HOWTO SSH without a password
From Gentoo Linux Wiki
The following instructions describe how to set up your SSH server to accept password-free logins, i.e. logins authenticated with a key pair instead of a password.
A key with an empty passphrase lets anyone who can read the private key file log in to every server it is installed on. You can follow the Ssh-agent guide, or the section below on ssh-agent, to get passwordless login without compromising security.
[edit] Client setup
As there are two versions of the SSH protocol, 1 and 2, identities are tied to the protocol version. Most SSH servers use version 2 of the protocol because of the limitations (and known weaknesses) of version 1.
Protocols and their identity types:
| Protocol | Type | Commandline |
|---|---|---|
| Version 1 | RSA1 | -t rsa1 |
| Version 2 | RSA | -t rsa |
| Version 2 | DSA | -t dsa |
After determining which identity type you want, create your private and public SSH keys. This article uses DSA keys (DSA is a signature algorithm, not encryption). Note that OpenSSH limits DSA keys to 1024 bits and that OpenSSH 7.0 and later disable ssh-dss keys by default, so on a current system use -t rsa (or -t ed25519, available since OpenSSH 6.5) instead; the remaining steps are identical. On the client machine type:
$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/gerard/.ssh/id_dsa):
The default location is fine, so just press <enter>.
Enter passphrase (empty for no passphrase):
Enter a passphrase, or press <enter> again for an empty passphrase. With an empty passphrase the key file alone is enough to log in as you; the Ssh-agent guide (and the ssh-agent section below) shows how to keep a passphrase and still not type it for every connection.
Enter same passphrase again:
Press <enter> again (or repeat the passphrase).
The key fingerprint is:
6f:c5:86:c7:67:69:02:1a:e4:a9:20:e6:16:13:5d:e5 username@host
That process created two files in ~/.ssh, the private key (readable only by you) and the public key:
| File: Contents of ~/.ssh |
-rw------- 1 bob users 668 Jun 17 23:52 id_dsa
-rw-r--r-- 1 bob users 602 Jun 17 23:52 id_dsa.pub |
[edit] Server setup
The file named id_dsa.pub is your public key, which you should copy to the server (here referred to as remotebox). Its single line must be appended to the file ~/.ssh/authorized_keys on the server. The private key id_dsa stays on the client and is never copied anywhere.
Copy and install the id_dsa.pub file on the remote system with ssh-copy-id, which ships with OpenSSH, creates ~/.ssh on the server if it does not exist, and asks for your password on remotebox one last time:
$ ssh-copy-id -i ~/.ssh/id_dsa.pub username@remotebox
[edit] Client & Server Setup (Alternative with ssh-installkeys)
This part describes how to use the ssh-installkeys tool, which performs the steps explained above automatically. First install ssh-installkeys (as root; on current Portage the keyword file is /etc/portage/package.accept_keywords rather than package.keywords):
$ echo "net-misc/ssh-installkeys" >> /etc/portage/package.keywords
$ emerge -av net-misc/ssh-installkeys
And run it:
$ ssh-installkeys username@remotebox
ssh-installkeys will do all the tasks needed to set up the local key files and the remote login, which includes:
- creating a keypair on the local system (if there is none)
- logging into the remote system (the password is needed)
- adding the public key to the remote system's ~/.ssh/authorized_keys
- checking and adjusting the security settings of the local and remote ssh files
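The two server-side steps that ssh-copy-id and ssh-installkeys perform (appending the key, and fixing the file modes that sshd's StrictModes and the ssh client insist on) are shown here by hand, as an added example that is not code from this wiki page or from either tool. The function names install_pubkey and check_ssh_perms, and the scratch-directory usage, are this example's own; paths are parameters so it can be run against a temporary directory as well as a real ~/.ssh.

```shell
#!/bin/sh
# Added example (not from the Gentoo wiki page or from ssh-installkeys).
# install_pubkey appends a public key to an authorized_keys file without
# creating duplicates; check_ssh_perms reports files that sshd or ssh would
# refuse because other users can write (or, for private keys, read) them.

# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS_FILE
install_pubkey() {
    pubkey_file=$1
    auth_keys=$2
    ssh_dir=$(dirname "$auth_keys")

    # A public key file holds one line: "<type> <base64 key> [comment]".
    # The second field identifies the key regardless of the comment.
    key_material=$(awk 'NR == 1 { print $2; exit }' "$pubkey_file")
    if [ -z "$key_material" ]; then
        echo "install_pubkey: no key material in $pubkey_file" >&2
        return 1
    fi

    # ~/.ssh must not be writable by others (700 is the safe choice) and
    # authorized_keys likewise (600); otherwise sshd silently ignores it.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    if grep -qF -- "$key_material" "$auth_keys"; then
        echo "install_pubkey: key already present in $auth_keys"
        return 0
    fi
    cat "$pubkey_file" >> "$auth_keys"
    echo "install_pubkey: key added to $auth_keys"
}

# writable_by_others PATH: true if PATH is group- or world-writable.
# -prune stops find from descending when PATH is a directory.
writable_by_others() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]
}

# readable_by_others PATH: true if PATH is group- or world-readable.
readable_by_others() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune \( -perm -g+r -o -perm -o+r \) -print)" ]
}

# check_ssh_perms SSH_DIR: warn about every file sshd or ssh would reject.
# Returns 0 when everything is acceptable, 1 otherwise.
check_ssh_perms() {
    ssh_dir=$1
    rc=0
    for f in "$ssh_dir" "$ssh_dir/authorized_keys"; do
        [ -e "$f" ] || continue
        if writable_by_others "$f"; then
            echo "WARNING: $f is group/world-writable; sshd StrictModes will ignore it" >&2
            rc=1
        fi
    done
    # Default key names from the ssh-add section; ssh refuses a private key
    # that other users can read ("UNPROTECTED PRIVATE KEY FILE").
    for f in "$ssh_dir/identity" "$ssh_dir/id_rsa" "$ssh_dir/id_dsa"; do
        [ -e "$f" ] || continue
        if readable_by_others "$f"; then
            echo "WARNING: private key $f is readable by others; ssh will refuse it" >&2
            rc=1
        fi
    done
    return $rc
}
```

On the server, after copying id_dsa.pub over with scp, source the file and run install_pubkey /tmp/id_dsa.pub ~/.ssh/authorized_keys; running it a second time reports the key as already present instead of adding a duplicate line. check_ssh_perms ~/.ssh on either side is the first thing to try when the Testing step below still asks for a password.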
[edit] Alternative to keychains: Using ssh-agent
| Note: You can look at Ssh-agent guide for more on this topic |
Using ssh-agent, your computer stores your decrypted private keys in memory for the duration of your session, or for a fixed time (if desired; see man ssh-add). It is intended for users who protect their keys with a passphrase, and lets the passphrase be entered only once: when the key is added to the agent. This is far more secure than a key with an empty passphrase, because the key on disk stays encrypted and is only usable through the running agent (assuming you don't leave the session open for someone else to use, of course). To use ssh-agent, you commonly invoke it in one of two ways:
1. You can tell ssh-agent to create a child process (such as an X or Konsole session), and it will terminate automatically when the child process exits:
For example, in your .xinitrc:
| File: ~/.xinitrc |
exec /usr/bin/ssh-agent startkde |
...or as an alias to konsole (or put this in the application line of the icon):
| File: ~/.bashrc |
alias konsole="/usr/bin/ssh-agent /usr/kde/x.x/bin/konsole" |
Gnome users are already running their session through ssh-agent if they use GDM.
2. You can invoke ssh-agent manually at the prompt:
$ eval `ssh-agent`
Once you have started ssh-agent or verified that it is running, add your keys with ssh-add:
$ ssh-add
Enter passphrase for /home/<you>/.ssh/id_rsa:
Identity added: /home/<you>/.ssh/id_rsa (/home/<you>/.ssh/id_rsa)
Without arguments, ssh-add adds some default keys (if they exist): ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/identity. If you have additional keys with other names, specify the files on the command line:
$ ssh-add ~/.ssh/gentoo_id_dsa
If you want ssh-agent to discard your key from memory after a time, specify the key's lifetime with the -t option:
$ ssh-add -t 2h ~/.ssh/sourceforge_id_rsa
See man sshd_config for time formats.
That's it. ssh-agent will sign with your private keys on behalf of your SSH client processes whenever they need to authenticate to a server, without prompting for your passphrase each time (the keys themselves never leave the agent). This is especially useful for scripting with SSH and running commands on multiple hosts. ssh-add -l lists the keys currently loaded, ssh-add -D removes them all, and ssh-agent -k stops an agent started with eval as above.
[edit] Testing
$ ssh -l username remotebox
Last login: Thu Jun 17 23:55:36 2004 from 192.168.34.2
$
If the system did not ask for a password, everything is working properly. If it did, run the client with ssh -v to see which keys it offers and where authentication fails, check on the server that ~/.ssh and ~/.ssh/authorized_keys are not writable by anyone else (700 and 600 are the safe modes; sshd silently ignores the file otherwise), and check your sshd_config file. The following options should be set:
| File: /etc/ssh/sshd_config |
# Allow Identity Auth for SSH1?
RSAAuthentication yes
# Allow Identity Auth for SSH2?
PubkeyAuthentication yes |
RSAAuthentication applies only to protocol 1; OpenSSH 7.4 and later dropped protocol 1 from sshd and ignore that keyword with a deprecation warning, so on a current server only PubkeyAuthentication matters. Restart sshd after changing the file.
Now repeat the server part for every server you want to log into without specifying the password.
You can add the following line to your ~/.bashrc to get a root shell on your own box without giving the root password (this requires your public key in root's ~/.ssh/authorized_keys and a PermitRootLogin setting in sshd_config that allows key-based root logins):
| File: ~/.bashrc |
alias root="ssh -l root 127.0.0.1" |
Be careful with this: anyone with access to your account, your unlocked session, or your private key file can issue this command and become root, so at the very least keep the key passphrase-protected and load it only into ssh-agent.
