Ssh private keys without passphrase

From MinorFs Wiki


HOWTO

First make sure you have set a password for 2rulethemall.

We need to introduce MinorFs to our pseudo-persistent ssh process by invoking ssh. We let ssh try to use the nonexistent private key so that MinorViewFs learns about our new pseudo-persistent process. ssh will ask for a password; pressing CTRL-C at that point is fine.

  ~> ssh rob@bogus.polacanthus.net -i /mnt/minorfs/priv/home/id_rsa
  Warning: Identity file /mnt/minorfs/priv/home/id_rsa not accessible: No such file or directory.
  Password:

For security purposes you may want to disable your shell history at this point, since the commands that follow contain strongpaths.

Now that MinorViewFs has created the private storage for our pseudo persistent ssh process, we must use our admin tool to locate and disclose this directory:

  ~> 2rulethemall
  2rulethemall password:thisisabadpassword
  2rulethemall path=/mnt/minorfs/cap/3d5d3efbf73bb711e7a47f82a44f471fcf77c72e
  ~> grep ssh /mnt/minorfs/cap/3d5d3efbf73bb711e7a47f82a44f471fcf77c72e/*/*.xml
  /mnt/minorfs/cap/3d5d3efbf73bb711e7a47f82a44f471fcf77c72e/a3a0e537fb2b05e06cf653aa1514eca492792ee8/meta.xml:
  <file>/usr/bin/ssh</file>

We have found that in our case, /mnt/minorfs/cap/3d5d3efbf73bb711e7a47f82a44f471fcf77c72e/a3a0e537fb2b05e06cf653aa1514eca492792ee8/ is a path that gives access to 'all' instances of ssh (with the same parent chain and the same uid). For our '1st' instance we will need to use the 'inst1' subdirectory.

Remember that we are aiming for least authority, so we should stop using the powerful strongpath and instead get the strongpath for the inst1 directory. To do this we use the Linux attr tool to fetch the cap extended attribute of this directory:

  ~> attr -g cap /mnt/minorfs/cap/3d5d3efbf73bb711e7a47f82a44f471fcf77c72e/a3a0e537fb2b05e06cf653aa1514eca492792ee8/inst1
  Attribute "cap" had a 57 byte value for /mnt/minorfs/cap/3d5d3efbf73bb711e7a47f82a44f471fcf77c72e/a3a0e537fb2b05e06cf653aa1514eca492792ee8/inst1:
  /mnt/minorfs/cap/586026bc7cd37de3049711cddc2d60a0824dd3bd


We can now run ssh-keygen to generate the private key. Don't provide any passphrase!

  ~> ssh-keygen
  Generating public/private rsa key pair.
  Enter file in which to save the key (/home/rob/.ssh/id_rsa): /mnt/minorfs/cap/586026bc7cd37de3049711cddc2d60a0824dd3bd/id_rsa
  Enter passphrase (empty for no passphrase):
  Enter same passphrase again:
  Your identification has been saved in /mnt/minorfs/cap/586026bc7cd37de3049711cddc2d60a0824dd3bd/id_rsa.
  Your public key has been saved in /mnt/minorfs/cap/586026bc7cd37de3049711cddc2d60a0824dd3bd/id_rsa.pub.
  ~> cp /mnt/minorfs/cap/586026bc7cd37de3049711cddc2d60a0824dd3bd/id_rsa.pub .
  ~>

Now we are done with the administration strongpaths, so it's safe to turn the history back on. We can now move the id_rsa.pub file to the server:

  ~> scp id_rsa.pub rob@bogus.polacanthus.net:
  Password:
  id_rsa.pub                        100%  395     0.4KB/s   00:00
  ~> ssh rob@bogus.polacanthus.net
  rob@bogus:~% cp id_rsa.pub .ssh/authorized_keys
  rob@bogus:~% cp id_rsa.pub .ssh/authorized_keys2
  rob@bogus:~% logout
  ~>

Now we are done, and we can invoke ssh without a password and without a passphrase on our private key.

  ~> ssh rob@bogus.polacanthus.net -i /mnt/minorfs/priv/home/id_rsa
  rob@bogus:~%
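
The strongpath lookup and key generation steps above, gathered into one script. This is an added example, not part of MinorFs or of the original page; the function names are hypothetical, and it assumes the directory layout, meta.xml content and attr output shown in this HOWTO. It reads the 2rulethemall path from the terminal and touches strongpaths only through cd and redirections, so they end up in neither the shell history nor any command's arguments.

```shell
#!/bin/sh
# Added example (function names are hypothetical). Assumed layout, from this page:
#   <2rulethemall path>/<program dir>/meta.xml   contains <file>/usr/bin/ssh</file>
#   <program dir>/inst1                          carries the "cap" attribute

# Print each program directory under ROOT whose meta.xml names BINARY.
find_store() {
    root=$1 binary=$2
    for meta in "$root"/*/meta.xml; do
        [ -f "$meta" ] || continue
        if grep -qF "<file>$binary</file>" < "$meta"; then
            printf '%s\n' "${meta%/meta.xml}"
        fi
    done
}

# Reduce `attr -g cap DIR` output (stdin) to the strongpath on its last line.
cap_from_attr() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' | tail -n 1
}

# Interactive driver; strongpaths are only ever used via cd and redirections.
provision_key() {
    dest=$PWD
    nl='
'
    printf '2rulethemall path: ' >&2
    stty -echo; IFS= read -r root; stty echo; echo >&2
    store=$(find_store "$root" /usr/bin/ssh)
    # Refuse to guess when zero or several program directories match.
    case $store in
        ''|*"$nl"*) echo 'expected exactly one ssh entry' >&2; return 1 ;;
    esac
    cap=$(cd "$store/inst1" && attr -g cap . | cap_from_attr) || return 1
    case $cap in
        /mnt/minorfs/cap/?*) ;;
        *) echo 'unexpected cap attribute value' >&2; return 1 ;;
    esac
    # Empty passphrase, as the HOWTO instructs.
    (cd "$cap" && ssh-keygen -q -t rsa -N '' -f ./id_rsa) || return 1
    cat < "$cap/id_rsa.pub" > "$dest/id_rsa.pub"
}

if [ "${1:-}" = "--run" ]; then provision_key; fi
```

Run it with `--run` after ssh has been invoked once with the /mnt/minorfs/priv/home/id_rsa identity, and paste the path printed by 2rulethemall at the prompt; id_rsa.pub is left in the current directory for the scp step.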