Script to set up SSH trusted keys
20 July 2011
If you ever have to type the same sequence of three commands again, then turn this into a script - that’s a general rule on UNIX, or any other systems for that matter were the command line rules.
If you have to run process or copy files to another machine, than you are probably working with OpenSSH . One can establish a trust relationship between computer A / account A and Computer B / account B, so that ssh will not ask for a password when logging on to Computer B /account B while you are on computer A / account.
This effect is achieved by means of sharing a public / private key pair - hence the name trusted key; Computer A owns the private key, computer B receives the public key; During the logon process, computer A encrypts a message with its private key (only computer A is supposed to have this private key); computer B can use it’s public key in order to decrypt and verity the message, so that computer B knows that its computer A who is calling, and not some imposter.
Unfortunately it takes quite a long sequence of commands to set this up correctly, also most of the guides on the Internet that describe the process get it wrong. So it’s time for some scripting magic, the script will automate set up of trusted key. First of all the script can be seen here
./maketrust.sh -m <hostname> -u <user> [ -p <password> | -P | -d | -h]
This script automates setup of trusted key between the currently logged on
user account on the current host on the one hand, and the
remote <hostname> and <user> account on the other hand.
If the command succeeds then SSH/SCP/SFTP commands will not require
a password when logging on to <user>@<hostname>, while your are logged
in on the current user on current host.
Command line options
-m Remote host name
-u Remote user
-p password of remote machine (-P option is preferable, if you do not want others to
see your password with ps command, while this script is running).
-P prompt the user to enter command via terminal.
-d (optional) debug option. Creates log files maketrust.log and maketrust.log.expect.
So the process is as follows. Lets say o $HOSTNAME and $USERNAME are the local host and user names. o $RHOSTNAME and $RUSERNAME are the remote host and user names.
* On the local computer the public and private key pair is created
ssh-keygen -t dsa -f id_dsa -P ''"
* On the local computer installs the public and private key pair
mkdir -p ~/.ssh/${USERNAME }@${ HOSTNAME}/${RUSERNAME}@${RHOSTNAME}
mv id_dsa ~/.ssh/${USERNAME }@${ HOSTNAME}/${RUSERNAME}@${RHOSTNAME}
mv id_dsa.pub ~/.ssh/${USERNAME }@${ HOSTNAME}/${RUSERNAME}@${RHOSTNAME}
* On the local computer: edit the local machine’s SSH configuration so that it will pick up the correct public/private key pair. Add the following line to ~/.ssh/config file
IdentityFile ~/.ssh/ident/%u@%l/%r@%h/id_dsa
Now the last two steps were very important: SSH will now look for the keys in specific location, and you can install multiple keys without them interfering with one another; This IndentityFile definition will instruct OpenSSH to look for each trusted key in its separate directory:
* Set correct permissions (only the current user should be allowed to read from .ssh)
chmod 0700 ~/.ssh
chmod 0700 ~/.ssh/${USERNAME }@${ HOSTNAME}
chmod 0700 ~/.ssh/${USERNAME }@${ HOSTNAME}/${RUSERNAME}@${RHOSTNAME}
chmod 0700 ~/.ssh/${USERNAME }@${ HOSTNAME}/${RUSERNAME}@${RHOSTNAME}
chmod 0600 ~/.ssh/config
chmod 0600 ~/.ssh/${USERNAME }@${ HOSTNAME}/${RUSERNAME}@${RHOSTNAME}/id_dsa
chmod 0600 ~/.ssh/${USERNAME }@${ HOSTNAME}/${RUSERNAME}@${RHOSTNAME}/id_dsa.pub
* On the remote machine Copy id_dsa.pub to the remote machine Append content of id_dsa.pub to ~/.ssh/authorized_keys2
cat id_dsa.pub >>~/.ssh/authorized_keys2
Create the symbolic link
ln -s ~/.ssh/authorized_keys2 ~/.ssh/authorized_keys
Again set all permissions
chmod 0700 ~/.ssh
chmod 0600 ~/.ssh/authorized_keys
chmod 0600 ~/.ssh/ authorized_keys2
Scripting magic
Basically it’s a shell script generates the keys and installs them on local computer, then it that writes an installation shell script that contains the public key, later it writes two expect script to copy & run the installation script on another machine. Sort of I’d rather write programs to write programs than write programs By making a script out the long wound process, I would see the error that is apparently hidden in others tutorials that cover this subject.
Portability of shell scripting
Once upon a time you could rest assured that each Linux installation has a bash script shell; now that is no longer true. Ubuntu for instance gave up bash in favor of the dash shell. Well, I am still sticking with bash though; but any software sort of dies due to sudden changes of its environment; I guess this will true as long as you do not have real talking and improvising robots (Also see my Wall-E test of intelligent systems ).