Passwordless SSH login

Contents

  1. Ensure proper configuration
  2. Generating a public/private key pair
  3. Putting the key on the server
  4. Done!
  5. One caveat

Hate typing your SSH password every time you need to log in remotely to your machine? Set up public key authentication, and you can log in securely without ever having to type a password.

For this guide, let's say I have two machines, a laptop and a desktop. I move around a lot with my laptop (SSH client), and frequently need to access files or run commands on my desktop (SSH server) but hate typing the password to connect each time.

Ensure proper configuration

I am assuming you are using OpenSSH and that you're already able to log in remotely using a password. If not, usually all you have to do is install openssh-server on the server and openssh-client on the client. You might also have to open up TCP port 22 on the server if that's not done for you.

Pretty much all modern distros (certainly all the popular ones) will have pubkey authentication enabled in the SSH configuration. On the server, it's enabled as long as you do NOT see this line in /etc/ssh/sshd_config:

PubkeyAuthentication no

Often you will see the PubkeyAuthentication line commented out or not present at all. This is fine, since it defaults to yes.

On the client, pubkey authentication is enabled as long as that line appears in neither /etc/ssh/ssh_config nor ~/.ssh/config.

Generating a public/private key pair

To begin setting up public key authentication, you'll first need to generate public and private keys on the client. Generating a key pair is simple. Just run ssh-keygen and press Enter at each prompt to accept the defaults:

[icydog@client ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/icydog/.ssh/id_rsa):
Created directory '/home/icydog/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/icydog/.ssh/id_rsa.
Your public key has been saved in /home/icydog/.ssh/id_rsa.pub.
The key fingerprint is:
2b:7d:96:a2:c7:d9:67:6f:9e:d7:0d:f2:07:5a:77:18

Now, in ~/.ssh/, you'll have two files. id_rsa is the private key, which you must keep secret: with an empty passphrase, anyone who obtains this file can log in as you. id_rsa.pub is the public key, which we're going to copy to the server. It is safe to share the public key with anyone, including adversaries.

Putting the key on the server

Now we need to copy the public key to the server and add it to the list of authorized keys. First, scp the key to the server:

[icydog@client ~]$ scp ~/.ssh/id_rsa.pub icydog@server.icydog.net:
icydog@server.icydog.net's password:
id_rsa.pub                                    100%  393     0.4KB/s   00:00

Next, log on to the server and append the public key to the server's authorized_keys file:

[icydog@client ~]$ ssh icydog@server.icydog.net
icydog@server.icydog.net's password:
Last login: Mon Dec  3 16:04:12 from client.icydog.net
[icydog@server ~]$ cat id_rsa.pub >> ~/.ssh/authorized_keys
[icydog@server ~]$ rm id_rsa.pub

Done!

Now if you try to make an SSH connection, the server will have the client's public key and the client will have its private key, and magic will happen. You should not be prompted for a password any more:

[icydog@client ~]$ ssh icydog@server.icydog.net
Last login: Mon Dec  3 16:08:55 2007 from client.icydog.net
[icydog@server ~]$

ssh, scp, sftp, and any GUI tools built on top of these (like KDE's fish KIOslave) will no longer prompt for a password.

One caveat

I want to point out one more thing. The most common cause for SSH public key authentication mysteriously not working is incorrect file permissions on the ~/.ssh/ files. As a general rule, your file permissions (on both machines) should be at least as restrictive as:

~/.ssh/                      rwx------ (700)
~/.ssh/authorized_keys       rw-r--r-- (644)
~/.ssh/id_rsa                rw------- (600)
~/.ssh/id_rsa.pub            rw-r--r-- (644)
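
One way to check the permissions listed above, as an added example that is not part of the original guide: the function flags any entry whose mode has bits set beyond the table's value, which is what "at least as restrictive" means. The helper names and the GNU-then-BSD stat fallback are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original guide): audit ~/.ssh permissions.
# Entries are "name:max-mode"; the modes are the ones in the table above.
SSH_PERM_TABLE=".:700 authorized_keys:644 id_rsa:600 id_rsa.pub:644"

# Print the octal permission bits of a file, following symlinks.
# Assumption: GNU stat (-c) is tried first, BSD stat (-f) as a fallback.
file_mode() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

# check_ssh_perms DIR   (hypothetical helper name)
# Prints one line per entry that is more permissive than the table allows.
# Returns 0 if everything is at least as restrictive, 1 otherwise.
# Files that do not exist are skipped (a server may have no id_rsa).
check_ssh_perms() {
    dir=$1
    found=0
    for entry in $SSH_PERM_TABLE; do
        name=${entry%%:*}
        max=${entry##*:}
        if [ "$name" = "." ]; then path=$dir; else path="$dir/$name"; fi
        [ -e "$path" ] || continue
        mode=$(file_mode "$path")
        # Bits set in the actual mode but not in the allowed mode.
        extra=$(( 0$mode & ~0$max & 07777 ))
        if [ "$extra" -ne 0 ]; then
            printf '%s: mode %s is more permissive than %s\n' "$path" "$mode" "$max"
            found=1
        fi
    done
    return "$found"
}

# Usage: check_ssh_perms "$HOME/.ssh"
```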