Hack 36. Konquer Remote Systems Without Passwords
powerful protocol connections without being bothered by password
requests.

You might already be familiar with the KDE wallet system. The KDE
wallet saves usernames and passwords for you so that you don't have to
enter them each time you access a site that requires them. You can use
the wallet to store your usernames and passwords for use with the
various protocols available with Konqueror, including FISH, SFTP, etc.,
but you still have to type a password to use the wallet each time.

Here's a better way to save yourself the time involved in typing
passwords to access remote sites with the SSH protocols that Konqueror
uses (such as FISH and SFTP).

SSH normally requires a username and password. But SSH also supports a
public and private key mechanism that lets you bypass the password
without opening a security hole. Here is how the two keys are related.
Your private key gives you access to any remote accounts that already
have your matching public key. But the reverse is not true. Remote
users with a copy of your public key cannot use the public key to
access your account on your local machine.

Suppose you have an account under the username daggett. Here's how to
create an SSH key that can be used to authenticate your user account on
other systems:
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/daggett/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/daggett/.ssh/id_rsa.
Your public key has been saved in /home/daggett/.ssh/id_rsa.pub.
The key fingerprint is:
cd:f5:43:e5:62:16:53:1a:8c:8c:13:3b:5c:28:cc:5b daggett@<yourlocalhost>

Press Enter when prompted for information on where to save the key.
You'll be asked for a passphrase for the account. Just press Enter all
the way through the next series of prompts. This process creates both a
private key and a public key. The SSH key is saved to the .ssh
directory in the example user daggett's home directory.

command makes an SSH connection to the remote server norbert, creates
a .ssh directory in your user's home directory, and sets read-only
permissions on it:
$ ssh norbert "mkdir .ssh; chmod 0700 .ssh"
Password:

Type in the password for the user account you are connecting with and
press Enter. Then copy your public key to the newly created .ssh
directory and name it authorized_keys2 with this command:
$ scp .ssh/id_rsa.pub norbert:.ssh/authorized_keys2
Password:

Once again, type in the password for the user account on the remote
system and press Enter.

From this point forward, you should be able to enter your equivalent of
the location sftp://daggett@norbert in Konqueror, and you should be
taken immediately to your home directory on the server without having
to enter a password. Similarly, you should be able to enter the
equivalent of the FISH protocol, such as fish://daggett@norbert, which
will take you to your home directory on norbert without asking for a
password.
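
The scp step above replaces any authorized_keys2 file that already exists on the server, which drops keys that were installed earlier. As an added example (not from the original text), this shell function does the server-side install by appending instead and enforces owner-only modes; install_pubkey and mode_of are hypothetical names, and the key in the demo is constructed.

```shell
#!/bin/sh
# Added example: install_pubkey and mode_of are hypothetical helper names.
# The file name authorized_keys2 follows the text above.

install_pubkey() {
    home_dir=$1      # home directory of the account receiving the key
    pubkey_file=$2   # the .pub file, never the private id_rsa
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys2"

    # Shape check only: one line that starts like an OpenSSH public key.
    # A multi-line private key file is rejected here.
    [ $(wc -l < "$pubkey_file") -le 1 ] || return 2
    key_line=$(cat "$pubkey_file")
    case $key_line in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) return 2 ;;
    esac

    # Create missing pieces under a restrictive umask, then force the modes
    # in case the directory or file already existed with looser ones.
    old_umask=$(umask)
    umask 077
    mkdir -p "$ssh_dir"
    touch "$auth_file"
    umask "$old_umask"
    chmod 700 "$ssh_dir"    # owner-only rwx
    chmod 600 "$auth_file"  # owner-only rw

    # Append instead of overwrite, and only if the key is not already there.
    if ! grep -qxF -- "$key_line" "$auth_file"; then
        printf '%s\n' "$key_line" >> "$auth_file"
    fi
}

# Permission string of a path, e.g. drwx------
mode_of() { ls -ld "$1" | cut -c1-10; }

# Demo on a throwaway directory with a constructed (not real) key.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'ssh-rsa AAAAconstructedKEY daggett@localhost' > "$tmp/id_rsa.pub"
    install_pubkey "$tmp/home" "$tmp/id_rsa.pub"
    install_pubkey "$tmp/home" "$tmp/id_rsa.pub"   # second run adds nothing
    echo "$(mode_of "$tmp/home/.ssh") $(wc -l < "$tmp/home/.ssh/authorized_keys2") key(s)"
    rm -rf "$tmp"
}
demo
```

Run on the server against the target account's home directory, it leaves keys that other people installed in place.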
5.3.1. Dealing with Split Personalities
Suppose your username on the remote server is different from your
username on your local server. Or perhaps you are an administrator and
want to set yourself up with instant access to another user's account.

The procedure to follow in both of these scenarios is almost identical
because the principle is the same, regardless of the username on the
remote server. As long as the user on the remote server has your public
key stored in the ~/.ssh/authorized_keys2 file, you can log in to that
account without supplying a password.

The only differences in the procedure are that you must supply the
different username during parts of the procedure and, most important of
all, you must know the password for the account on the server with the
username that is different from your username on your workstation. That
is what protects the users on the server from enabling you to plant
your public key in their home directories so that you'll have free
access to their files.

Even if your username on the server is different from your username on
your local machine, you must still create a public and private key
using the ssh-keygen -t rsa command, and press Enter when prompted for
passwords. If you have already created a public and private key and you
intend to give yourself access to another account to which you have the
proper rights, you can skip that step.

Here's how to deal with the fact that the username on the server is
different from your local username. When you create the .ssh directory
on the remote machine, specify the remote username in combination with
the server name, separated by the @ symbol. Assume your username on the
server is oxnard. This is the command to create the directory for
oxnard on norbert:
$ ssh oxnard@norbert "mkdir .ssh; chmod 0700 .ssh"
Password:

Type in the password for the oxnard user account you are connecting
with and press Enter. Then copy your public key to the newly created
.ssh directory and name it authorized_keys2. Once again, combine the
remote username with the server name, separated by the @ symbol:
$ scp .ssh/id_rsa.pub oxnard@norbert:.ssh/authorized_keys2
Password:

Now type in the password for the oxnard user account on the remote
system and press Enter.

When you want to access the oxnard account using the FISH or SFTP
protocol from Konqueror, take the same approach as you did when you
used your local username, substituting your remote username. For
example, use sftp://oxnard@norbert to use SFTP to connect to your
oxnard home directory on the remote server without using a password,
and use fish://oxnard@norbert to use FISH to connect to the remote
server without using a password.
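
Because any account that holds your public key accepts your private key, an administrator can check which accounts on a server trust a given key. This added example (not part of the original text) compares the key data itself, not the trailing comment, which is free text; accounts_trusting_key is a hypothetical name and the sample keys are constructed.

```shell
#!/bin/sh
# Added example: accounts_trusting_key is a hypothetical helper name.
# sshd's default AuthorizedKeysFile covers both file names checked below.

accounts_trusting_key() {
    base=$1      # directory that holds the home directories, no trailing slash
    pubfile=$2   # public key to look for, e.g. id_rsa.pub
    # Field 2 of a .pub file is the base64 key data.
    blob=$(awk '{ print $2; exit }' "$pubfile") || return 2
    [ -n "$blob" ] || return 2

    for f in "$base"/*/.ssh/authorized_keys "$base"/*/.ssh/authorized_keys2; do
        [ -f "$f" ] || continue          # unmatched glob or missing file
        account=${f#"$base"/}
        account=${account%%/*}
        # Compare whole fields: options may precede the key type, and the
        # comment after the key data can be edited freely.
        awk -v b="$blob" '
            /^[ \t]*#/ { next }
            { for (i = 1; i <= NF; i++) if ($i == b) { found = 1; exit } }
            END { exit !found }' "$f" && echo "$account"
    done | sort -u
}

# Demo on a throwaway directory tree with constructed (not real) keys.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/home/daggett/.ssh" "$d/home/oxnard/.ssh"
    printf '%s\n' 'ssh-rsa AAAAconstructedKEY1 daggett@localhost' > "$d/id_rsa.pub"
    cp "$d/id_rsa.pub" "$d/home/daggett/.ssh/authorized_keys2"
    # Same key data behind an option and with a different comment.
    printf '%s\n' 'no-pty ssh-rsa AAAAconstructedKEY1 relabelled' \
        > "$d/home/oxnard/.ssh/authorized_keys2"
    accounts_trusting_key "$d/home" "$d/id_rsa.pub"
    rm -rf "$d"
}
demo
```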
5.3.2. Make Remote Konqueror Access a Single-Click Operation
It is possible to create an icon on
your desktop to make the entire process a
single-click operation. To do this, right-click the desktop and
select Create New
the file a name that suits you. Given the example username and
server, an appropriate name might be program you know as Konqueror. In this case,
you are specifying that the profile it should use is the one for file
management, after which you supply the starting location. You could
just as easily issue a command, such as kfmclient
openProfile webbrowser
http://www.oreilly.com, and that would open the
web browser form of Konqueror and load the location http://www.oreilly.com.
