[Beowulf] Password less ssh

Robert G. Brown rgb at phy.duke.edu
Wed Dec 8 17:47:30 PST 2004


On Wed, 8 Dec 2004, Suvendra Nath Dutta wrote:

> On Wed, 2004-12-08 at 16:01 -0500, Robert G. Brown wrote:
> > On Wed, 8 Dec 2004, Suvendra Nath Dutta wrote:
> > 
> > > This is exactly the steps I followed from another past email in this list. 
> > > But it didn't work for me. Which is why I wondered if something was 
> > > different about this particular version of OpenSSH or SUSE.
> > 
> > I doubt it, although I don't use SUSE so I cannot be certain.
> > 
> > I think (in agreement with several others on the list) that the problem
> > is that you were doing things as root that are really dangerous, really
> > bad things to do as root.  For example, if you REALLY copied root's
> > /root/.ssh directory to all your users' directories and had set root's
> > directory up so that password-free login was possible, it is quite
> > possible that now all of your users can login as root without a
> > password.
> > 
> 
> With trepidation (always advised when speaking to someone who harnesses
> the Brahma), I wonder if this is absolutely true. Because, public keys
> don't identify users, they identify machines. So although every user
> uses public keys generated by the root user, they all just identify the
> originating machine. SSH verifies the machine is who they claim to be,
> and allows access to the user (but only as the user). If someone now says
> ssh -l root clientmachine they'll be asked for the root password. This
> is I believe as it should be and easily verified to be true (I just did
> it before emailing to be sure).

Try it not as root.  In fact, if you've copied the same keypairs into
all your users' directories:

  a) su to root 
  b) su to the first user of your choice (user1)
  c) ssh machine -l user2

and you should be able to login as user2 from user1's account without a
password.  In the best experimental tradition, I just tried this, and it
most definitely >>can<< work.

Whether or not it DOES work, and whether or not it works for root in
particular, depends (IIRC) on the contents of various files in
/etc/pam.d and settings in /etc/ssh/ssh*_config.  As in I believe that
one can set it up so that passwordless root logins from any source are
always forbidden -- or not -- in the authentication stack in various
places.  I think this is one of the reasons that ssh seems so
complicated and seems to work differently for different persons on
different machines.  I also could be mistaken -- I'm not a PAM expert
and am not totally familiar with the effect of all the controls therein,
although I have played with it various times in the past to try to get
things to work.

That's the (double) reason I was warning you, as I don't know whether or
not there are things in root's authentication chain that will prevent
password free login in your particular SUSE setup, but it is very likely
that what you've done will enable any user to become any other user at
will.  This is obviously just as bad.  Each user needs their own private
keypair, or Bad Things Can Happen.  

Hmmm, on some of MY systems (at home inside my firewall), I've just set
it up so one CAN do ssh hostname -l root if one copies the appropriate
public key into /root/.ssh/authorized_keys.  So that certainly can work
as well.  Yessir, Bad Things.  You Have Been Warned.

  rgb

-- 
Robert G. Brown	                       http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525     email:rgb at phy.duke.edu
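
Added example (not part of the original message): a small audit that flags any public key present under more than one account, which is the condition the message warns about when one keypair is copied into every user's .ssh directory. The /home and /root paths, the function names and the sample keys are assumptions made for illustration; the sample keys are constructed and are not real keys.

```python
import base64, hashlib
from collections import defaultdict
from pathlib import Path

def fingerprint(line):
    """SHA256 fingerprint (ssh-keygen -l style) of a public-key line, else None."""
    if line.lstrip().startswith("#"):
        return None
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-", "sk-")):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                continue  # token only looked like a key type (e.g. inside an option)
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None

def shared_keys(lines_by_user):
    """Map fingerprint -> sorted accounts, for keys seen under more than one account."""
    owners = defaultdict(set)
    for user, lines in lines_by_user.items():
        for line in lines:
            fp = fingerprint(line)
            if fp:
                owners[fp].add(user)
    return {fp: sorted(users) for fp, users in owners.items() if len(users) > 1}

def collect(home_root="/home", root_dir="/root"):
    """Gather *.pub and authorized_keys lines per account (paths are assumptions)."""
    found = defaultdict(list)
    for home in list(Path(home_root).glob("*")) + [Path(root_dir)]:
        ssh = home / ".ssh"
        try:
            for path in list(ssh.glob("*.pub")) + [ssh / "authorized_keys"]:
                if path.is_file():
                    found[home.name].extend(path.read_text(errors="replace").splitlines())
        except OSError:
            continue  # unreadable directory or file: skip this account
    return found

def fake_key(tag):
    """Constructed stand-in for a public-key line; not a real key."""
    return "ssh-rsa " + base64.b64encode(tag.encode()).decode() + " constructed"

# Constructed sample: root's key copied to user1 and user2, user3 has its own.
SAMPLE = {"root": [fake_key("shared")], "user1": [fake_key("shared")],
          "user2": ['from="10.0.0.*" ' + fake_key("shared")], "user3": [fake_key("own")]}

if __name__ == "__main__":
    for fp, users in shared_keys(SAMPLE).items():
        print(fp, "present for:", ", ".join(users))
```

On a real host, run shared_keys(collect()) as root so every account's files are readable. The same fingerprint in several accounts' *.pub files means those accounts hold the same private key; the same fingerprint only in several authorized_keys files can be intentional and needs a manual look.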