Team LiB

Hack 36. Konquer Remote Systems Without Passwords

Use some of Konqueror's powerful protocol connections without being bothered by password requests.

You might already be familiar with the KDE wallet system. The KDE wallet saves usernames and passwords for you so that you don't have to enter them each time you access a site that requires them. You can use the wallet to store your usernames and passwords for use with the various protocols available with Konqueror, including FISH, SFTP, etc., but you still have to type a password to use the wallet each time.

Here's a better way to save yourself the time involved in typing passwords to access remote sites with the SSH protocols that Konqueror uses (such as FISH and SFTP).

SSH normally requires a username and password. But SSH also supports a public and private key mechanism that lets you bypass the password without opening a security hole. Here is how the two keys are related. Your private key gives you access to any remote accounts that already have your matching public key. But the reverse is not true. Remote users with a copy of your public key cannot use the public key to access your account on your local machine.

Suppose you have an account under the username daggett. Here's how to create an SSH key that can be used to authenticate your user account on other systems:

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/daggett/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/daggett/.ssh/id_rsa.
Your public key has been saved in /home/daggett/.ssh/id_rsa.pub.
The key fingerprint is:
cd:f5:43:e5:62:16:53:1a:8c:8c:13:3b:5c:28:cc:5b daggett@<yourlocalhost>

Press Enter when prompted for information on where to save the key. You'll be asked for a passphrase for the account. Just press Enter all the way through the next series of prompts. This process creates both a private key and a public key. The SSH key is saved to the .ssh directory in the example user daggett's home directory.

You do not want to specify a passphrase. Doing so defeats the purpose of this portion of the hack, which is to get to the remote home directory without having to type in anything to authenticate your user. If you do specify a passphrase in this process, you will be required to enter that passphrase each time you open a Konqueror file manager view of your remote home directory. The fact that you have the private key on your machine is what is truly providing security for the authentication.


Now you need to copy the public key to the server host. The following command makes an SSH connection to the remote server norbert, creates a .ssh directory in your user's home directory, and sets its permissions to 0700 so that only your user can read, write, or enter it:

$ ssh norbert "mkdir .ssh; chmod 0700 .ssh"
Password:

Type in the password for the user account you are connecting with and press Enter. Then copy your public key to the newly created .ssh directory and name it authorized_keys2 with this command:

$ scp .ssh/id_rsa.pub norbert:.ssh/authorized_keys2
Password:

Once again, type in the password for the user account on the remote system and press Enter.

From this point forward, you should be able to enter your equivalent of the location sftp://daggett@norbert in Konqueror, and you should be taken immediately to your home directory on the server without having to enter a password. Similarly, you should be able to enter the equivalent of the FISH protocol, such as fish://daggett@norbert, which will take you to your home directory on norbert without asking for a password.

5.3.1. Dealing with Split Personalities

Suppose your username on the remote server is different from your username on your local server. Or perhaps you are an administrator and want to set yourself up with instant access to another user's account.

The procedure to follow in both of these scenarios is almost identical because the principle is the same, regardless of the username on the remote server. As long as the user on the remote server has your public key stored in the ~/.ssh/authorized_keys2 file, you can log in to that account without supplying a password.

The only differences in the procedure are that you must supply the different username during parts of the procedure and, most important of all, you must know the password for the account on the server with the username that is different from your username on your workstation. That is what protects the users on the server from enabling you to plant your public key in their home directories so that you'll have free access to their files.

Even if your username on the server is different from your username on your local machine, you must still create a public and private key using the ssh-keygen -t rsa command, and press Enter when prompted for passwords. If you have already created a public and private key and you intend to give yourself access to another account to which you have the proper rights, you can skip that step.

Here's how to deal with the fact that the username on the server is different from your local username. When you create the .ssh directory on the remote machine, specify the remote username in combination with the server name, separated by the @ symbol. Assume your username on the server is oxnard. This is the command to create the directory for oxnard on norbert:

$ ssh oxnard@norbert "mkdir .ssh; chmod 0700 .ssh"
Password:

Type in the password for the oxnard user account you are connecting with and press Enter. Then copy your public key to the newly created .ssh directory and name it authorized_keys2. Once again, combine the remote username with the server name, separated by the @ symbol:

$ scp .ssh/id_rsa.pub oxnard@norbert:.ssh/authorized_keys2
Password:

Now type in the password for the oxnard user account on the remote system and press Enter.

When you want to access the oxnard account using the FISH or SFTP protocol from Konqueror, take the same approach as you did when you used your local username, substituting your remote username. For example, use sftp://oxnard@norbert to use SFTP to connect to your oxnard home directory on the remote server without using a password, and use fish://oxnard@norbert to use FISH to connect to the remote server without using a password.
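The scp commands in both procedures replace any authorized_keys2 file that already exists on the server, which matters most when the account belongs to someone who may already have keys installed. As an added example (not from the book; install_pubkey and its arguments are hypothetical names), this shell function, run on the server against a copy of your public key, appends the key only if it is missing and keeps the directory and file owner-only:

```shell
#!/bin/sh
# Added example, not from the book. install_pubkey and its arguments are
# hypothetical names; authorized_keys2 is the file name this hack uses.
# Usage on the server: install_pubkey /path/to/id_rsa.pub "$HOME/.ssh"
install_pubkey() {
    pub=$1
    dir=$2
    auth=$dir/authorized_keys2

    # Accept exactly one line that looks like a public key, so a private
    # key or an arbitrary file is never appended by mistake.
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 2; }
    [ "$(grep -c '' "$pub")" -eq 1 ] || { echo "$pub: expected one line" >&2; return 2; }
    key=$(cat "$pub")
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "$pub: not a public key" >&2; return 2 ;;
    esac

    # Create directory and file readable by the owner only, then enforce
    # the modes in case they already existed with looser permissions.
    ( umask 077; mkdir -p "$dir" && : >> "$auth" ) || return 1
    chmod 0700 "$dir" || return 1
    chmod 0600 "$auth" || return 1

    # Match on "type base64-blob" only: a different comment, or options in
    # front of an existing entry, must not cause a duplicate line.
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if grep -qF -- "$blob" "$auth"; then
        echo "key already present in $auth"
        return 0
    fi

    # If the existing file does not end in a newline, add one so the new
    # key is not glued onto the last existing entry.
    [ -z "$(tail -c 1 "$auth")" ] || echo >> "$auth"
    printf '%s\n' "$key" >> "$auth"
    echo "key added to $auth"
}
```

Running it a second time with the same key leaves the file unchanged, so it is safe to repeat.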

5.3.2. Make Remote Konqueror Access a Single-Click Operation

It is possible to create an icon on your desktop to make the entire process a single-click operation. To do this, right-click the desktop and select Create New → File → Link to Application. Give the file a name that suits you. Given the example username and server, an appropriate name might be Home@Norbert. Click the icon next to the name field to choose an icon image that suits you.

Then click the Application tab, and enter the following into the Command field (substituting your name and your server name, of course):

kfmclient openProfile filemanagement sftp://daggett@norbert

From now on, whenever you want to manage your home directory files on the server, just click the icon you just created. A Konqueror file manager window should pop up with the remote files ready to be accessed and managed.

kfmclient is actually the program you know as Konqueror. In this case, you are specifying that the profile it should use is the one for file management, after which you supply the starting location. You could just as easily issue a command, such as kfmclient openProfile webbrowser http://www.oreilly.com, and that would open the web browser form of Konqueror and load the location http://www.oreilly.com.
