Configure the Secure Shell (ssh) for Passwordless Login
What is the purpose?
You will want to do this because:
- It is more secure to type a long passphrase once than a shorter password often
- It is more convenient to log in or copy files without quoting a password
- You can keep a different secure & cryptic password for each machine without having to remember it each time
The Big Picture
- You generate a secure public key with its matching private key. The private key is protected by a long passphrase that only you know. The public key only works with messages generated from your private key.
- You install the public key on other (remote) machines.
- You prove who you are to your local machine by typing the passphrase that unlocks your private key.
- You connect to a remote machine using your private key.
- The remote machine knows that it must be you, since only you know the private part of the key.
There are a few practical details, but it is that simple.
In what follows two machines are talked about:
- W=Workstation, the machine with the keyboard that you use to connect to other machines;
- S=Server, the remote machine that you want to login to; there will probably be several machines like this
It is worth working hard today to learn the above and so be lazy tomorrow.
Initial setup
Generate the public/private keys, do this on your Workstation:
W$ ssh-keygen -t dsa
This will ask you for a passphrase that you later give to ssh-add.
It will create in your .ssh directory:
- id_dsa - this contains your private key, to be kept secret
- id_dsa.pub - this contains your public key that you give to remote machines
You need to arrange that a ssh-agent program is started when you login and that it is known to the commands that you type.
Since you may login on a plain console or via X (a GUI) you need to configure this twice, in files in your HOME directory on your workstation.
Add to your .bash_profile on your workstation:
# So that ssh will work, take care with X logins - see .xsession
[[ -z $SSH_AGENT_PID && -z $DISPLAY ]] && exec -l ssh-agent $SHELL -c "bash --login"
Add to your .xsession on your workstation:
#!/bin/sh
# This is called from /etc/X11/xdm
# Run ssh-agent (so that all children have $SSH_??? set) and then run the clients or xsession manager.
# -l is a bashism, so this assumes that /bin/sh is really bash, if not just remove -l.
xsm=xsm
[ -x /etc/X11/xinit/Xclients ] && xsm=/etc/X11/xinit/Xclients
[ -x "$HOME/.Xclients" ] && xsm="$HOME/.Xclients"
exec -l ssh-agent $SHELL -c "$xsm"
# should never get here; failsafe fallback
echo "Whoops! exec of '$xsm' failed from '$0'" >> .xsession-errors
exec -l $SHELL -c "xterm -geometry 80x24-0-0"
echo "Arrrgh! exec of 'xterm' failed from '$0'" >> .xsession-errors
exit 2
Setup for every Server that you connect to
Copy your public key from your workstation into your HOME directory on the remote machine (the private key id_dsa never leaves your workstation):
W$ scp ~/.ssh/id_dsa.pub S:.ssh/id_dsa.W
Login to the server S; you need to append your public key to your authorized_keys file:
S$ cat ~/.ssh/id_dsa.W >> ~/.ssh/authorized_keys
S$ rm ~/.ssh/id_dsa.W
S$ chmod 600 ~/.ssh/authorized_keys
S$ chmod 700 ~/.ssh
Note the 'z' in authorized_keys.
You may need to edit .ssh/id_dsa.W so that the name YourLogin@workstation.example.com at the end of the line matches the name that is seen when you connect to the server.
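The server-side step above as a small shell function; this is an added example, not code from the original page, and it assumes only POSIX sh and grep. It refuses a file that looks like a private key (so a mistaken scp of id_dsa can never be installed), appends each public-key line only once, and sets the directory and file modes that sshd's StrictModes check requires; the key line used in the test is constructed.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE [AUTHORIZED_KEYS]
# Appends the public key(s) in PUBKEY_FILE to AUTHORIZED_KEYS (default
# ~/.ssh/authorized_keys) exactly once and enforces the permissions that
# sshd expects. Hypothetical helper written for this example.
install_pubkey() {
    pubkey_file=$1
    ak=${2:-$HOME/.ssh/authorized_keys}
    ssh_dir=$(dirname "$ak")

    # A private key must never be installed on, or copied to, a server.
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "refusing: $pubkey_file looks like a PRIVATE key" >&2
        return 2
    fi
    # Accept only lines in the "<type> <base64> [comment]" public-key form.
    if ! grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+|sk-[a-z0-9@.-]+) [A-Za-z0-9+/=]+' "$pubkey_file"; then
        echo "refusing: $pubkey_file is not an OpenSSH public key" >&2
        return 2
    fi

    # sshd (StrictModes, the default) ignores authorized_keys when the
    # directory or file is group/world writable, so set tight modes up front.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$ak" && chmod 600 "$ak"

    # Append each key line only if that exact line is not already present,
    # so re-running the setup for a server never duplicates keys.
    added=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        if ! grep -qxF -- "$line" "$ak"; then
            printf '%s\n' "$line" >> "$ak"
            added=$((added + 1))
        fi
    done < "$pubkey_file"
    echo "$added key(s) added to $ak"
    return 0
}
```

Current OpenSSH releases disable DSA (ssh-dss) keys by default, so on a modern workstation you would generate an ed25519 key with ssh-keygen -t ed25519; the function above accepts either.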
Day to day use of ssh
Every time after you login to your workstation you must prove who you are to your ssh-agent; the ssh-add program will talk to your ssh-agent:
W$ ssh-add
When it prompts you, you type the passphrase that you typed to ssh-keygen.
You do not need to do this again unless you logout of your workstation.
To login to another machine from your workstation:
W$ ssh -X server.example.com
The -X option will allow you to run X (GUI) applications on the server and have them display on your workstation; the X traffic will be encrypted by ssh.
To copy a file to another machine:
W$ scp SomeFile.txt server.example.com:
W$ scp SomeFile.txt server.example.com:/tmp
W$ scp SomeFile.txt server.example.com:/tmp/FileFromWorkstation.txt
The first copies to your home directory on the remote machine.
Note that the trailing colon (':') is very much needed.
You may find this of interest: Speeding up SSH logins
If you want any help using the above, or have any comments or suggestions, please contact us.
