SSH Without Passwords

Linux Administration

I'm sure there are millions of pages on the Internet concerning this topic. This one is mine.

On Unix

These pages are very useful:

http://www.ibm.com/developerworks/library/l-keyc.html http://www.ibm.com/developerworks/library/l-keyc2/ http://www.ibm.com/developerworks/linux/library/l-keyc3/

Creating keys

You need a public/private key pair for each client you intend to connect from. You create a key pair using the ssh-keygen program. I create RSA keys because DSA keys are limited in strength. I use 2048 bit keys:

dcr@zinc:~$ ssh-keygen -b 2048 -t rsa

Just take the default location for the key. Enter a passphrase to encrypt the private key.

You need to copy the public key to the computer you want to connect to:

% scp ~/.ssh/id_rsa.pub user@remotebox:

And you need to append this key to the ~/.ssh/authorized_keys file:

% ssh user@remotebox
user@remotebox's password: (enter password)
Last login: Thu Jun 28 20:28:47 2001 from localbox.gentoo.org

Welcome to remotebox!

% cat id_rsa.pub >> ~/.ssh/authorized_keys
% exit

Or....you can just use ssh-copy-id. I've never used it but it seems convenient.

Now you can log in to remotebox. Note that you still have to type in a passphrase - it's the passphrase for the private key. The difference is that this passphrase is never sent over the network. It's used strictly to decrypt the private key.

Using ssh-agent

It's inconvenient to have to type in this passphrase all the time (it's no better than using password authentication), so we use another program to help us out here: ssh-agent. ssh-agent will cache your unencrypted private key in memory so that you don't have to keep typing in your passphrase.

If you use GNOME or Xfce, then ssh-agent is started for you when you log in. Otherwise you can just run ssh-agent.

% ssh-agent

This will start an empty caching agent. The output of this command is bash code that can be executed that will define some evironment variables for use by ssh, scp, etc.

SSH_AUTH_SOCK=/tmp/ssh-XX4LkMJS/agent.26916; export SSH_AUTH_SOCK;
SSH_AGENT_PID=26917; export SSH_AGENT_PID;
echo Agent pid 26917;

Evaluate this code in your bash shell, (say, in your .bash_profile), and all programs in that shell can use ssh with no password.

You can add all the keys in your .ssh directory by running ssh-add without arguments:

% ssh-add

and you can see if your key was picked up by running :

% ssh-add -l

This page has information on running ssh-add whenever you start xfce. See the section called "Getting ssh-add to run at startup in XFCE4"

Using keychain

Starting ssh-agent from your .bash_profile is not the best solution because it will start a new process every time you login. Better is to use keychain, which will check if ssh-agent is running and start it if it isn't. keychain will dump ssh-agent's output into a file which you can execute to get the environment variables.

Put this in your .bash_profile:

/usr/bin/keychain ~/.ssh/id_rsa
source ~/.keychain/zinc-sh > /dev/null

When you login, keychain will try to run ssh-add on the keys you specify its argument list. If they aren't there, you will need to supply the passphrase at this point. If they are there, it won't add re-add them, hence you don't need to enter the passphrase again.

You can use the above whenever you need to use ssh in a script and you don't want to type the passphrase.

Xfce Notes

I recently installed Linux Mint Debian Edition with Xfce. This is actually more of a hybrid between Xfce and GNOME since several GNOME apps are installed.

It is surprising difficult to get keychain working on such a system. Xfce is installed along with MDM and the usual bash_profile mechanism doesn't seem to work, because logging in via MDM does not go through the usual channels. I believe that editing your .xession file is supposed to be equivalent of the .bash_profile but in my tests that script does not seem to be executed either.

In the end I activated GNOME services in the Xfce settings panel. This makes the GNOME keyring daemon run on startup (though I did see it running even with the setting disabled). The end result is that you will be prompted to unlock the private key when you need it (for example, when you try to log in to a remote server that uses the keys). The password prompt has an option to unlock the keys at start up; I suspect that the password for the private key gets stored on disk, encrypted with your login password. You'll never be prompted to unlock the private key again.

gnome-keyring-daemon has a built in ssh-agent, so SSH can use it.

On Windows

I occasionally access my linux boxes from Windows, either from my laptop or a friend's computer. I use PuTTY for this.

You can create a public/private key by using the puttygen program which comes with the putty package. Just run the program. Pick the type of key you want (I use RSA keys with 2048 bits) and click the "Generate" button. Give it a passphrase and click "Save private key". You can copy the public key from the window and paste it as is into your .ssh/authorized_keys file on the machine you want to connect to.

You need to tell putty to use your private key in the SSH/Auth section of the configuration. You need to tell putty to use your username in the Connection/Data section of your configuration.