To log in remotely without a password and save time with things like Mercurial repositories, use passwordless authentication.

Do the following:

1. Create an RSA key-pair with an empty password (no encryption).
2. Copy the public key to the remote server.
3. Add the public key to the authorized_keys file on the remote server.

Here are the steps as you would actually type them (ssh-copy-id does steps 2 and 3):

    # -N '' sets an empty passphrase, so the private key is stored unencrypted
    ssh-keygen -q -t rsa -N '' -f ~/.ssh/id_rsa
    ssh-copy-id user@remote.example.com

Here is what you would do without ssh-copy-id.

    ssh-keygen -q -t rsa -N '' -f ~/.ssh/id_rsa
    scp ~/.ssh/id_rsa.pub user@remote.example.com:~/id_rsa.pub
    # Append the key on the server and set the permissions sshd expects
    ssh user@remote.example.com \
        "mkdir -p ~/.ssh; \
        chmod 700 ~/.ssh; \
        touch ~/.ssh/authorized_keys; \
        cat ~/id_rsa.pub >> ~/.ssh/authorized_keys; \
        chmod 600 ~/.ssh/authorized_keys"

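Note: storing a private key with no passphrase is usually a very bad idea, because anyone who can read the key file can log in as you. Use it only in limited circumstances. To simply avoid typing your password over and over, use SSH Agent.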

SSH Agent

You can have ssh cache your private key password so that you only need to enter it once. To do this, ssh uses ssh-agent to cache passwords. The ssh-agent sits in the background and caches the password to your private keys. On most desktop distros such as Ubuntu, an ssh-agent is started when you log in. The ssh-agent doesn't do anything until you add a private key to the cache. This will add your private key to the ssh-agent cache:

    ssh-add

The agent will ask you for your password. Now the agent running in the background has your password and private key. When the ssh client later needs to confirm a public key it will first ask the ssh-agent if it has the key and password cached. If it does then the ssh client can confirm your keys without your help.

Debugging Your Agent

Most distros that feature a display manager such as xdm, gdm, or kdm will start an ssh-agent when you log in. This is started as part of the xinit process. For example, if you use KDE, then kdm is your display manager. Kdm will start X, which starts startkde, which starts ssh-agent.

You can check if an agent is running by using this command:

    $ ps auxww | grep agent

If you don't have an agent running you can put one in your .xsession. Or you can run it manually at any time from the command line:

    $ exec ssh-agent bash

Possible Problems

  • The SSH2 protocol specifies a format for storing public keys. Some SSH servers (such as ssh.com's) require a public key in this format in order to accept authentication with the corresponding private key. Others, such as OpenSSH, use a different format. I don't know what to do about this.
  • When cutting and pasting the public key BEWARE that it should be a single line. If you cut and paste from a terminal window then it is likely that you will get newline characters added where your terminal wrapped the line. If you use vi then the line may wrap and APPEAR to be multiple lines, but it is really one single line. When you paste it to a new window it may look the same, but the copy will likely contain newline characters. This will not work.
  • Make sure you are using the correct version. Earlier versions of OpenSSH used two files, authorized_keys and authorized_keys2. Secure SSH uses something else with keys in an entirely different format.
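
A check for the wrapped-key problem described in the list above, added here as an example and not taken from noah.org or from OpenSSH: it reads each authorized_keys line, decodes the base64 key data and confirms that its length-prefixed fields are complete. The function names and the sample entry are constructed for illustration; the sample is built from filler bytes and is not a real key.

```python
import base64
import struct

# Plain (non-certificate) key types; their blobs consist only of length-prefixed fields.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def blob_key_type(b64):
    """Return the key type embedded in a base64 key blob, or None if the
    blob is not valid base64 or its length-prefixed fields are cut short."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    fields, pos = [], 0
    while pos < len(raw):
        if pos + 4 > len(raw):
            return None
        (n,) = struct.unpack_from(">I", raw, pos)
        pos += 4
        if pos + n > len(raw):
            return None
        fields.append(raw[pos:pos + n])
        pos += n
    return fields[0].decode("ascii", "replace") if len(fields) >= 2 else None

def check_authorized_keys(text):
    """Return (line_number, problem) pairs for entries that will not work."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Simplification: options before the key type are skipped, not parsed.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None:
            problems.append((lineno, "no key type; probably the tail of a wrapped key"))
        elif idx + 1 >= len(tokens):
            problems.append((lineno, "key type with no key data"))
        elif blob_key_type(tokens[idx + 1]) != tokens[idx]:
            problems.append((lineno, "key data truncated or not matching its type"))
    return problems

# Constructed sample: an ed25519-shaped blob built from filler bytes, not a real key.
_blob = b"".join(struct.pack(">I", len(f)) + f for f in (b"ssh-ed25519", bytes(range(32))))
GOOD = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " user@example\n"
WRAPPED = GOOD[:40] + "\n" + GOOD[40:]  # the same entry after a terminal-wrapped paste

if __name__ == "__main__":
    print(check_authorized_keys(GOOD))
    print(check_authorized_keys(WRAPPED))
```

To check a real file, pass its contents to check_authorized_keys, for example the text read from ~/.ssh/authorized_keys on the server.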

Credits: info taken from noah.org

