Passwordless SSH Logins

The Problem

Do you find yourself constantly logging in between multiple Unix/Linux systems with ssh, or constantly having to scp files back and forth? Isn't it annoying that you have to type the same password over and over again?

Wouldn't it be nice if there was a way to remotely log in without having to type your password every time? Just like with the .rhosts file, in the old rsh/rlogin days.

These instructions were tested on OpenSSH as distributed with the CentOS flavor of Linux, in September 2006. These instructions should work with any Linux, as well as any other kind of Unix that has OpenSSH installed.

Caveat

You should not enable passwordless logins over the Internet. Please keep it to machines near each other, such as on your local intranet, behind a firewall.

These instructions assume you want passwordless logins in both directions. Once you've logged into the first computer (entering your password), you can ssh/scp to any other without being prompted for a password.

There are many other SSH distributions out there, with different ways to configure them. If you're not using OpenSSH, you should not follow these instructions.

The Solution

Step 1 - Each host needs a Public/Private Keypair

You must have your own SSH public/private keypair. We recommend generating the keypair once, and copying the keys between hosts. So, if you have already run "ssh-keygen" in the past, you should not do it again, unless you entered a passphrase for the keys. You need a set of keys that have no passphrase associated with them. If you need to, you can run ssh-keygen again, which will overwrite your current keypair with a fresh copy (see below).

Copying your keys from another host

If you have keys on another machine, simply copy the files to this machine. Create the directory ".ssh" on the new host first, if it doesn't exist:

mkdir ~/.ssh

Log into the host with the keys, and type:

cd .ssh
scp id* auth* conf* newhost:.ssh

This copies the keys (id*) as well as a couple other important files. Don't worry if the auth* or conf* files do not exist, we'll fix that in a moment.

Create a New Key Pair

If you don't yet have a set of SSH keys, you can generate one easily:

ssh-keygen -t dsa

(You can use "rsa" style keys instead of "dsa", if you want). To answer the passphrase question, do not enter anything, just press the ENTER key. To answer the file question, the default is fine, just press the ENTER key. This should have created two files in your .ssh directory: "id_dsa" (your private key), and "id_dsa.pub" (your public key).

Step 2 - Configuring Passwordless Logins

The default configuration for many OpenSSH installations is to require passwords. To disable this, do the following on both systems:

echo "StrictHostKeyChecking no" >> config

This will create the file "config" (in your .ssh directory) if it doesn't exist. But if it does, it simply adds this line to the end of the file. If the file already existed, you should probably edit "config" and change the existing line, if there is one.

Then, you need to make your public key be considered "authorized". Do this command on both systems (in your .ssh directory):

cat id_dsa.pub >> authorized_keys

(The British spelling "authorised" will not work here; it has to have a "z".)

Step 3 - File and Directory Permissions

Perhaps the most important and least understood part of this process is setting all the right permissions on files and directories. We haven't found a web site yet that had all the right information in this area. This really should be added to the OpenSSH documentation.

The .ssh directory needs to be read/write only by you.

chmod 700 ~/.ssh

Some files should only be accessible by you:

chmod 600 auth* id_dsa

Some files can be readable by others, but should not be executable:

chmod 644 id*pub config

And, last but not least, your home directory must not be writable by anyone other than you:

chmod g-w ~

Make all these changes on each machine that you want passwordless logins on.

Notes

Example modes that are OK for your home directory: 755, 2755, 750, 2750, 700, 2700. The chmod command above should simply fix the issue, without changing read or execute bits on your home directory's permissions. Modes that are not acceptable (and will silently fail!) include: 775, 2775, 777, 2777.
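As an added example (not part of the original page), here is a small POSIX shell audit of the modes that Step 3 and the Notes above require, the same checks sshd's StrictModes applies before it trusts authorized_keys. It assumes GNU coreutils `stat -c %a`; the names `mode_of`, `deny_bits` and `ssh_perm_check` are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): audit the modes that Step 3 and
# the Notes describe, much as sshd's StrictModes does before it trusts
# ~/.ssh/authorized_keys. Assumes GNU coreutils `stat -c %a`.

# mode_of FILE -> octal mode of FILE, e.g. 2755
mode_of() { stat -c '%a' "$1"; }

# deny_bits FILE MASK MESSAGE -> 0 if none of the octal MASK bits are set
deny_bits() {
    _mode=$(mode_of "$1")
    # the leading 0 makes the shell read the mode string as octal
    if [ $(( 0$_mode & $2 )) -ne 0 ]; then
        echo "BAD  $1 ($_mode): $3"
        return 1
    fi
    echo "ok   $1 ($_mode)"
}

# ssh_perm_check HOME_DIR -> 0 if every mode is acceptable, 1 otherwise.
# Rules follow the page: home not group/world writable (755/2755/750/2750/
# 700/2700 pass, 775/2775/777/2777 fail); ~/.ssh, authorized_keys and the
# private key readable only by the owner; public keys and config may be
# world-readable but neither executable nor writable by anyone else.
ssh_perm_check() {
    _home=$1; _rc=0
    deny_bits "$_home"      022 "home is group/world writable; run chmod g-w,o-w" || _rc=1
    deny_bits "$_home/.ssh" 077 "~/.ssh must be 700" || _rc=1
    for f in "$_home"/.ssh/authorized_keys "$_home"/.ssh/id_dsa "$_home"/.ssh/id_rsa; do
        [ -e "$f" ] && { deny_bits "$f" 077 "must be 600" || _rc=1; }
    done
    for f in "$_home"/.ssh/*.pub "$_home"/.ssh/config; do
        [ -e "$f" ] && { deny_bits "$f" 0133 "must be 644 (not executable, not writable by others)" || _rc=1; }
    done
    return $_rc
}

# Stand-alone use: sh ssh_perm_check.sh /home/alice
[ $# -eq 1 ] && ssh_perm_check "$1"
```

Run it on each machine after Step 3; any line starting with BAD names the file and the fix.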

If That Doesn't Work

If things still aren't working, be sure to check your system logs for errors:

/var/log/auth.log
/var/log/secure
/var/log/messages

If this doesn't work for your OpenSSH installation and you discover how to fix it, let us know so we can update this document. Thanks!

Copyright © 2006 - 2010 Keith Smith Internet Marketing LLC, all rights reserved.