Bypassing SSH/SCP logins with Fortran/Linux
| Random Programmer 2005-08-19, 6:56 pm |
| Hello all. I am writing a Fortran program with a master/slave parallel
implementation. Basically one computer (the master) sends calls to
binaries on the slave machines, which process data fed to them and
return the answer to the master node.
All the master/slave nodes will be using Linux in some form; some will
be using SuSE 9.2 (64-bit), others Mandrake 10.1, others Red Hat 9.
I will have physical access to all the computers, and root access to
the master node. The slave nodes are run by my university department's
Comp. Resources Admin, but I should be able to do tweaks to the systems
as long as it doesn't compromise network security or hog too many
resources (so no turning off firewalls, etc.)
I can run the ssh command through a "systemqq" call in Fortran, so it
looks something like:
logical(4) result
result = systemqq("ssh user@192.168.0.1")
The problem is that SSH then asks for the login name/password
interactively, which must be entered via the keyboard. I have tried
creating a text file which enters these values but it doesn't work.
E.g.
result = systemqq("ssh user@192.168.0.1 <run.txt>")
Contents of "run.txt":
let_me_in (Password)
cd /home/user/run
./execute_parallel_binary
Any suggestions on how to get past this? Also, will your suggestions
work for SCPing files around & bypassing the login/password as well?
Thanks.
| |
| Richard E Maine 2005-08-19, 6:56 pm |
| In article <1124487035.917342.284640@f14g2000cwb.googlegroups.com>,
"Random Programmer" <nonexistent2032@yahoo.co.uk> wrote:
> The problem is that SSH then asks for the login name/password
> interactively, which must be entered via the keyboard....
This doesn't really have anything in particular to do with Fortran. The
issues are not specific to running ssh via system() (or qqwhatever(), as
I guess it is called in some compilers).
I could explain here, but it seems simpler to suggest googling on
ssh "no password"
Be sure to put the "no password" part in quotes to get that exact
phrase. (Many things on ssh are going to have the word "password", and
"no" by itself is not likely to be a good search term).
Note that network security people will tell you that *ANY* way of
getting from one computer to another without explicitly typing a
password is a security "issue". It pretty much doesn't matter what the
way is; the capability itself is the issue. Whether it is an important
enough issue to bar the practice in your particular environment and
application is for you and your network/security people to judge; it
depends. That's not a Fortran matter and it is something that I don't
think it proper for me to advise you on in detail. My advice here is
limited to noting that it can be an issue. Having gotten my hand slapped
for such things in the past, I'm conscious of it :-(.
--
Richard Maine | Good judgment comes from experience;
email: my first.last at org.domain | experience comes from bad judgment.
org: nasa, domain: gov | -- Mark Twain
| |
| Rich Townsend 2005-08-19, 6:56 pm |
| Random Programmer wrote:
> Hello all. I am writing a Fortran program with a master/slave parallel
> implementation. Basically one computer (the master) sends calls to
> binaries on the slave machines, which process data fed to them and
> return the answer to the master node.
>
> All the master/slave nodes will be using Linux in some form; some will
> be using SuSE 9.2 (64-bit), others Mandrake 10.1, others Red Hat 9.
>
> I will have physical access to all the computers, and root access to
> the master node. The slave nodes are run by my university department's
> Comp. Resources Admin, but I should be able to do tweaks to the systems
> as long as it doesn't compromise network security or hog too many
> resources (so no turning off firewalls, etc.)
>
> I can run the ssh command through a "systemqq" call in Fortran, so it
> looks something like:
>
> logical(4) result
> result = systemqq("ssh user@192.168.0.1")
>
> The problem is that SSH then asks for the login name/password
> interactively, which must be entered via the keyboard. I have tried
> creating a text file which enters these values but it doesn't work.
> E.g.
>
> result = systemqq("ssh user@192.168.0.1 <run.txt>")
>
> Contents of "run.txt":
> let_me_in (Password)
> cd /home/user/run
> ./execute_parallel_binary
>
>
> Any suggestions on how to get past this? Also, will your suggestions
> work for SCPing files around & bypassing the login/password as well?
This is possible using the public/private key functionality of OpenSSH.
On your local system (the one you are ssh/scp'ing *from*), first create
a public/private key pair:
ssh-keygen -t dsa
Just type enter for the passphrase, to indicate that you want it blank
(you want remote logins *without* being prompted for a password or a
passphrase).
This will create two files in the .ssh directory below your home
directory: 'id_dsa' and 'id_dsa.pub', which contain the private and
public keys respectively.
Copy the public key (id_dsa.pub) to each remote machine you want to
ssh/scp to, storing it in the file 'authorized_keys' within the .ssh
directory. This file can contain any number of keys, one per line
for each machine that is authorized to ssh in without the need for a
password.
Now, to connect from the local machine to the remote machine, just do
ssh or scp as usual. You should not be prompted for a password.
Note that this example assumes you are using DSA keys. If for some
reason you want to use a (less secure) RSA key, change 'dsa' to 'rsa'.
Before you do any of this, think about any security implications it
might have. If someone cracks your local machine, they have automatic
access to all of the remote machines that hold the local machine's
public key. Richard Maine has already commented on this issue.
cheers,
Rich
| |
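An added example (not part of the thread and not any poster's code) of limiting what the passphrase-less key described above can do on a slave node: the authorized_keys entry is pinned to the master's address and to one forced command, installed with strict permissions, and the file is then audited for keys that still grant a full shell. The master address 192.168.0.10, the key text and the function names are constructed; an ed25519 key stands in for the thread's DSA key, which current OpenSSH releases no longer accept by default.

```shell
#!/bin/sh
# Added example. The key, the master address 192.168.0.10 and the function
# names are constructed for illustration; they are not from the thread.

# Build one authorized_keys line: options first, then the public key.
#   $1 public key line   $2 address the master connects from
#   $3 the single command this key is allowed to run
restricted_entry() {
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$2" "$3" "$1"
}

# Append the entry to <dir>/authorized_keys once, with modes that satisfy
# sshd's StrictModes check (directory 700, file 600).
install_entry() {
    dir=$1; entry=$2
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys"
    grep -qxF -- "$entry" "$dir/authorized_keys" ||
        printf '%s\n' "$entry" >> "$dir/authorized_keys"
}

# Print every key line lacking a command= or restrict option (such a key
# grants a full shell). Exit status 0 means none were found.
audit_authorized_keys() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         /^(command="|restrict)/ || /,(command="|restrict)/ { next }
         { print; bad = 1 }
         END { exit bad + 0 }' "$1"
}

# Demo on a scratch directory standing in for ~/.ssh on a slave node.
PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotReal master-node'
FORCED='cd /home/user/run && ./execute_parallel_binary'
demo=$(mktemp -d)
install_entry "$demo/.ssh" "$(restricted_entry "$PUBKEY" 192.168.0.10 "$FORCED")"
if audit_authorized_keys "$demo/.ssh/authorized_keys"; then
    echo "every key is restricted"
fi
rm -rf "$demo"
```

With such an entry in place, sshd runs only the forced command for that key and ignores whatever command the connecting side supplies.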
| Random Programmer 2005-08-19, 9:56 pm |
| Thanks guys. As always, your input has been very helpful.
| |
| Janne Blomqvist 2005-08-21, 7:56 am |
| Random Programmer wrote:
> Any suggestions on how to get past this? Also, will your suggestions
> work for SCPing files around & bypassing the login/password as well?
In addition to the passwordless ssh keys recommended by others, you
can also use the "expect" tool to script interactive programs.
--
Janne Blomqvist
| |
| Janne Blomqvist 2005-08-21, 7:56 am |
| In article <de5oap$guj$1@scrotar.nss.udel.edu>, Rich Townsend wrote:
> Note that this example assumes you are using DSA keys. If for some
> reason you want to use a (less secure) RSA key, change 'dsa' to 'rsa'.
I'm not so sure about the "less secure" part. See e.g.
http://www.chiark.greenend.org.uk/~...aq.html#faq-dsa
http://www.rsasecurity.com/rsalabs/node.asp?id=2239
Or were you confusing ssh1, which only supports rsa, with ssh2, which
supports both rsa and dsa? ssh1 is less secure than ssh2, but it has
nothing to do with rsa vs. dsa.
In the end, I think it's unlikely that the security of either dsa or
rsa is going to be the weak link in any "normal" system.
--
Janne Blomqvist
| |
| David Frank 2005-08-21, 7:56 am |
|
"Random Programmer" <nonexistent2032@yahoo.co.uk> wrote in message
news:1124487035.917342.284640@f14g2000cwb.googlegroups.com...
> Any suggestions on how to get past this? Also, will your suggestions
> work for SCPing files around & bypassing the login/password as well?
>
> Thanks.
>
Windows WinInet API functions support accessing web pages (hands-off) that
require login/passwords
although I only briefly tested this in one of my programs and can't say for sure
it works universally.
Google is your friend...
| |
| Rich Townsend 2005-08-21, 6:57 pm |
| Janne Blomqvist wrote:
> In article <de5oap$guj$1@scrotar.nss.udel.edu>, Rich Townsend wrote:
>
>
>
> I'm not so sure about the "less secure" part. See e.g.
>
> http://www.chiark.greenend.org.uk/~...aq.html#faq-dsa
>
> http://www.rsasecurity.com/rsalabs/node.asp?id=2239
>
> Or were you confusing ssh1, which only supports rsa, with ssh2, which
> supports both rsa and dsa? ssh1 is less secure than ssh2, but it has
> nothing to do with rsa vs. dsa.
Yep, I was distinguishing between the -dsa flag to ssh-keygen (ssh2) and
the -rsa flag (ssh1). Thanks for clarifying this.
>
> In the end, I think it's unlikely that the security of either dsa or
> rsa is going to be the weak link in any "normal" system.
It depends on whether one works with the NSA, no?
cheers,
Rich
| |
| Janne Blomqvist 2005-08-22, 3:57 am |
| In article <dea0s9$ora$1@scrotar.nss.udel.edu>, Rich Townsend wrote:
> Yep, I was distinguishing between the -dsa flag to ssh-keygen (ssh2) and
> the -rsa flag (ssh1). Thanks for clarifying this.
Actually, to further nitpick, the -rsa flag creates an rsa key for
ssh2. To create an rsa key for ssh1 you need the -rsa1 flag. For
openssh at least, other implementations might differ.
>
> It depends on whether one works with the NSA, no?
Well, I would classify that and other super-high-security stuff as
outside the realm of "normal", but YMMV.
--
Janne Blomqvist