Parliament Hill Computers LtdParliament Hill Computers Ltd

HOWTO: ssh & scp: setup password-less login

Configure the Secure Shell (ssh) for Passwordless Login

What is the purpose ?

You will want to:

The Big Picture

  1. You generate a secure public key with its matching private key. The private key is protected (locked) by a long passphrase that only you know.
    The public key only works with messages generated from your private key.
  2. You install the public key on other (remote) machines.
  3. You prove who your are to your local machine by typing your private passphrase, this unlocks your private key.
  4. Your local machine connects to a remote machine using your unlocked private key.
  5. The remote machines know that it must be you since only you know the passphrase to unlock private part of the key.
  6. You use the same public keys for all remote machines (servers that you connect to).

There are a few practical details, but it is that simple.

In what follows there are two machines talked about:

You will make your life easier if you have the same username on both machines.

It is worth working hard today to learn the above and so be lazy tomorrow.

Key algorithm types

These are the different ways that the client authenticates itself to the server. What is recommended has changed over time; but older servers might not support newer algorithms. With some you can change the key length (-b option) ‐ bigger is better but slower.

For more comments

Initial setup

Generate the public/private keys, do this on your Workstation:

W$ ssh-keygen -t rsa -b 3072
W$ ssh-keygen -t ed25519

This will ask you for a passphrase that you later given to ssh-add.
It will create in your .ssh directory:

(The file names reflect the key type)

Above is shown for two key types, do for all types that you need ‐ use the same passphrase for all of them.

You need to arrange that a ssh-agent program is started when you login and that it is known to the commands that you type. Since you may login on a plain console or via X (a GUI) you need to configure this twice in files in your HOME directory on your workstation.

Add to your .bash_profile on your workstation:

# So that ssh will work, take care with X logins - see .xsession
[[ -n $SHELL && -z $SSH_AGENT_PID && -z $DISPLAY ]] &&
	exec -l ssh-agent $SHELL -c "bash --login"

You might need to modify your workstation's .xsession ‐ on older systems where you are running xdm.
Try this without modifying .xsession, add it later if it does not work.

# This is called from /etc/X11/xdm
# Run ssh-agent (so that all children have $SSH_??? set) and then run the clients or xsession manager.
# -l is a bashism, so this assumes that you are running bash, if not just remove -l.

[ -x /etc/X11/xinit/Xclients ] && xsm=/etc/X11/xinit/Xclients
[ -x $HOME/.Xclients ] && xsm=$HOME/.Xclients

exec -l ssh-agent $SHELL -c "$xsm"

# should never get here; failsafe fallback
echo "Whoops! exec of '$xsm' failed from '$0'" >> .xsession-errors

exec -l $SHELL -c "xterm -geometry 80x24-0-0"
echo "Arrrgh! exec of 'xterm' failed from '$0'" >> .xsession-errors

exit 2

Setup for every Server that you connect to

The easy way is to run the command:

W$ ssh-copy-id S


W$ ssh-copy-id
W$ ssh-copy-id

You will need to use the second form if your username is different on the two machines.

If ssh-copy-id is not available on your machine (it is newish), you will need to do this by hand:
Copy your public key from your workstation into your HOME directory on the remote machine:

W$ scp ~/.ssh/ ~/.ssh/ S:~

Login to the server S, you need to append your public key to your authorized_keys file:

S$ cat ~/ >> ~/.ssh/authorized_keys
S$ cat ~/ >> ~/.ssh/authorized_keys
S$ rm ~/ ~/
S$ chmod 600 ~/.ssh/authorized_keys
S$ chmod 700 ~/.ssh

Note the 'z' in authorized_keys.
You may need to edit .ssh/ so that the name at the end of the line matches the name that is seen when you connect to the server.

Day to day use of ssh

If you have not got ssh-agent running (via .bash_profile or .xsession as above) you start it:

W$ ssh-agent bash

Every time after you login to your workstation you must prove who you are to your ssh-agent, the ssh-add program will talk to your ssh-agent:

W$ ssh-add

When it prompts you, you type the passphrase that you typed to ssh-keygen.
You do not need to do this again unless you logout of your workstation.

To login, using the same username, to another machine from your workstation:

W$ ssh -X

The -X option will allow you to run X (GUI) applications on the server and have them display on your workstation, the X traffic will be encrypted by ssh.

To copy a file to another machine:

W$ scp SomeFile.txt
W$ scp SomeFile.txt
W$ scp SomeFile.txt

The first copies to your home directory on the remove machine.
Note that the trailing colon (':') is very much needed.

It helps if you have the same usernames on all machines, but if you can't manage this you put server_username@ before the other machine name, eg:

W$ ssh -X
W$ scp SomeFile.txt

If it doesn't work ...

A few things to check:

Your private ssh configuration file

You can, but don't have to, put individual machine options into your own configuration file. Most of the time you do this to save yourself typing, not infrequently remove servers need special options.
Create a plain text file called .ssh/config, it should not be writable by anyone else:

W$ touch ~/.ssh/config
W$ chmod 600 ~/.ssh/config

Entries in there begin with Host nick-name, this allows you to use nick-name for the remote server instead of its probably longer name. You can also have generic options, but I am not talking about that.

Useful options in the configuration file

Example showing all of the above (but you only use the ones that you need):

Host web-server
        Port 2020
        User alainw
	ForwardX11 yes

To connect using the nick-name:

W$ ssh web-server

Want to have different options for different servers, just add a new set with the Host option.

Other things of interest

License and copyright

All description & sample files copyright (c) 2008, 2013, 2020, 2023 Parliament Hill Computers. Author: Alain D D Williams.

You may used these files as the basis your own (or organisation's/company's) project(s) (under whatever licence that you see fit). You may not claim ownership or copyright of any substantially unmodified files. Acknowledgement would be appreciated, but is not necessary.

These demonstrations are made available in the hope that they are useful. There may be errors: there is no warranty at all, use at your own risk.

Return to tutorial home.

If you want any help using the above, or have any comments or suggestions, please contact us.