Sunday, October 17, 2010

Problem with passwordless SSH as ROOT equivalent user

Password less SSH using RSA/DSA public key helps a lot in automated file copying, scripts, cron, etc. but there found a trouble when a root equivalent user will try this mechanism.

It wont work if you just copy/append the public key to remote server's ~/.ssh/authorized_keys. The wrong thing here is when you generate public key it will make one with username root instead of the real user's name since the UID is 0. The hack to be done to fix this is just change the username at the end of the public key in authorized_keys at remote server.

. Change the username entry of Public key at remote location in authorized_keys from root to USER. If you have a single entry in authorized_keys you can run the below command. Otherwise open it in an editor and replace the ROOT with USERNAME for the specific key.

# sed -i 's/root/USER/g' /home/USER/.ssh/authorized_keys

Other general things to be taken care in SSH key mechanism are

· Set user and group of /home/USER to USER

# chown USER.USER –R /home/USER

· Changed the permission of /home/USER/.ssh to 700

# chown 700 /home/USER/.ssh

·
Changed the permission of all files under /home/USER/.ssh to 600

# chmod go-rwx /home/USER/.ssh/*


· Use ssh –i /home/USER/.ssh/id_rsa option for password less authentication

· Restart SSHD.

No comments: