Passwordless SSH for Multiple Users, Including Root

Follow these instructions to enable automatic passwordless SSH into MyBookLive for multiple users (in addition to root). Other techniques posted online only let you set up the root account for automatic passwordless SSH, which is very limiting and, from a security perspective, very risky.

Passwordless SSH for multiple user accounts could be useful for the following purposes:

  • Using a non-root user gives greater security. Allowing automatic SSH into the MyBookLive root account from a local machine carries security risks, and a user may accidentally erase data on MyBookLive.
  • This approach is useful if you want to automatically log in to MyBookLive with certain user ids that have limited privileges, such as read-only access, and only on certain shares (folders).
  • This approach can be used to ensure that the login id in an unattended backup script only has write access to certain shares / folders.
  • Set up different accounts on your local machine to automatically log in to different MyBookLive shares using user ids that only have read privileges on those shares.

At the end of this post, I've attached a script that sets up passwordless SSH for multiple users, so you don't have to do these steps manually.


1) CONFIGURE MYBOOKLIVE FOR PASSWORDLESS SSH


First, login to mybooklive.

$ ssh root@mybooklive.local

Edit /etc/ssh/sshd_config.

$ nano /etc/ssh/sshd_config

Add users in the "# Authentication:" section, after "AllowUsers root", on the same line. Separate users with spaces. The user ids you list here must have previously been created using the MyBookLive web interface.

Example:

AllowUsers root john paul george ringo

Make sure the following lines are uncommented and set to "yes".

RSAAuthentication yes
PubkeyAuthentication yes

Make sure the following line is commented.

#AuthorizedKeysFile     %h/.ssh/authorized_keys

Then add the following line just below it.

AuthorizedKeysFile     .ssh.%u.authorized_keys

Finally, type <CTRL><X>, then <Y>, then <Enter>, to save and exit.

Note that after the above change to AuthorizedKeysFile, public keys stored in /root/.ssh/authorized_keys or /shares/.ssh/authorized_keys will no longer be used.

Restart the ssh service.

$ /etc/init.d/ssh restart

2) GENERATE PUBLIC AND PRIVATE KEYS


Log in to the local machine using a user account for which you would like to enable passwordless SSH to MyBookLive.

Note that this local user does not have to exist on MyBookLive. However, after completing these instructions, this account will be able to log into MyBookLive as a user that does exist on MyBookLive. (Of course, users that exist on MyBookLive must have previously been created using the web interface.)

Open a terminal and enter the following to create public and private keys. Remember to replace all occurrences of <mybooklive_user> below with the user id of the user that you want to log in as. Again, this must be a user that already exists on MyBookLive and was added to the AllowUsers line of /etc/ssh/sshd_config. Repeat this step for each user you want to log into MyBookLive as.

ssh-keygen -t rsa -N '' -f ~/.ssh/<mybooklive_user>.mybooklive.local.rsa -C <mybooklive_user>@mybooklive.local

Please note that keys are generated without a passphrase. This is considered less secure than generating keys with a passphrase, but we do not want to be prompted for a passphrase during automatic login (this would defeat the purpose).

For example, to automatically login to MyBookLive with the user id "ringo", the command will look like this.

ssh-keygen -t rsa -N '' -f ~/.ssh/ringo.mybooklive.local.rsa -C ringo@mybooklive.local

If you would like to enable automatic SSH for the MyBookLive root user, create the public and private keys using the following command.

ssh-keygen -t rsa -N '' -f ~/.ssh/root.mybooklive.local.rsa -C root@mybooklive.local

3) COPY THE PUBLIC KEYS TO MYBOOKLIVE


Make sure you are still logged into the local machine using a user account for which you would like to enable passwordless SSH to MyBookLive.

Copy only the public keys to your MyBookLive using the following command in a terminal. Then append the public key to a file called .ssh.<mybooklive_user>.authorized_keys, set the ownership and permissions for this authorized keys file, and remove the original <mybooklive_user>.mybooklive.local.rsa.pub file. Do the following for each user you want to log into MyBookLive as. Be sure to replace <mybooklive_user> below with the user id of the user that you want to log in as. Note that you must use the public keys (that end in .pub) in this step. You will be required to enter the password for root on MyBookLive.

scp ~/.ssh/<mybooklive_user>.mybooklive.local.rsa.pub root@mybooklive.local:/shares/

ssh root@mybooklive.local "\
cat /shares/<mybooklive_user>.mybooklive.local.rsa.pub >> /shares/.ssh.<mybooklive_user>.authorized_keys; \
chown <mybooklive_user>:share /shares/.ssh.<mybooklive_user>.authorized_keys; \
chmod a-rwx,u=rw /shares/.ssh.<mybooklive_user>.authorized_keys; \
rm /shares/<mybooklive_user>.mybooklive.local.rsa.pub"

(Note that if you already have public keys stored in /shares/.ssh/authorized_keys, these keys will no longer be used. If you need to continue to use them, you can manually append the contents of /shares/.ssh/authorized_keys to /shares/.ssh.<mybooklive_user>.authorized_keys for the appropriate user.)

If you would like to login as the MyBookLive root user, this is a special case, since the public key file for root must be placed in the /root folder. (For other users, the public key file is placed in the /shares folder). To enable passwordless SSH for root, execute the following in a terminal.

scp ~/.ssh/root.mybooklive.local.rsa.pub root@mybooklive.local:/root/

ssh root@mybooklive.local "\
cat /root/root.mybooklive.local.rsa.pub >> /root/.ssh.root.authorized_keys; \
chown root:root /root/.ssh.root.authorized_keys; \
chmod a-rwx,u=rw /root/.ssh.root.authorized_keys; \
rm /root/root.mybooklive.local.rsa.pub"

(Note that if you already have public keys stored in /root/.ssh/authorized_keys, these keys will no longer be used. If you need to continue to use them, you can manually append the contents of /root/.ssh/authorized_keys to /root/.ssh.root.authorized_keys.)


4) VERIFY PUBLIC KEYS ON MYBOOKLIVE


First, login to mybooklive.

$ ssh root@mybooklive.local

Verify that your authorized key files were created.

ls -la /shares/.ssh*

Your output should look something like this. Notice that each user only has read and write permissions to his/her respective authorized_keys file.

-rw------- 1 john     share 1221 Jun  4 23:29 .ssh.john.authorized_keys
-rw------- 1 paul     share  405 Jun  4 19:41 .ssh.paul.authorized_keys
-rw------- 1 george   share 1221 Jun  4 23:29 .ssh.george.authorized_keys
-rw------- 1 ringo    share  405 Jun  4 19:41 .ssh.ringo.authorized_keys

Confirm that the public keys match the public keys generated in step 2. You can list the public keys on MyBookLive using the following command.

echo; for file in /shares/.ssh.*; do echo; echo "$file..."; echo; cat "$file"; done; echo

If you enabled passwordless SSH for the MyBookLive root user, verify that your authorized key file was created.

ls -la /root/.ssh*

Your output should look something like this. Notice that only root has read and write permissions to the authorized_keys file.

-rw------- 1 root      root   1221 Jun  4 23:50 .ssh.root.authorized_keys

For root, confirm that the public key matches the public key generated in step 2. You can list the public key on MyBookLive using the following command.

cat /root/.ssh*
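The manual checks in steps 1, 3 and 4 can be scripted. The following audit helper is an added example, not part of the original post: run on MyBookLive as root, it checks that sshd_config carries the step 1 settings and that a user's .ssh.<user>.authorized_keys file has the owner, mode and contents the post expects. Paths, the per-user file name and the "share" group are the post's; the function names are this example's own.

```shell
#!/bin/sh
# Audit helper added as an example; not part of the original instructions.
# Run on MyBookLive as root after steps 1 to 4.

# Print the effective value of one sshd_config directive: the first uncommented
# occurrence wins, which is also how sshd applies the file.
sshd_value() {
    # $1 = config file, $2 = directive name (matched case-insensitively)
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Check the step 1 settings and that user $2 appears in AllowUsers.
# Prints one line per problem found; returns 0 only when everything is in place.
check_sshd_config() {
    cfg="$1"; user="$2"; rc=0
    [ "$(sshd_value "$cfg" PubkeyAuthentication)" = "yes" ] ||
        { echo "PubkeyAuthentication is not set to yes"; rc=1; }
    [ "$(sshd_value "$cfg" AuthorizedKeysFile)" = ".ssh.%u.authorized_keys" ] ||
        { echo "AuthorizedKeysFile is not .ssh.%u.authorized_keys"; rc=1; }
    case " $(sshd_value "$cfg" AllowUsers) " in
        *" $user "*) ;;
        *) echo "$user is missing from AllowUsers"; rc=1 ;;
    esac
    return $rc
}

# Check the per-user key file written in step 3 under home directory $1 for
# user $2: it must exist, be owned by that user, be mode 0600 (so sshd's
# StrictModes accepts it) and hold at least one ssh-rsa key. The group is not
# checked because the post uses "share" for ordinary users and "root" for root.
check_authorized_keys() {
    file="$1/.ssh.$2.authorized_keys"; rc=0
    [ -f "$file" ] || { echo "$file does not exist"; return 1; }
    owner=$(ls -l "$file" | awk '{ print $3 }')
    mode=$(ls -l "$file" | cut -c1-10)
    [ "$owner" = "$2" ] || { echo "$file is owned by $owner, not $2"; rc=1; }
    [ "$mode" = "-rw-------" ] || { echo "$file has mode $mode, expected -rw-------"; rc=1; }
    grep -q '^ssh-rsa ' "$file" || { echo "$file contains no ssh-rsa key"; rc=1; }
    return $rc
}

# Usage on MyBookLive:  ./audit.sh ringo        (checks /shares/.ssh.ringo.authorized_keys)
#                       ./audit.sh root /root   (checks /root/.ssh.root.authorized_keys)
if [ $# -gt 0 ]; then
    check_sshd_config /etc/ssh/sshd_config "$1"
    check_authorized_keys "${2:-/shares}" "$1"
fi
```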

5) TEST PASSWORDLESS SSH


Make sure you are logged into the local machine using a user account from which you enabled passwordless SSH to MyBookLive.

Execute the following in a terminal.

$ eval `ssh-agent`

Repeat the following for each user you want to log into MyBookLive as. Note that ssh-add takes the private key file (the one without the .pub extension) in this step.

$ ssh-add ~/.ssh/<mybooklive_user>.mybooklive.local.rsa

If you want to log in as root on MyBookLive, execute the following.

$ ssh-add ~/.ssh/root.mybooklive.local.rsa

Finally, test your passwordless SSH logins.

$ ssh <mybooklive_user>@mybooklive.local
$ exit

For example,…

$ ssh john@mybooklive.local
$ exit

$ ssh ringo@mybooklive.local
$ exit

$ ssh paul@mybooklive.local
$ exit

$ ssh root@mybooklive.local
$ exit

6) AUTOMATICALLY LOGIN FROM THE LOCAL MACHINE


After these steps, you should be able to automatically log in to MyBookLive using all of the users you have set up.
If you encounter an "Agent admitted failure to sign using the key" error, execute the following before trying to SSH into MyBookLive.

Make sure you are logged into the local machine using a user account from which you enabled passwordless SSH to MyBookLive.

Execute the following in a terminal. (The last line should be repeated for each user; remember to replace <mybooklive_user> with the user id).

$ eval `ssh-agent`
$ ssh-add ~/.ssh/<mybooklive_user>.mybooklive.local.rsa
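Instead of loading every key into ssh-agent as in steps 5 and 6, the client can be told which key belongs to which MyBookLive user through ~/.ssh/config. The script below is an added example, not part of the original post: it writes one Host stanza per user, using the key file names from step 2, and sets IdentitiesOnly so the client offers only that user's key rather than every key the agent holds. The host alias format (<user>-mybooklive) and the SSH_CONFIG variable are this example's own choices.

```shell
#!/bin/sh
# Added example: generate ~/.ssh/config stanzas for the MyBookLive users set up
# in steps 2 and 3. Not part of the original post.

# Print a client config stanza for one MyBookLive user id ($1). With
# IdentitiesOnly the client sends only this key, so other loaded keys are not
# disclosed to the server and MaxAuthTries is not consumed by wrong keys.
stanza_for() {
    printf 'Host %s-mybooklive\n' "$1"
    printf '    HostName mybooklive.local\n'
    printf '    User %s\n' "$1"
    printf '    IdentityFile ~/.ssh/%s.mybooklive.local.rsa\n' "$1"
    printf '    IdentitiesOnly yes\n\n'
}

# Append a stanza for every user id given as an argument to the config file
# named in $SSH_CONFIG (default ~/.ssh/config), skipping aliases already there.
add_stanzas() {
    cfg="${SSH_CONFIG:-$HOME/.ssh/config}"
    mkdir -p "$(dirname "$cfg")"
    touch "$cfg"; chmod 600 "$cfg"
    added=0
    for u in "$@"; do
        if grep -q "^Host $u-mybooklive\$" "$cfg"; then
            echo "skipping $u: stanza already present in $cfg"
        else
            stanza_for "$u" >> "$cfg"
            added=$((added + 1))
        fi
    done
    echo "$added stanza(s) added to $cfg"
}

# Usage: ./mybooklive_ssh_config.sh john paul george ringo root
#        then:  ssh ringo-mybooklive
if [ $# -gt 0 ]; then
    add_stanzas "$@"
fi
```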

SCRIPT FOR PASSWORDLESS SSH FOR MULTIPLE USERS


Below is a script to perform the above steps automatically.
The first part of the script guides you through the changes you need to make on MyBookLive to actually permit passwordless SSH for your users. You can run this script as many times as you need. The script must be run on the machine you need to connect from. You can run this script on as many machines as you need.

Depending on your Linux distribution and environment settings, after running the script you may need to set up the environment variables as follows each time you try to connect automatically. (Alternatively, you could just add this to your .profile file.)

eval `ssh-agent`
ssh-add ~/.ssh/<mybooklive_user_id>.mybooklive.local.rsa

To use the script, copy the code below and save it in a file called setup_passwordless_ssh_to_mybooklive.sh. Make the script executable by typing chmod +x ./setup_passwordless_ssh_to_mybooklive.sh. Then execute the script by typing ./setup_passwordless_ssh_to_mybooklive.sh <mybooklive_user_id>. Remember to replace the <mybooklive_user_id> argument with the user id of the user that you want to log in as.

#!/bin/bash

# setup_passwordless_ssh_to_mybooklive.sh
# P. Singh (C) 2014
# GPL v3 https://gnu.org/licenses/lgpl.txt

# Usage:   ./setup_passwordless_ssh_to_mybooklive.sh [mybooklive_user_id]
#
#          mybooklive_user_id - The user id on the remote machine that you want
#                               to login as.  This is an optional argument.  If
#                               a remote user id is not supplied, the user id of
#                               the current user on the local machine is used.
#
# Example: ./setup_passwordless_ssh_to_mybooklive.sh
#          ./setup_passwordless_ssh_to_mybooklive.sh mickeymouse
#
# This script sets up passwordless SSH to mybooklive from the current account,
# for the specified user id, or for the local user id, if no remote MyBookLive
# user id is specified.
#
# Before executing this script, make sure you have enabled SSH on your
# MyBookLive using the web interface.  You will be required to enter the
# MyBookLive root user password three times as this script runs.
#
# You must execute this script from the account of the user on the local host
# who should get passwordless access to MyBookLive.
#
# This script performs the following steps:
#
# Step 1: Provide instructions to configure MyBookLive for passwordless SSH for
#         multiple users.
# Step 2: Generate public and private keys using ssh-keygen on the local host.
# Step 3: Copy the generated public key to MyBookLive.
# Step 4: Test passwordless SSH to MyBookLive.

################################################################################
# GET THE MYBOOKLIVE USER ID INPUT                                             #
################################################################################

# Check if a user id was supplied.
if [ -z "$1" ]; then
    # A remote user id was not supplied.
    # Public and private keys will be created using the current user id.
    mybooklive_user_id=`whoami`
    echo
    echo "A user id was not supplied, so passwordless SSH to MyBookLive will be setup for user id $mybooklive_user_id."
else
    # A remote user id was supplied.
    # Public and private keys will be created using the supplied remote user id.
    mybooklive_user_id=$1
    echo
    echo "Passwordless SSH to MyBookLive will be setup for user id $mybooklive_user_id."
fi

# Check if the user id is root.
if [ "$mybooklive_user_id" = "root" ]; then
    # If the user id is root, then set the home folder to /root.
    home_folder="root"
else
    # If the user id is not root, then set the home folder to /shares.
    home_folder="shares"
    echo "In the next step, ensure that $(tput setaf 1)$mybooklive_user_id$(tput sgr0) is listed in the AllowUsers section of /etc/ssh/sshd_config."
fi

################################################################################
# (1) CONFIGURE MYBOOKLIVE FOR PASSWORDLESS SSH                                #
################################################################################

echo
echo "$(tput bold)Configure MyBookLive as follows...$(tput sgr0)"
echo
echo "1. Add SSH users and specify the location to search for authorized keys."
echo
echo "   $ $(tput setaf 2)nano /etc/ssh/sshd_config$(tput sgr0)"
echo
echo "     a. Ensure that $mybooklive_user_id is added to the list of SSH users; for example:"
echo
if [ "$mybooklive_user_id" = "root" ]; then
    echo "        $(tput setaf 2)AllowUsers root john paul george ringo$(tput sgr0)"
else
    echo "        $(tput setaf 2)AllowUsers root john paul george ringo $mybooklive_user_id$(tput sgr0)"
fi
echo

echo "     b. Ensure the existing AuthorizedKeysFile line is commented-out as shown:"
echo
echo "        $(tput setaf 2)#AuthorizedKeysFile     %h/.ssh/authorized_keys$(tput sgr0)"
echo
echo "     c. Add a new entry for AuthorizedKeysFile immediately below it, as shown:"
echo
echo "        $(tput setaf 2)AuthorizedKeysFile     .ssh.%u.authorized_keys$(tput sgr0)"
echo
echo "     d. Save changes..."
echo
echo "        $(tput setaf 2)<CTRL><x>, <y>, <Enter>$(tput sgr0)"
echo
echo "2. Restart the SSH service."
echo
echo "   $ $(tput setaf 2)/etc/init.d/ssh restart$(tput sgr0)"
echo "$(tput sgr0)"
echo "Please enter the $(tput setaf 1)MyBookLive root$(tput sgr0) user password to log into MyBookLive."
echo "Perform the steps shown above, and then type $(tput setaf 1)exit$(tput sgr0) to continue."
echo
ssh root@mybooklive.local

################################################################################
# (2) GENERATE PUBLIC AND PRIVATE KEYS                                         #
################################################################################

echo
echo "$(tput bold)Generating the public and private keys for $mybooklive_user_id...$(tput sgr0)"
echo
rm -rf ~/.ssh/$mybooklive_user_id.mybooklive.local.rsa*
ssh-keygen -t rsa -N '' -f ~/.ssh/$mybooklive_user_id.mybooklive.local.rsa -C "`whoami`@`hostname`.local to $mybooklive_user_id@mybooklive.local"
echo
echo "."; sleep 1; echo "."; sleep 1; echo "."
echo "Generated public  key: ~/.ssh/$mybooklive_user_id.mybooklive.local.rsa.pub"
echo "Generated private key: ~/.ssh/$mybooklive_user_id.mybooklive.local.rsa"
echo

################################################################################
# (3) COPY THE PUBLIC KEY TO MYBOOKLIVE                                        #
################################################################################

echo
echo "$(tput bold)Copying the public key for user $mybooklive_user_id to MyBookLive...$(tput sgr0)"
echo
echo "Please enter the $(tput setaf 1)MyBookLive root$(tput sgr0) user password."
scp ~/.ssh/$mybooklive_user_id.mybooklive.local.rsa.pub root@mybooklive.local:/$home_folder/
echo
echo "."; sleep 1; echo "."; sleep 1; echo "."
echo "Finished copying the public key for $mybooklive_user_id to MyBookLive."
echo
echo
echo "$(tput bold)Adding the public key for user $mybooklive_user_id to MyBookLive...$(tput sgr0)"
echo
echo "Please enter the $(tput setaf 1)MyBookLive root$(tput sgr0) user password (again)."
ssh root@mybooklive.local "\
cat /$home_folder/$mybooklive_user_id.mybooklive.local.rsa.pub >> /$home_folder/.ssh.$mybooklive_user_id.authorized_keys; \
chown $mybooklive_user_id:share /$home_folder/.ssh.$mybooklive_user_id.authorized_keys; \
chmod a-rwx,u=rw /$home_folder/.ssh.$mybooklive_user_id.authorized_keys; \
rm /$home_folder/$mybooklive_user_id.mybooklive.local.rsa.pub"
echo "."; sleep 1; echo "."; sleep 1; echo "."
echo
echo "Finished adding the public key for $mybooklive_user_id to MyBookLive."
echo

################################################################################
# (4) TEST PASSWORDLESS SSH                                                    #
################################################################################

echo
echo "$(tput bold)Testing automatic SSH on MyBookLive...$(tput sgr0)"
echo
echo "You will automatically be logged into MyBookLive as user $mybooklive_user_id without being requested to enter a password."
echo "If the test is successful, you will need to type $(tput setaf 1)exit$(tput sgr0) to logout of MyBookLive."
echo
echo "."; sleep 1; echo "."; sleep 1; echo "."
eval `ssh-agent`
ssh-add ~/.ssh/$mybooklive_user_id.mybooklive.local.rsa
echo
ssh $mybooklive_user_id@mybooklive.local
echo
echo "$(tput bold)Done setting up passwordless SSH to MyBookLive for user $mybooklive_user_id from local account `whoami`.$(tput sgr0)"
echo
echo "You can re-run this script to enable passwordless SSH to other user accounts on MyBookLive."
echo

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License