Wednesday, May 25, 2005

passwordless ssh

When looking for a howto on setting up passwordless ssh, I found this blog. Thanks Mick!

http://blogs.translucentcode.org/mick/archives/000230.html

Shortest passwordless ssh tutorial, ever

I've been trying to get passwordless sftp going between two unix machines so I can keep arch archives remotely but I kept having problems. Turned out there are a couple of things happening so I'm knocking together this quicky tutorial to outline how I do it. Note that I use local$ to denote a shell prompt on a local machine and remote$ to do the same for the remote machine.

  1. local$ ssh-keygen -t dsa
  2. local$ scp ~/.ssh/id_dsa.pub remote
  3. local$ ssh username@remote
  4. remote$ cat ~/id_dsa.pub >> ~/.ssh/authorized_keys
  5. remote$ chmod 644 ~/.ssh/authorized_keys - this was one of the things that kept throwing me: ssh doesn't like this file to be world- or group-writable.
  6. remote$ exit
  7. local$ ssh username@remote - Now instead of the normal password you should be asked for the password you entered for your dsa key. This isn't passwordless yet but shows that ssh is using the key.

At this point you can either use ssh-agent or keychain to manage your keys so you don't need to type in passwords. Normally I would recommend keychain but I have been having problems with it recently so I will outline how to use ssh-agent.

  1. local$ ssh-agent bash
  2. local$ ssh-add ~/.ssh/id_dsa - you will be prompted for your key's passphrase.
  3. local$ ssh username@remote - you shouldn't be asked for the passphrase again.

While you stay in the shell above you will never be prompted for a password for any ssh command. However this doesn't allow for things like cron jobs easily. An alternative way to use ssh agent would be to run it and source the settings it generates in your ~/.bashrc.

  1. Edit ~/.bashrc and add the following at the end:
    ssh_agent="$HOME/.ssh-agent.sh"
    if [ -f "$ssh_agent" ]
    then
        source "$ssh_agent" > /dev/null
    fi

    Note that I pipe the output to /dev/null to stop the agent pid being echoed, which might make some commands fail (e.g. sftp).

  2. local$ ssh-agent > ~/.ssh-agent.sh
  3. Either exit the shell and start a new one or local$ source ~/.ssh-agent.sh
  4. local$ ssh-add ~/.ssh/id_dsa
  5. local$ ssh username@remote - you shouldn't be prompted for a password

While ssh-agent is running all your processes (including your cron jobs) shouldn't need a password. However if ssh-agent dies or is killed things might go wrong since the old settings are left over.

Keychain, which I mentioned above, tries to simplify and manage all this by automatically starting ssh-agent processes when needed. I have been having problems with it, for a start the web page is a little out of date, better using keychain --help as a guide. It essentially does what I outlined above though.

Posted by mick at September 18, 2003 09:49 AM
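Two of the snags in Mick's write-up are worth turning into checks: sshd silently ignores an authorized_keys file (or .ssh directory) that is group- or world-writable, and a saved ~/.ssh-agent.sh keeps getting sourced long after the agent it describes has died. The script below is an added example, not code from Mick's post or from OpenSSH; the function names check_ssh_perms and agent_alive, the has_bits helper and the demo paths are my own choices, and the demo runs entirely inside a temporary directory so it never reads or changes the real ~/.ssh.

```shell
#!/bin/sh
# Added example (not from the original post): checks for the two failure
# modes the tutorial runs into.
#
#   check_ssh_perms DIR   returns 0 if DIR, DIR/authorized_keys and any
#                         private keys in DIR have modes sshd/ssh accept
#   agent_alive FILE      returns 0 if FILE (as written by `ssh-agent > FILE`)
#                         names a live agent process and an existing socket
#
# Both take their paths as parameters; nothing here touches ~/.ssh itself.

# True if the single entry PATH has any of the bits in MODE1 or MODE2 set.
has_bits() {
    # -prune keeps find on the named entry (no descent into directories).
    # POSIX -perm -NNN matches only when all bits of NNN are set, so two
    # tests are OR-ed to express "group-writable OR world-writable".
    find "$1" -prune \( -perm "-$2" -o -perm "-$3" \) -print 2>/dev/null | grep -q .
}

check_ssh_perms() {
    dir=$1
    rc=0
    # With StrictModes (the default) sshd ignores authorized_keys when the
    # file or the directory holding it is writable by group or others.
    for f in "$dir" "$dir/authorized_keys"; do
        [ -e "$f" ] || continue
        if has_bits "$f" 020 002; then
            echo "BAD  $f is group- or world-writable"
            rc=1
        fi
    done
    # The ssh client refuses a private key that group or others can read.
    for k in "$dir"/id_*; do
        [ -f "$k" ] || continue
        case $k in *.pub) continue ;; esac
        if has_bits "$k" 040 004 || has_bits "$k" 020 002; then
            echo "BAD  $k is readable or writable by group/others"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK   $dir permissions look fine"
    return "$rc"
}

agent_alive() {
    file=$1
    [ -f "$file" ] || return 1
    # ssh-agent emits sh syntax of the form
    #   SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.1234; export SSH_AUTH_SOCK;
    #   SSH_AGENT_PID=1235; export SSH_AGENT_PID;
    #   echo Agent pid 1235;
    # Source it in a subshell so a stale file cannot leak into this shell,
    # then require both a running process and an existing socket.
    (
        . "$file" >/dev/null 2>&1
        [ -n "$SSH_AGENT_PID" ] && [ -S "$SSH_AUTH_SOCK" ] \
            && kill -0 "$SSH_AGENT_PID" 2>/dev/null
    )
}

# Constructed demo: a throwaway .ssh directory, first with the modes the
# tutorial recommends, then with a world-writable authorized_keys, plus a
# settings file left behind by an agent that has already exited.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/.ssh"; chmod 700 "$tmp/.ssh"
    printf 'ssh-dss AAAA...constructed... user@local\n' > "$tmp/.ssh/authorized_keys"
    chmod 644 "$tmp/.ssh/authorized_keys"
    check_ssh_perms "$tmp/.ssh"             # OK
    chmod 666 "$tmp/.ssh/authorized_keys"
    check_ssh_perms "$tmp/.ssh"             # BAD
    ( : ) & dead=$!                         # a pid that is certainly gone
    wait "$dead"
    {
        printf 'SSH_AUTH_SOCK=%s/agent.sock; export SSH_AUTH_SOCK;\n' "$tmp"
        printf 'SSH_AGENT_PID=%s; export SSH_AGENT_PID;\n' "$dead"
        printf 'echo Agent pid %s;\n' "$dead"
    } > "$tmp/.ssh-agent.sh"
    if agent_alive "$tmp/.ssh-agent.sh"; then
        echo "agent alive: keys added with ssh-add will be used"
    else
        echo "stale $tmp/.ssh-agent.sh: agent gone, run ssh-agent > ~/.ssh-agent.sh again"
    fi
    rm -rf "$tmp"
}

demo
```

Running agent_alive from the ~/.bashrc snippet above, instead of sourcing the file unconditionally, is what keeps a dead agent's leftover settings from breaking every later ssh command; if it fails, start a fresh ssh-agent and overwrite the file.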
