Shortest passwordless ssh tutorial, ever
Posted 2003-09-18 10:04 a.m. by mick
tags: software
I've been trying to get passwordless sftp going between two unix machines so I can keep arch archives remotely but I kept having problems. It turned out there are a couple of things going on, so I'm knocking together this quick tutorial to outline how I do it. Note that I use local$ to denote a shell prompt on the local machine and remote$ to do the same for the remote machine.
local$ ssh-keygen -t dsa
local$ scp ~/.ssh/id_dsa.pub remote:
local$ ssh username@remote
remote$ cat ~/id_dsa.pub >> ~/.ssh/authorized_keys
remote$ chmod 644 ~/.ssh/authorized_keys
- this was one of the things that kept throwing me: sshd refuses to use this file if it is group- or world-writable, and it applies the same check to ~/.ssh and to your home directory. 644 is enough, since the file only holds public keys; 600 works just as well if you prefer to keep it private.
remote$ exit
local$ ssh username@remote
- Now, instead of your normal login password, you should be asked for the passphrase you gave the dsa key. This isn't passwordless yet, but it shows that ssh is using the key.
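The remote-side half of the steps above, as a small script. This is an added example and not code from the original post: it appends a public-key line to ~/.ssh/authorized_keys without duplicating it, and checks the permissions sshd's StrictModes enforces on your home directory, ~/.ssh and authorized_keys. The script name install-key.sh and the key line in the usage comment are assumptions (the key is a constructed placeholder, not a real key); HOME is taken from the environment so the functions can be pointed at a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original post. Installs a public key on the
# remote machine and checks the permissions sshd insists on before it will
# trust ~/.ssh/authorized_keys. HOME comes from the environment.

# Return 0 if the path is writable by neither group nor others, 1 if it is.
# Parses the mode column of `ls -ld` (e.g. drwx------), which is portable
# across GNU and BSD userlands, unlike the flags of stat(1).
not_group_or_world_writable() {
    mode=$(ls -ld -- "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 1 ;;   # group write (pos 6) or other write (pos 9)
    esac
    return 0
}

# Check every path sshd looks at before it will use authorized_keys.
check_ssh_perms() {
    for p in "$HOME" "$HOME/.ssh" "$HOME/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p" >&2
            return 1
        fi
        if ! not_group_or_world_writable "$p"; then
            echo "sshd will ignore your key: $p is group- or world-writable" >&2
            return 1
        fi
    done
    return 0
}

# Install one public-key line idempotently. The subshell keeps umask 077
# from leaking into the caller's shell; 600 on the file is stricter than
# the 644 in the post and is fine, since sshd reads it as you.
install_pubkey() {
    pubkey="$1"
    sshdir="$HOME/.ssh"
    authkeys="$sshdir/authorized_keys"
    ( umask 077 && mkdir -p "$sshdir" && touch "$authkeys" ) || return 1
    chmod 700 "$sshdir" && chmod 600 "$authkeys" || return 1
    if grep -qxF -- "$pubkey" "$authkeys"; then
        return 0                     # already there; don't append twice
    fi
    printf '%s\n' "$pubkey" >> "$authkeys"
}

# Usage (on the remote machine, after scp'ing the key across):
#   sh install-key.sh install "$(cat ~/id_dsa.pub)"
#   sh install-key.sh check
case "${1:-}" in
    install) install_pubkey "$2" && check_ssh_perms ;;
    check)   check_ssh_perms ;;
esac
```

The check function is what to run when key authentication silently falls back to a password prompt: sshd logs the permission complaint on the server (see the comment below about /var/log/secure) but tells the client nothing.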
At this point you can either use ssh-agent or keychain to manage your keys so you don't need to type in the passphrase every time. Normally I would recommend keychain but I have been having problems with it recently so I will outline how to use ssh-agent.
local$ ssh-agent bash
local$ ssh-add ~/.ssh/id_dsa
- you will be prompted for your key's passphrase.
local$ ssh username@remote
- you shouldn't be asked for the passphrase again.
While you stay in the shell started above you will not be prompted for the passphrase by any ssh command. However, this doesn't help with things like cron jobs, which don't run inside that shell and so never see the agent's environment. An alternative is to run ssh-agent once, save the settings it prints to a file, and source that file from your ~/.bashrc.
- Edit ~/.bashrc and add the following at the end:
ssh_agent="$HOME/.ssh-agent.sh"
if [ -f "$ssh_agent" ]
then
    source "$ssh_agent" > /dev/null
fi
Note that I redirect the output to /dev/null to stop the agent pid being echoed, which might make some commands fail (e.g. sftp, which needs a clean stdout).
local$ ssh-agent > ~/.ssh-agent.sh
- Either exit the shell and start a new one, or:
local$ source ~/.ssh-agent.sh
local$ ssh-add ~/.ssh/id_dsa
local$ ssh username@remote
- you shouldn't be prompted for the passphrase.
While that ssh-agent is running, any process that sources ~/.ssh-agent.sh can use the key without a passphrase; a cron job has to source the file itself, since cron doesn't read your ~/.bashrc. However, if ssh-agent dies or is killed, or the machine reboots, the old settings are left in the file pointing at a dead process and a missing socket, so ssh falls back to asking for the key's passphrase until you start a new agent and regenerate the file.
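A way to avoid the stale-settings problem, as an added example that is not code from the original post: instead of sourcing ~/.ssh-agent.sh blindly from ~/.bashrc, check whether the saved agent is still alive and start a new one only when it isn't. The file name agent-env.sh and the AGENT_ENV variable are my own names; the saved file is the one the post calls ~/.ssh-agent.sh.

```shell
#!/bin/sh
# Added example, not from the original post: reuse one ssh-agent across
# shells and reboots by saving its environment to $HOME/.ssh-agent.sh and
# starting a new agent only when the saved one is dead. AGENT_ENV is an
# assumed name for the file the post calls ~/.ssh-agent.sh.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh-agent.sh}"

# Return 0 if the settings file describes a live agent. ssh-agent's output
# sets SSH_AUTH_SOCK and SSH_AGENT_PID; the agent counts as live only if
# that pid still answers kill -0 (which sends no signal, it only checks)
# and the socket path still exists. After a reboot both checks fail, which
# is the stale-file case the post warns about. Evaluated in a subshell so
# a stale file never leaks dead settings into the calling shell.
agent_env_is_live() {
    envfile="$1"
    [ -r "$envfile" ] || return 1
    (
        . "$envfile" >/dev/null
        [ -n "${SSH_AGENT_PID:-}" ] && [ -n "${SSH_AUTH_SOCK:-}" ] &&
            kill -0 "$SSH_AGENT_PID" 2>/dev/null && [ -e "$SSH_AUTH_SOCK" ]
    )
}

# Load the live agent's settings, or start a fresh agent and save its
# settings for other shells and cron jobs to source. Keys still have to be
# added once per agent lifetime with ssh-add; that is where the passphrase
# is typed, so this cannot be fully automated without an unencrypted key.
ensure_agent() {
    if ! agent_env_is_live "$AGENT_ENV"; then
        # -s forces Bourne-style output whatever $SHELL is; umask 077 in the
        # subshell keeps the new file private to you without changing the
        # caller's umask.
        ( umask 077 && ssh-agent -s > "$AGENT_ENV" ) || return 1
    fi
    . "$AGENT_ENV" >/dev/null      # exports SSH_AUTH_SOCK and SSH_AGENT_PID
}

# Usage: put these two lines in ~/.bashrc (or whichever file your login
# shell reads), and at the start of any cron job that needs the key, since
# cron does not read ~/.bashrc:
#   . "$HOME/bin/agent-env.sh"
#   ensure_agent
```

After a reboot the first shell that runs ensure_agent starts a new agent and rewrites the file; you then run ssh-add once, and every later shell or cron job that sources the file finds the live agent instead of a dead pid.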
Keychain, which I mentioned above, tries to simplify and manage all this by automatically starting ssh-agent processes when needed. I have been having problems with it; for a start, its web page is a little out of date, so keychain --help is a better guide. It essentially does what I outlined above though.
Comments
Alan Green
Posted at 2003-09-18 2:29 p.m.
Of course, if you don't type in a passphrase when generating the key, you won't need keychain or ssh-agent. On the downside, anybody that hacks your local account can log into remote.
mick
Posted at 2003-09-18 2:40 p.m.
Good point, I forgot to mention that. Of course it removes some security so strictly speaking you shouldn't do this.
xscousr
Posted at 2003-09-24 7:32 p.m.
Nice - thanks - i got caught on the permissions on the authorized_keys file as well
and now it works....
cheers
Andrew Jones
Posted at 2003-10-29 11:30 p.m.
Thanks a lot! Finally got it working after reading this page.
Oisin Mulvihill
Posted at 2003-11-28 10:51 a.m.
I've read a site that recommends making the "authorised_keys" file only readable to you. This makes sense as otherwise people on the system could potentially read the key and use it. I guess it adds just that bit more security.
Posted at 2004-01-01 6:15 a.m.
Given that most servers are using ssh2 it should be pointed out that the authorized_keys file is actually authorized_keys2.
And the .ssh DIRECTORY on the host also cannot be group writable. This problem I detected by looking at /var/log/secure on the host.
Mark Stanislav
Posted at 2004-02-09 7:42 a.m.
Wonderful and quick tutorial. Thanks for posting it, saved me a lot of googling just to see more web sites waste page after page on non-working examples.
Either exit the shell and start a new one or local$ source ~/.ssh_agent.sh <-- that should say ssh-agent.sh
Santanu
Posted at 2004-03-24 11:13 p.m.
The first part of this tutorial works fine for me. I followed all the steps to stop asking for dsa passphrase but it continues. Any idea what might be the case? I'm using PowerBook G4 running OS X 10.2.8
Thanks,
Thor
Posted at 2006-02-18 8:37 p.m.
Thank you,
I read several tutorials on the same subject,
but this is the only one that described the process in so plain words and took it step by step that it worked at the first try!
Srinivas
Posted at 2006-06-09 10:15 a.m.
Very nice and useful, I fixed the issue after I read this article.
Keiran
Posted at 2007-03-06 12:41 a.m.
I was having a major problem with setting this up; you gave me the clues to solve it! Concise, precise, excellent.
David Eads
Posted at 2007-05-16 5:44 a.m.
Nice tutorial. One gotcha: I had to chmod +x .ssh_agent.sh in Kubuntu Feisty.
Anthony
Posted at 2007-06-19 11:46 p.m.
For those who might be trying to script this without editing your ~/.bashrc
you can run the following command:
ssh-agent ssh-add ~/.ssh/id_dsa
It will let you connect within the shell you are in instead of creating a new one.
Great Tutorial concise and precise - I wish more tutorials shared the same traits....Thanks.
Dilawar
Posted at 2007-09-13 10:05 a.m.
Thanx a lot.
It came really handy while i was working on my project
neil craig
Posted at 2007-09-28 10:53 a.m.
great stuff, this worked well for me. one thing to beware of though, one of our servers had RSA auth parameters in the sshd conf, you will need to disable these otherwise it will not work via DSA. most sshd's should be set up to use DSA already but if not, comment the following lines like this:
#RSAAuthentication yes
#pubkeyAuthentication yes
#AuthorizedKeysFile ~/.ssh/authorized_keys
and then restart sshd:
/etc/init.d/sshd reload
This won't kick you out of your remote session...whatever you do, don't do /etc/init.d/sshd restart if your access is only remote, you'll be locked out!!!
cheers
possum
Posted at 2007-10-04 2:01 p.m.
Thanks. This worked really well for me on my mac - I have to add the ssh-agent stuff to .profile instead of .bashrc, though.
One other problem I have with my mac -
Every time I reboot and start up a terminal, I have to
rm ~/.ssh-agent.sh
ssh-agent > ~/.ssh-agent.sh
source .ssh-agent.sh
ssh-add ~/.ssh/id_dsa
Is there any way I can get this to work without having to delete, recreate and source the .ssh-agent.sh file every time I reboot?