssh/ssh_config
sudo nano /etc/ssh/ssh_config
Make sure these lines are present and not commented out
IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa
3. Create a pair of private and public keys
To do public key authentication, you need a pair of keys. The private key is stored on the ssh client machine as your identification, and the public key is stored on the target ssh server, where sshd uses it to authenticate you.
Log into the ssh client machine with the account that you’ll be using to connect to the target server, and issue this command:
ssh-keygen -t dsa
The output should be similar to this
ikhsan@M5mobile:~/.ssh$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/ikhsan/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ikhsan/.ssh/id_dsa.
Your public key has been saved in /home/ikhsan/.ssh/id_dsa.pub.
The key fingerprint is:
be:4d:36:7c:29:a9:e0:8a:c0:c5:d5:65:40:fe:97:4b ikhsan@M5mobile
Since my requirement was passwordless authentication, I didn’t enter any passphrase. Note that the private (id_dsa) and public (id_dsa.pub) keys have been generated and stored in the .ssh directory
ikhsan@M5mobile:~$ cd .ssh
ikhsan@M5mobile:~/.ssh$ ls
authorized_keys id_dsa id_dsa.pub id_rsa id_rsa.pub
4. Install the public key into the target ssh server
Copy the public key to the target ssh server
ikhsan@M5mobile:~$ cd .ssh
ikhsan@M5mobile:~/.ssh$ scp id_dsa.pub surfer@M5base:/home/surfer/.ssh
surfer@M5base's password:
id_dsa.pub 100% 605 0.6KB/s 00:00
Log into the ssh server as the user that will use the passwordless authentication; in my case, it’s “surfer”. Install the public key on the server by issuing this command:
surfer@M5base:~$ cd .ssh
surfer@M5base:~/.ssh$ cat id_dsa.pub >> authorized_keys
The above commands will append the public key to the authorized_keys file. It is important to add the key with the above command so that any existing keys in the authorized_keys file are not overwritten.
update@10/0/2008
Sometimes the .ssh folder does not exist, and you have to create it manually. This may cause problems with the access restrictions on that folder. To create the folder, do the following:
surfer@M5base:~$ mkdir .ssh
surfer@M5base:~$ chmod -R 700 .ssh
Go here for more about the problem.
5. Test your connection
Try to log in to the target ssh server; the output should be close to this:
ikhsan@M5mobile:~/.ssh$ ssh surfer@M5base
Linux M5base 2.6.20-15-generic #2 SMP Sun Apr 15 07:36:31 UTC 2007 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Wed Oct 31 21:57:19 2007 from localhost
surfer@M5base:~$
Now you can test your setup by copying a file from the ssh client machine to the ssh server:
ikhsan@M5mobile:~$ scp w3sp_BigPianoAlbum.rar surfer@M5base:/home/surfer
w3sp_BigPianoAlbum.rar 100% 33MB 11.2MB/s 00:03
… and you’re done
Update@10/06/08
If you created the .ssh folder manually, you might run into a problem where public key authentication is skipped because of the permissions on the .ssh folder. Go here for the solution regarding this problem.
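Step 4 and the .ssh permission notes above, combined into one script as an added example (not part of the original post): it appends a public key only if it is missing, sets the 700/600 modes, and reports whether sshd's StrictModes check would pass. The names `install_pubkey` and `perms_ok`, the constructed key and the `192.0.2.10` address are assumptions; the `restrict` key option needs OpenSSH 7.2 or later.

```shell
#!/bin/sh
# Added example; perms_ok and install_pubkey are hypothetical helper names.

# Succeeds if PATH is not writable by group or others, which is what sshd's
# StrictModes requires of the home directory, ~/.ssh and authorized_keys.
perms_ok() {
    # In the ls -ld mode string, column 6 is group write, column 9 other write.
    case "$(ls -ld "$1" | cut -c6,9)" in
        *w*) return 1 ;;
        *)   return 0 ;;
    esac
}

# install_pubkey PUBKEY_FILE HOME_DIR [KEY_OPTIONS]
install_pubkey() {
    pub=$1; home=$2; opts=${3:-}
    ssh_dir="$home/.ssh"; auth="$ssh_dir/authorized_keys"

    # Accept only a single "<type> <base64> [comment]" line, so a private key
    # copied over by mistake is rejected instead of being appended.
    [ "$(grep -c '' "$pub")" -eq 1 ] || { echo "expected one key line" >&2; return 1; }
    key=$(cat "$pub")
    case "$key" in
        ssh-*\ AAAA*|ecdsa-*\ AAAA*) ;;
        *) echo "not a public key: $pub" >&2; return 1 ;;
    esac
    blob=$(printf '%s\n' "$key" | awk '{print $2}')

    # Create the directory and file private from the start, then force the
    # modes in case they already existed with looser permissions.
    ( umask 077; mkdir -p "$ssh_dir" && touch "$auth" ) || return 1
    chmod 700 "$ssh_dir" && chmod 600 "$auth" || return 1

    # Append (never overwrite), and only if this key is not already installed.
    if ! grep -qF -- "$blob" "$auth"; then
        printf '%s\n' "${opts:+$opts }$key" >> "$auth"
    fi
    perms_ok "$home" && perms_ok "$ssh_dir" && perms_ok "$auth"
}

# Demo in a throwaway directory with a constructed, non-functional key.
demo=$(mktemp -d)
echo 'ssh-dss AAAAB3NzaC1kc3MAAACBAEXAMPLEONLY ikhsan@M5mobile' > "$demo/id_dsa.pub"
install_pubkey "$demo/id_dsa.pub" "$demo" 'from="192.0.2.10",restrict' &&
    cat "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```

Because the batch key has no passphrase, the `from=` and `restrict` options limit where it can be used from and what a session opened with it can do.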
Not bad. Please don't delete this article, okay? It's important for services like this, he he he.
Will do commander!
Good stuff! Followed your instructions step-by-step in a Solaris environment and it worked perfectly! Saved me a lot of headache! Thanks!
glad to hear that 🙂
[…] it in a single line. Since the sftp command does not support “sshpass” you have to have key-based passwordless authentication. This is IMHO the most correct way to do these kind of […]