Smooth SSH Passwordless Authentication

Constantinos — Tue, 05 Feb 2008 14:36:17 +0000

This post first appeared on the Voodoo Finance blog which is maintained by my friend Constantinos Michael, and I’m recreating it here with some extensions so I can find the code more easily when I need it.

Using computers remotely is a big part of what I do. Whether I’m at home and need to connect to a computer in the lab, or in the lab or the road and need to connect to my home computer. The way I (and pretty much most other linux users) is through SSH. If you’ve ever had to open more than one ssh connection however, it gets old pretty quickly. First you need to remember the host (and potentially the port, if it’s not standard) of the machine you’re connecting to, and also your username on that machine. After those are typed in, you need to enter your password every time you initiate a new connection. Well, all of the above can be automated with a few quick keystrokes in the terminal.

The first step is to generate an SSH key pair. This private / public key pair will be used to authenticate you on the target machine. As it’s using an RSA key pair, you can probably leave the passphrase empty as the attacker would first need access to your private key. If you’re really paranoid, you can type in an easy password (but you’ll need to type this password in every time you use the key). To generate this key, type the following in a terminal window:

ssh-keygen -t rsa

After this is done, you’re ready to install this key on any remote machine you wish to access. Before you do that however, I suggest setting up some aliases to the target machine so you don’t have to type the host and username every time you wish to log in. To do that, you need to edit (or create) a file called ~/.ssh/config. In this file, you can enter a block of text for each host you wish to create an alias for. You can add as many hosts you want, just make sure there’s an empty line between each configuration. This is an example of what needs to go in this file:

host lab
user admin
HostName www.example.com
port 12345

There are many more options that can go in there, and it mostly depends on your setup. But for anything that you don’t need to specify in the ssh command line, you don’t need to add an option for in this file. For example with the text I provided above, when you type ssh lab in the command line, it will try to connect to www.example.com using the username admin on port 12345. This would be equivalent to typing ssh admin@www.example.com -oPort=12345. Much easier, isn’t it?

Now on to the juicy stuff. Create a script that will install your key on the remote machine. To do that, paste these instructions in the terminal:

sudo touch /usr/bin/ssh-install-key ;
sudo chmod a+w /usr/bin/ssh-install-key
echo "cat ~/.ssh/id_rsa.pub | ssh \${1} \"cat - >> ~/.ssh/authorized_keys\"" \
     > /usr/bin/ssh-install-key
sudo chmod a-w+x /usr/bin/ssh-install-key

At this stage, you’re done with the setup. All you need to do is type

ssh-install-key lab

in the terminal window (assuming you’ve set up the above config file with a host called lab), enter your password as many times as you’re prompted, and you’re done! Every subsequent time you wish to connect to this machine, all you need to do is type ssh lab, and you’re immediately connected, no questions asked! (Unless of course you provided a passphrase for your key pair, in which case you will be prompted for that password).

Bandwidth throttling in OS X

Constantinos — Sat, 19 Jan 2008 14:27:52 +0000

It’s been a while since my last post, and that’s because I’ve been busy with coursework, so I haven’t had time to mess around with OS X. However there was one feature I needed to figure out out of necessity if anything else. I have certain files I wish to freely share with some friends of mine, and the easiest way for me to do that was put them on my local web server and serve them over http. The only problem with this approach, is that the university has a weekly data transfer limit of 5Gb per week during peak hours, those being between 6pm and midnight. Additionally, local traffic doesn’t count towards that limit, and if that limit is exceeded then my Internet would be blocked and limited to only the local network for the remainder of that week.

Therefore, the solution I was looking for would not require me to turn off my web server (as I’d like to still access it locally), and would ideally simply limit the outgoing traffic automatically between those two times.

One aspect that made this particular solution usable, was the fact that port 80 is firewalled from the external world. This means that if I want to run a web server on my local machine accessible from the outside, I have to do it on a different port. Therefore I use port 80 to access the web server locally, and port 8080 to access it from the outside. This gives me a dedicated point of entry for the traffic that I wish to limit the bandwidth.

The solution is fairly simple, and involves only two tools: cron, for enabling and disabling the filter at specific times, and ipfw for actually setting up the filters. The idea is this: create a pipe using ipfw that limits outgoing traffic on port 8080 to a specified rate (let’s say 15KByte/s), and using a cron job add the pipe to my network interface at 6pm, and delete it at midnight. That’s it! Theoretically you only have to create the pipe once, but in order to have this survive across restarts, I added another cron job at 5:59pm that re-creates the pipe. The full contents of the crontab file (located at /etc/crontab) are as follows:

# Set the bandwidth limit at 5:59pm
59 17	* * *	root	/sbin/ipfw pipe 1 config bw 15KByte/s
# Add the bandwidth limit to the specified port at 6:00pm
0 18	* * *	root	/sbin/ipfw add 1 pipe 1 src-port 8080
# Lift the bandwidth limit at 12:00am
0 0	* * *	root	/sbin/ipfw delete 1

The problem with this is if the computer boots up or reboots after 6pm and before midnight, the filters will not be set. The solution is to use anacron for executing the ipfw commands, But as I rarely shut down or reboot my computer, it wasn’t worth it for me to make that happen. If I do make those modifications, I will post an update here. Also note that the ipfw commands need to be executed as root.

Voodoo Programming » Script

Smooth SSH Passwordless Authentication

Bandwidth throttling in OS X