Linux – Passwordless SSH not working from terminal as I get prompted for the RSA passphrase

Tags: linux, passphrase, rsa, ssh

We have set up a CentOS 6.4 box with passwordless SSH to multiple other systems. This works fine when using a terminal as the correct user directly on the CentOS computer. However, if I log into the CentOS box as one of those same users from another system, I get prompted for the RSA key passphrase. Why is this necessary when I am logged on as the correct user?

So, if we have three machines (A, B and C). A has been set up so it can passwordlessly connect to machine B over SSH. That works fine. However, if we SSH into A from machine C, and then from that remote SSH terminal attempt to SSH into B, this requires a password.

Machine A has scripts on it that access several other machines (passwordlessly). We need to be able to remotely log into machine A from Machine C, and then kick off the scripts which access machine B.

Best Answer

Your question is somewhat unclear. It appears that you are using a SSH key, but the SSH key is protected by a passphrase. But then it should actually ask you for that passphrase also when you are logged in directly.

What I would do:

  1. Create a special user (let's call it 'runscripts') on machine A which is used to run the scripts.
  2. For this user create a SSH key which is not encrypted by a passphrase.
  3. Configure sudo to allow "normal" users on machine A to execute these scripts with the user privileges of user 'runscripts' and without having to enter a password.

Here is a complete example how to set this up:

Create a new user which cannot be logged into (on my system this will also create a new group with the same name which I will use in the following):

# adduser --disabled-password runscripts

Become this user and create a ssh key. Don't set a passphrase on the key, just press enter on the passphrase prompt.

# su runscripts
$ ssh-keygen

Add the public key (in ~/.ssh/id_rsa.pub) to the authorized_keys on the target machine (machine B in your example), then shortly try the login by SSH key (which will also add the remote public key to the known_hosts, so that it will not prompt again later).

$ ssh remoteuser@remote.host

Back on machine A: Add the normal user account(s) to the group:

# adduser kju runscripts

Create some script which will use the SSH key and do something on B:

# cat > /usr/local/bin/script1
#!/bin/sh
echo -n "Running as "
whoami
ssh remoteuser@machineB whoami
^D
# chmod +x /usr/local/bin/script1

Finally allow the users in group runscripts to execute this script as user runscripts without a password. This is the line from /etc/sudoers:

%runscripts  ALL=(runscripts) NOPASSWD:/usr/local/bin/script1

Now as one of the users in group runscripts try to run the script:

$ sudo -u runscripts /usr/local/bin/script1
Running as runscripts
remoteuser
$

As you can see from this output, the script was executed as user runscripts. It then logged into Machine B as user 'remoteuser' and executed the 'whoami' command (which then of course returned 'remoteuser').

Doing it like this has the benefit that nobody shall be able to steal the (unprotected) SSH key, because it is only accessible as user runscripts, and people can only run the predetermined scripts with this user's privileges.
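A hardened variant of the script1 wrapper from the answer above, as an added example (this is not the answer author's code). It refuses to run unless invoked as the dedicated key-owning user, refuses a private key that is readable by group or other, and calls ssh with BatchMode=yes, which turns a missing agent or a passphrase-protected key into an immediate error rather than an interactive passphrase prompt (the symptom in the question: a desktop login on A usually has an ssh-agent holding the decrypted key, while a session reached over SSH from C does not). The user, host and path names are the answer's; the function names and the KEY_OWNER/KEY_FILE/TARGET variables are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original answer: hardened /usr/local/bin/script1.
# Assumed names: runscripts (key owner), remoteuser@machineB (target), id_rsa key.

KEY_OWNER="${KEY_OWNER:-runscripts}"
KEY_FILE="${KEY_FILE:-$HOME/.ssh/id_rsa}"
TARGET="${TARGET:-remoteuser@machineB}"

# Return 0 if the current effective user is the dedicated key owner.
running_as_key_owner() {
    [ "$(id -un)" = "$1" ]
}

# Return 0 only if the key file exists and has no group/other permission bits
# (mode 0600 or 0400). ssh itself rejects keys that are too open, but checking
# first gives a clearer message before any connection is attempted.
key_is_private() {
    [ -f "$1" ] || return 1
    # GNU stat first, BSD stat as fallback
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ssh command line that will be run, so it can be inspected/tested.
# BatchMode=yes disables all interactive prompts (password and passphrase),
# IdentitiesOnly=yes ignores any agent or other keys, and
# StrictHostKeyChecking=yes refuses unknown hosts instead of adding them.
build_ssh_cmd() {
    printf 'ssh -o BatchMode=yes -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes -i %s %s %s\n' "$1" "$2" "$3"
}

main() {
    if ! running_as_key_owner "$KEY_OWNER"; then
        echo "refusing to run: must be invoked as $KEY_OWNER (e.g. sudo -u $KEY_OWNER)" >&2
        return 2
    fi
    if ! key_is_private "$KEY_FILE"; then
        echo "refusing to run: $KEY_FILE missing or readable by group/other" >&2
        return 3
    fi
    # The remote command is fixed: the sudoers rule only restricts the script
    # path, so any arguments a caller passes are deliberately ignored.
    ssh -o BatchMode=yes -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes \
        -i "$KEY_FILE" "$TARGET" whoami
}

# Run main only when installed and executed as script1, so the functions can
# also be sourced for testing without opening a connection.
if [ "${0##*/}" = "script1" ]; then
    main "$@"
fi
```

Install it as /usr/local/bin/script1 owned by root and mode 0755, keep the sudoers rule from the answer, and run it with `sudo -u runscripts /usr/local/bin/script1`; a wrong invoking user or an over-permissive key now fails with a clear message, and a key that would need a passphrase fails instead of hanging on a prompt.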
