
HOWTO_SSH_without_a_password

This article is part of the HOWTO series.


The following instructions describe how to set up your SSH server to accept password-free logins.

Warning: It is unwise to have keys without passphrases: if someone simply copies the key file, he/she will have access to all accounts that allow that key.

You can follow the Ssh-agent guide or the section below on ssh-agent to get password-free login without compromising security.

Client setup

As there exist two versions of the SSH protocol, version 1 and 2, the identities are tied to the protocol version. Most SSH servers use version 2 of the protocol because of the limitations of version 1.

List of protocols and their identity types:

Protocol    Type   Command line
Version 1   RSA1   -t rsa1
Version 2   RSA    -t rsa
Version 2   DSA    -t dsa

After determining which identity type you want, it is time to create your private and public SSH keys (in this article we use a DSA key). On the client machine type:

$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/gerard/.ssh/id_dsa):

The default location is fine, so just press <enter>.

Enter passphrase (empty for no passphrase):

Enter a passphrase or press <enter> again for an empty passphrase.


Enter same passphrase again:

Press <enter> again.

key fingerprint is:
6f:c5:86:c7:67:69:02:1a:e4:a9:20:e6:16:13:5d:e5 username@host

That process created two files in ~/.ssh:

File: Contents of ~/.ssh
-rw-------   1 bob users   668 Jun 17 23:52 id_dsa
-rw-r--r--   1 bob users   602 Jun 17 23:52 id_dsa.pub

Note: The private key (id_dsa) is in OpenSSH (protocol 2) format. If you intend to connect to this server from PuTTY, you must convert this private key into PuTTY's own format with the help of puttygen. Save the PuTTY-formatted private key and feed this new key into PuTTY. The original private key will only work on clients that accept the OpenSSH private key format.

Server setup

The file named id_dsa.pub is your public key, which you should copy to the server (here referred to as remotebox). The file should be appended to a file named ~/.ssh/authorized_keys on the server.

Copy and install the id_dsa.pub file to the remote system:

$ ssh-copy-id -i ~/.ssh/id_dsa.pub username@remotebox
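What ssh-copy-id does on the server side, written out as an added example (not code from the original article) for hosts where ssh-copy-id is not available: the key is appended to ~/.ssh/authorized_keys only if it is not already there, and the directory and file get the permissions sshd's StrictModes expects. The optional home-directory argument and the count_keys helper are additions so the function can be exercised against a scratch directory.

```shell
#!/bin/sh
# install_pubkey <pubkey-file> [home-dir]  (home-dir defaults to $HOME)
# Run this on the server after copying id_dsa.pub there, e.g. with scp.
install_pubkey() {
    pubfile=$1
    home=${2:-$HOME}
    sshdir="$home/.ssh"
    authkeys="$sshdir/authorized_keys"

    # A public key line is "type base64-key [comment]"; refuse anything else.
    keyline=$(head -n 1 "$pubfile") || return 1
    case "$keyline" in
        ssh-*\ *|ecdsa-*\ *) ;;
        *) echo "not an OpenSSH public key: $pubfile" >&2; return 1 ;;
    esac
    # Compare only type + key material, so a changed comment is not a new key.
    keymat=$(printf '%s\n' "$keyline" | cut -d' ' -f1,2)

    # StrictModes (on by default) rejects a world/group-writable ~/.ssh
    # or authorized_keys, so set the permissions explicitly.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$authkeys" && chmod 600 "$authkeys" || return 1

    if cut -d' ' -f1,2 "$authkeys" | grep -qxF "$keymat"; then
        echo "key already present in $authkeys"
        return 0
    fi
    printf '%s\n' "$keyline" >> "$authkeys"
    echo "installed key in $authkeys"
}

# count_keys [home-dir]: number of lines in authorized_keys (for verification)
count_keys() {
    wc -l < "${1:-$HOME}/.ssh/authorized_keys" | tr -d ' '
}
```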

Client & Server Setup (Alternative with ssh-installkeys)

This part describes how to use the ssh-installkeys tool. It will do the steps explained above automatically. First install ssh-installkeys:

$ echo "net-misc/ssh-installkeys" >> /etc/portage/package.keywords
$ emerge -av net-misc/ssh-installkeys

And run it:

$ ssh-installkeys username@remotebox

ssh-installkeys will do all the tasks needed to set up the local key files and the remote login, which includes:

Note: ssh-installkeys will NOT update an existing authorized_keys file. If one exists, even if blank, it will not add the keys to it.

Alternative to keychains: Using ssh-agent

Note: You can look at Ssh-agent guide for more on this topic

Using ssh-agent, your computer will store your private keys in memory for the duration of your session, or for a fixed time (if desired; see man ssh-add). It is intended for users who protect their keys with a passphrase, and allows the passphrase to be entered only once: when the key is added to the agent. This setup is far more secure than making a key with an empty passphrase (assuming you don't leave the session open for someone else to use, of course). To use ssh-agent, you commonly invoke it in one of two ways:

1. You can tell ssh-agent to create a child process (such as an X or Konsole session), and it will terminate automatically when the child process exits:

For example, in your .xinitrc:

File: ~/.xinitrc
exec /usr/bin/ssh-agent startkde

...or as an alias to konsole (or put this in the application line of the icon):

File: ~/.bashrc
alias konsole="/usr/bin/ssh-agent /usr/kde/x.x/bin/konsole"

Gnome users are already running their session through ssh-agent if they use GDM.

2. You can invoke ssh-agent manually at the prompt:

$ eval `ssh-agent`


Once you have started ssh-agent or verified that it is running, add your keys with ssh-add:

$ ssh-add
Enter passphrase for /home/<you>/.ssh/id_rsa: 
Identity added: /home/<you>/.ssh/id_rsa (/home/<you>/.ssh/id_rsa)

Without arguments, ssh-add adds some default keys (if they exist): ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/identity. If you have additional keys with other names, specify the files on the command line:

$ ssh-add ~/.ssh/gentoo_id_dsa

If you want ssh-agent to discard your key from memory after a time, specify the key's lifetime with the -t option:

$ ssh-add -t 2h ~/.ssh/sourceforge_id_rsa

See man sshd_config for time formats.

That's it. ssh-agent will supply your private keys to your SSH client processes whenever they are needed to authenticate with a server, without prompting for your passphrase each time. This is especially useful for scripting using SSH and running commands on multiple hosts.


Tip: Gnome users may also see HOWTO use gnome-keyring to store SSH passphrases to have ssh-add get your passphrase from the Gnome keyring instead of your terminal.

Testing

$ ssh -l username remotebox
Last login: Thu Jun 17 23:55:36 2004 from 192.168.34.2
$

If the system did not ask you for a password, everything is working properly. If it did not work, check your sshd_config file. The following options should be set:

File: /etc/ssh/sshd_config
# Allow Identity Auth for SSH1?
RSAAuthentication yes

# Allow Identity Auth for SSH2?
PubkeyAuthentication yes

Now repeat the server part for every server you want to be able to log in to without specifying the password.

You can add the following line to your ~/.bashrc to get root access to your box without having to give your root password.

File: ~/.bashrc
alias root="ssh -l root 127.0.0.1"

Be careful with this, because anyone with access to your box will be able to issue this command!

Warning

Warning: Make sure that you keep your private key (~/.ssh/id_dsa) secret! While it is safe to give your public key (~/.ssh/id_dsa.pub) to anybody, you should be extremely careful that nobody else can read your private key (~/.ssh/id_dsa)! Everybody who has access to the private key can log in to any machine where the matching public key is installed, so guard it jealously! This is yet another reason to use a passphrase on your SSH key! You have been warned.
Warning: Loose permissions on both the .ssh and ${HOME} directories will prevent key-based authentication.
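The two things to check when the login still asks for a password, as an added example that is not part of the original article: whether sshd_config actually allows public key authentication (sshd takes the first value it finds for a keyword and defaults PubkeyAuthentication to yes when unset; Match blocks are ignored here for simplicity), and whether ${HOME}, ~/.ssh and authorized_keys have the loose permissions the warning above describes. Only ls, cut and awk are used, so it runs on any POSIX system; the home-directory argument is an addition so the checks can be tried against a scratch tree.

```shell
#!/bin/sh
# pubkey_auth_enabled <sshd_config>: 0 if key auth is allowed, 1 if it is off.
pubkey_auth_enabled() {
    val=$(awk '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        tolower($1) == "match" { exit }        # stop at the first Match block
        tolower($1) == "pubkeyauthentication" { print tolower($2); exit }
    ' "$1")
    # unset means the sshd default, which is yes
    [ "${val:-yes}" = "yes" ]
}

# not_group_world_writable <path>: the test StrictModes applies. In the
# ls mode string, position 6 is the group write bit and position 9 the
# world write bit; either one set makes sshd ignore the key.
not_group_world_writable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || return 1            # path does not exist
    case "$mode" in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# check_key_perms [home-dir]: audit every path StrictModes looks at;
# returns 0 only if all of them are acceptable.
check_key_perms() {
    home=${1:-$HOME}
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if not_group_world_writable "$p"; then
            echo "ok:  $p"
        else
            echo "BAD: $p is missing or group/world writable" >&2
            rc=1
        fi
    done
    return $rc
}
```

If check_key_perms reports a bad path, chmod 755 ${HOME}, chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys on the server, then retry the login.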


Retrieved from "http://www.gentoo-wiki.info/HOWTO_SSH_without_a_password"

Last modified: Mon, 04 Aug 2008 08:57:00 +0000