1

I have two machines: Host1 and Host2 that are connected to the public internet but they are also connected through a private LAN (so both hosts have a public IP and a private IP).
- Host1: 192.168.0.1
- Host2: 192.168.0.2

I need to automate an SSH session from Host1 to Host2 (i.e. no password prompt). But due to security reasons I need this (the automated login) to work just for a specific user trying to connect through the private LAN only.

For example:
if user john@Host2 is trying to connect from Host1 through the private LAN (i.e. the connection is coming from 192.168.0.1), then allow that connection to use some sort of authentication key and don't prompt for a password.
If the connection is not coming from the private LAN, then don't allow an automated login (i.e. a password must be entered).

I'll appreciate some detailed directions on how to set this up.
Thanks.

Followup:

Looking at the links given, what I've seen so far is that every solution requires to manually enter some kind of security key either at login time (for the ssh-agent thing) or after rebooting the machine (when using keychain).

Is it actually possible to automate an SSH session that works no matter if the machine has been rebooted or not?

I'm starting to believe the only way is automatically entering the password using some tool when SSH requests it... and problem solved.

Dennis Williamson
  • 60,515
  • 14
  • 113
  • 148
GetFree
  • 1,460
  • 7
  • 23
  • 37

3 Answers3

2

To answer your followup question, if you create your SSH keypair without a password, then you would not need to enter the password to connect the servers.

You would add the pubkey in .authorized_keys according to this paragraph:

Key Access Limits

As an optional step to limit usage of the public key for access to any servers, a from statement can be used before public key entries in the ~/.ssh/authorized_keys file on the servers to limit where the client system is permitted to access the server from. Without a from limit, any client system with the appropriate private key data will be able to connect to the server from anywhere. If the keypair should only work when the client system is connecting from a host under example.org, set from="*.example.org" before the public key data.

server$ cat ~/.ssh/authorized_keys
from="*.example.org" ssh-rsa AAAAB3NzaC1…

In the "from" you would put your local interface IP address(es). Using that plus a combination of using an ssh key without a password (which is not best practices, but for most systems will work fine), will accomplish what you are looking for.

Dave Drager
  • 8,315
  • 28
  • 45
  • That seems to be the less unsecure solution so far. What vulnerabilities would it have if I dont limit the use of the key to a specific IP?? – GetFree Sep 18 '09 at 23:10
  • If you don't limit the "from" part, then any client which has your private key file would be able to log into the system. The "from" line is to add the security of limiting which hosts can use that key, so that if for some reason it "gets out" then unless they are connecting from a host in the "from=" line, the key would be useless. – Dave Drager Sep 21 '09 at 12:56
1

This can be done using ssh keys.

How do you setup ssh to authenticate using keys instead of a username / password?

Community
  • 1
theotherreceive
  • 8,235
  • 1
  • 30
  • 44
1

You can limit the accteptable address from where a key-based login can be used.

See the section on Key Access Limits here.

Sven
  • 97,248
  • 13
  • 177
  • 225