MRG Interactive Developments
Mesoscale Research Group, McGill University
The best place to get the full story about secure connections is from the open version of the SSH protocol suite of network connectivity tools, OpenSSH. The OpenSSH suite includes secure tools for remote logins (ssh - replaces rlogin and telnet), remote file copy (scp - replaces rcp) and file transfer (sftp - replaces ftp). In addition, basic utilities for key generation and server functionality are provided with the package.
Some of the advantages of the OpenSSH secure network connection package are (from the OpenSSH FAQ page):
The basics about keys go something like this. SSH (SSH2 and OpenSSH) uses
keys as well as passwords to identify itself to a remote server. The
generated keys are a seemingly random assortment of characters that provide
authentication during the secure connection. During the key generation process
both public and private keys are constructed. Private keys should be kept on
the local machine, but public keys can be distributed to remote servers to
which the user requires password-free access. Whenever a connection is requested
on the remote server, the public key is encrypted and decrypted by the private
key. If the keys match then the connection is established; otherwise, the
user is prompted to enter a password interactively. For more information on
exactly how keys work, have a go at
"Introduction to Public-key Cryptography".
The basic principle that we're going to follow is pretty simple to understand
(we'll be connecting from machine B to machine A):
Setup for Password-free (Batch Mode) Secure Connections
Of course, you'll need accounts on both machines A and B (although you need
not have the same login name on both). We'll assume that we're working with
two SSH2 systems, except as noted for OpenSSH. Run
ssh -V
on each machine to make sure you know what flavours of the SSH software
are installed on each. (Note that the NCAR Supercomputers
run OpenSSH and that local University at Albany servers run SSH2, so you'll
have to follow the translation instructions provided below if you're creating
a connection from NCAR SCD.) First let's generate the keys on
the server (machine A):
ssh-keygen -t rsa
This basically gets our local directory ~/.ssh2 set up correctly on the server
(cedar if you're at SUNY). Next we'll generate the keys on the client machines
(machine B, one of the NCAR supercomputers in our example):
ssh-keygen -t rsa
ssh-keygen -t dsa
These generate sets of public keys (id_rsa.pub and id_dsa.pub) and private keys
(id_rsa and id_dsa).
Now, if the client (NCAR supercomputer in the example) machine is running OpenSSH
and the server is running SSH2, then you'll need to translate the key. This can
be accomplished by running (on machine B, the client):
ssh-keygen -e -f ~/.ssh/id_dsa.pub > id_dsa_ssh2.pub
Now we concatenate and transfer the (machine B) client's public keys to the server
(machine A):
cd ~/.ssh2
(or, if using OpenSSH): cd ~/.ssh
cat id_dsa.pub >newKeys
cat id_rsa.pub >>newKeys
scp newKeys user@local.domain:.ssh2/newKeys
(if using OpenSSH): scp id_dsa_ssh2.pub user@local.domain:.ssh2/id_dsa_ssh2.pub
Of course, you'll need to provide logins for each of these file transfers
(you could just as well use sftp if you'd prefer). Following the transfer
of the keys from machine B (client) to A (server), you need to finish the
authorization process (on machine A, the SUNY machine in our example):
cd ~/.ssh2
cat newKeys >>authorized_keys
(if using OpenSSH on the client): echo 'Key id_dsa_ssh2.pub' >>authorization
And that should be it. Now you should try a remote login from the client (machine B):
ssh user@local.domain
You should now be able to access the server in batch mode (without a password prompt).
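The authorization step on machine A, as an added example that is not part of the original page: it appends each key only once, so re-running the step does not pile up duplicate entries, and it checks for the group- or world-writable permissions that OpenSSH's sshd rejects when StrictModes is on (its default). The function names install_keys and audit_perms and the key lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page. install_keys and audit_perms
# are hypothetical helper names; the key lines below are constructed.

# install_keys NEWKEYS AUTHFILE
# Append each line of NEWKEYS to AUTHFILE unless that exact line is already
# present, then restrict the file and its directory to the owner.
# Prints the number of keys added.
install_keys() {
    newkeys=$1 authfile=$2
    dir=$(dirname "$authfile")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$authfile" && chmod 600 "$authfile" || return 1
    added=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        # -F fixed string, -x whole line: only an exact duplicate is skipped
        if ! grep -Fxq -- "$line" "$authfile"; then
            printf '%s\n' "$line" >>"$authfile"
            added=$((added + 1))
        fi
    done <"$newkeys"
    echo "$added"
}

# audit_perms PATH...
# Report every PATH that is group- or world-writable; return 1 if any is.
audit_perms() {
    bad=0
    for p in "$@"; do
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "writable by group/other: $p"
            bad=1
        fi
    done
    return "$bad"
}

# Demo in a scratch directory standing in for ~/.ssh2 on machine A.
demo=$(mktemp -d)
printf '%s\n' 'ssh-dss AAAAconstructedDSAkey user@machineB' \
              'ssh-rsa AAAAconstructedRSAkey user@machineB' >"$demo/newKeys"
echo "first run added:  $(install_keys "$demo/newKeys" "$demo/ssh2/authorized_keys")"
echo "second run added: $(install_keys "$demo/newKeys" "$demo/ssh2/authorized_keys")"
audit_perms "$demo/ssh2" "$demo/ssh2/authorized_keys" && echo "permissions ok"
rm -rf "$demo"
```

On a real account, pass the actual paths (for example ~/.ssh2/newKeys and ~/.ssh2/authorized_keys) and include the home directory in the audit_perms arguments.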
If something has gone wrong, and you still can't access the server, you should first
make sure of the SSH versions used by the two machines. Running the version query
ssh -V
will tell you which flavours of SSH are present on the machines. If you still have
trouble, a good applied resource is
Password-free login with SSH (if this link is broken, a text-only version resides
here). Many more examples and troubleshooting guides are
also available online.
Establishing a Password-free Secure Connection
After the setup of the secure server is complete, you will
be able to connect in (non-interactive) batch mode using the
OpenSSH utilities ssh and scp. For example, from the command line you can type:
ssh user@local.domain
to open a remote shell on the server. More useful, however, is the ability to transfer
files via scp in automated scripts. To transfer a file "foo" from the client to the
server, the command would look something like:
scp /path/to/foo user@local.domain:/path/to/copied/foo
Of course, the ssh command can also be used to execute commands on the remote machine
in the same way as rsh can be used in a non-secure environment in which the ~/.rhosts
file allows password-free access.
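For the automated scp transfers described above, an added example (not from the original page) of a wrapper that fails at once instead of waiting at a password prompt when key authentication does not succeed. The name push_file and the SCP override variable are hypothetical; the -o settings are standard OpenSSH client options.

```sh
#!/bin/sh
# Added example, not from the original page. push_file is a hypothetical
# helper; SCP may be pointed at another command to try the wrapper offline.
SCP=${SCP:-scp}

# push_file LOCAL REMOTE
# Copy LOCAL to REMOTE (user@host:path) using key authentication only.
# Returns 2 if LOCAL is unreadable, otherwise scp's own exit status.
push_file() {
    src=$1 dest=$2
    [ -r "$src" ] || { echo "push_file: cannot read $src" >&2; return 2; }
    rc=0
    # BatchMode=yes: never ask for a password or passphrase, so a missing or
    #   rejected key is an immediate error rather than a hung cron job.
    # StrictHostKeyChecking=yes: refuse a server whose host key is unknown
    #   or has changed instead of asking a question nobody will answer.
    # ConnectTimeout=10: give up on an unreachable server after 10 seconds.
    "$SCP" -q -o BatchMode=yes -o StrictHostKeyChecking=yes \
           -o ConnectTimeout=10 "$src" "$dest" || rc=$?
    [ "$rc" -eq 0 ] || echo "push_file: transfer to $dest failed ($rc)" >&2
    return "$rc"
}

# Usage in a script, with the page's placeholder host and paths:
#   push_file /path/to/foo user@local.domain:/path/to/copied/foo || exit 1
```

Because StrictHostKeyChecking=yes is set, the server's host key must already be in the client's known_hosts file, which the interactive test login from machine B takes care of.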