Print Page | Close Window

Passwordless ssh login

Printed From: Zumasys
Category: AccuTerm
Forum Name: Connectivity
Forum Description: Questions about serial, modem, telnet and secure shell connections?
URL: https://forum.asent.com/forum_posts.asp?TID=2745
Printed Date: July 29 2021 at 7:50pm
Software Version: Web Wiz Forums 12.03 - http://www.webwizforums.com


Topic: Passwordless ssh login
Posted By: PSchellenbach
Subject: Passwordless ssh login
Date Posted: April 13 2021 at 3:48pm
Sometimes it is desired to have automatically log in a user when they open an AccuTerm session. This is possible using secure shell connections with public/private keys. The steps to do this are:

  • Create a new session (you can also modify an existing session file).
  • Select "secure shell" as the connection type.
  • In the connection settings, prepend the user name to the host name or host IP with an @. For example: joe@192.168.1.3
  • Select "public key" as the authentication method.
  • Create a key pair for the user. Do not use a password for the private key (you will receive a warning).
  • Save the public key on the host in the users ~/.ssh/authorized_keys file
Now when the user opens this session, AccuTerm will log the user in using the user name supplied in the host field, and authenticate the user using his private key.

There are security implications here, so beware. Anyone acquiring a copy of the user's private key will be able to log in to the server as that user without a password. AccuTerm normally stores private keys in the user's profile (C:\users\<username>\AppData\) directory, so if you trust Windows to provide secure access to this directory, the key should be adequately protected.






Replies:
Posted By: TonyG
Date Posted: June 04 2021 at 3:50pm
When using a key created by ssh-keygen or another utility, AccuTerm may return the following error messages. It's important to understand each message:

1) File is not a valid key!
2) Only OpenSSH and PUTTY format SSH2 RSA and DSA keys are supported.
3) OpenSSH keys must use 3DES or AES128 cipher:
4) encrypted PUTTY keys must use AES256 cipher.

Interpretation:
1) You may see this same error after it accepts the key, and later says it's an invalid "private key". The key may be valid for other clients, just not for AccuTerm.
2) Default key generation everywhere is probably SSH2 RSA. This line just provides a setup for the next two statements.
3) Note AES128 which is adequate for NSA "Secret" encryption.
4) AES256 is required for NSA "Top Secret". This is often a default but note that AccuTerm only allows 128 bits for OpenSSH (OpenSSL) keys, so a 256 bit key that isn't created with PuTTY will not be valid.

If you are creating keys with openssl and ssh-keygen, here is how to do it. This assumes Windows using "Git for Windows" with "Git BASH". I am not including details for adding comments or a passphrase.

I have not been able to use ssh-keygen by itself to generate an OpenSSH key that AccuTerm will use. For example, this does not work for me, perhaps someone can suggest an alternative:

> ssh-keygen -Z 3des-cbc -t rsa -b 4096 -f somename

However, the openssl command does work.

> winpty openssl genrsa -aes128 -out somename 4096

The 'winpty' part must be used in git bash due to an issue with passing stdin/stdout to openssl. If you are using another CLI then this may not be required.

Note the -aes128 spec to generate the 128bit AES cipher required for OpenSSH.

The -out spec says the following argument is the filename for the private key. In my experience it's best not to put an extension on this, like .prv or .ppk or .pvk (the latter two imply PuTTY which shouldn't be applied to an OpenSSH key). Lately I've been using my initials "tg". This can then be moved to any system that I use (and having had to move my keys around to different systems, that IS convenient). You may prefer to use the hostname of your client system, or to use the hostname of the server to which you connect.

The above command only creates the private key with no extension. You now need a public key that will be put into any system to which you SSH:

> ssh-keygen -y -f somename > somename.pub

http://man.openbsd.org/OpenBSD-current/man1/ssh-keygen.1" rel="nofollow - Detailed docs of each of those options.

The public key must now be put into the server so that it will trust the client with the private key (this is what Pete means with reference to the authorized_keys file in the server) :

> ssh-copy-id -i somename someuser@host

The server must accept password authentication for this operation - yes, that's a paradox when we're trying to SSH without a password. In these notes I prefer not to go into the options to make this happen.

With the server now aware of the client, use the info provided by Pete to configure AccuTerm to connect. When you are prompted for a password by ssh-copy-id, it's asking for the actual OS/user. Once you have the pubkey auth setup, when you connect in, if you get prompted for a password, it will be for the private key passphrase.

When using a key created by PuTTY (puttygen) you will find that the "old" key format (.pem) will not work, but "new" key format (.pvk) should work. If your .pvk private key does not open with AccuTerm, try just removing the extension. That worked for me at some point but I have not been able to reproduce the conditions.

Another anomaly to note: You may wonder why AccuTerm doesn't find a key you just created. Watch the folders. Accuterm looks for SSH key files by default in this folder:
C:\Users\youruserid\AppData\Roaming\Zumasys\atwin80\ssh\keys
But when using tools mentioned above, the keys are generally stored in or around:
C:\Users\youruserid\.ssh
Personally I would hope that AccuTerm would always default to looking in the last folder where it found a successful key.

I hope Pete can tell us the difference between "Load Existing Key" and "Import key" - I don't see a diff, except that Import does default to the last folder as noted above.

I hope that helps someone else to make use of this great feature that I enjoy every day. (Well, I enjoy it when I'm not fighting with servers over security, but after that ...

-------------
Tony Gravagno Nebula Research & Development
TG@ Nebula-RnD . com
http://Nebula-RnD.com/blog
http://Twitter.com/TonyGravagno
http://groups.google.com/group/mvdbms
https://www.linkedin.com/groups/64935



Print Page | Close Window

Forum Software by Web Wiz Forums® version 12.03 - http://www.webwizforums.com
Copyright ©2001-2019 Web Wiz Ltd. - https://www.webwiz.net