Passwordless SSH logins
Code and Classes and Research ~
Favorite Links ~
There are a few cases where having passwordless access to a machine is
convenient or necessary. I'm always looking up a series of commands that I can
just copy and paste to do it right quick. Here they are.
- Generate your key pair - One of the login modes of ssh is to use a
SSH key pair. A key pair is made up of both a private and a public key. The
private key is kept on your local machine while your public key is what you
distribute to all the machines you want to log in to. There are a few flavors
of keys you can generate, rsa1 (for SSH1), dsa (SSH2), or rsa (SSH2).
According to my IT guy he likes DSA. You can (and should) associate a password
with your key pair, so that only you can use it even if someone else manages to
gain access to your account. If you have more than one key pair, using the
same password for all key pairs will make them all active at the same time.
You can also vary the number of bits used for the key. The more bits you use
the harder it will be to crack, but I believe at a nominal performance drop. I
was recommended to use 2048 bits. Very well, 2048 bit DSA key it is.
ssh-keygen -t dsa -b 2048
# Type in strong password
If for some reason you need an rsa key, you can just replace the type with the
appropiate argument, -t rsa or -t rsa1.
NOTE: You need to make sure the permissions of the files in this directory are
set to allow read/write for the user only (-rw------- or chmod 600 *).
The most important files to do this for are the authorized_keys and private
keys files. Sometimes logging in will silently fail if you don't have the
permissions set correctly.
- Copy public key to remote machine - Once you made your key pair, you
should copy your public key to the remote machine preferably using an encrypted
method such as scp and add it to your .ssh/authorized_keys file. You can do
this with a single command.
cat ~/.ssh/id_dsa.pub | ssh email@example.com 'cat >> .ssh/authorized_keys'
# If you need to make a .ssh directory on the remote machine
cat ~/.ssh/id_dsa.pub | ssh firstname.lastname@example.org 'mkdir .ssh; cat >> .ssh/authorized_keys'
- SSH Agent - Now that you have a pair, you can try logging into
the remote machine as you normally would. You will be prompted for your key
pair password. If you left it blank when you created your keys you may simply
press enter (and SHAME on you). If you press enter at this point and you had a
password you will then be prompted for your remote account password. You can
avoid having to do this by using ssh-agent. This will allow you to type in
your password for the key pair once on a given machine and reuse it over and
over again. ssh-agent stores information about your keys in the memory of that
system, so if you move to another system or the machine is rebooted you will
have to run ssh-agent again. ssh-agent also will output some environment
variables that you can use to gain access to the keys in memory. I have a
couple of aliases that help me out with this. One thing to consider is adding
a time limit to how long your keys will be active in memory. If you want them
to last for only a day you can add -t 86400 (those are seconds) to
your ssh-agent command.
# For tcsh
# Activates the key pairs and stores some helper files. Run this once per
# machine you want to log from.
alias agent 'rm -f "$HOME"/.ssh/`hostname`.agent ; ssh-agent -t 86400 | grep -v echo > "$HOME"/.ssh/`hostname`.agent ; source "$HOME"/.ssh/`hostname`.agent ; ssh-add'
# Run this in any shell after 'agent' to "activate" the keys.
alias sshagent 'if (-e "$HOME"/.ssh/`hostname`.agent) source "$HOME"/.ssh/`hostname`.agent ; endif'
# For bash
alias agent='rm -f "$HOME"/.ssh/`hostname`.agent ; ssh-agent -t 86400 | grep -v echo > "$HOME"/.ssh/`hostname`.agent ; source "$HOME"/.ssh/`hostname`.agent ; ssh-add'
alias sshagent='if [ -e "$HOME"/.ssh/`hostname`.agent ]; then source "$HOME"/.ssh/`hostname`.agent ; fi'
Now you should simply be able to run agent once on the machine, and
then sshagent once per shell. You can then log into the remote
machine without having to type in a password. If your ssh agent expires
(you'll know, because you'll be propted for your password), then run
- Root access - You can also give users the ability to log into the
machine as root without having to give the root password out. Just add the
users public key to list of root's authorized_keys, and then the user can log
into the machine using root as the user name.
# Admin does
cat ~user/.ssh/id_dsa.pub | ssh email@example.com 'cat >> .ssh/authorized_keys'
# User does
sshagent; ssh firstname.lastname@example.org
# Or by typing the key pair's password
It is recommended that once you have the ability to log in remotely as root
with keys, you should disable password-based logins via ssh by making sure the
following line is in /etc/ssh/sshd_config: