OpenSUSE Linux Rants

OpenSUSE Linux Tips, tricks, how-tos, opinions, and news


March 18, 2008

ssh Without a Password

by @ 9:09 am. Filed under bash, command-line, Linux tips, ssh tips

If you use Linux for day-to-day computing, you likely use the secure shell, or ssh. If you are like me, you may grow weary of constantly having to type in passwords to access remote machines. Or maybe you have the perfect backup system (such as rsync or rdiff-backup), except that it uses ssh to transfer files and requires you to type in a password. There is a way to access those machines without using a password. This technique should be used with care. I’d use it only on machines that I have access to, for example. You don’t want to set up passwordless access from a public machine to your production server, in other words. Use with caution.

The principle is that you generate a public and private key on the local machine. This will be whatever machine you are connecting from. You then transfer the public key to the remote machine. Then, when you ssh into the remote machine, it uses the keys to authenticate. You don’t type in a password; it just takes you straight to the shell prompt. How do we set this up?

Log into the machine you are going to connect from. Let’s say that your account is called ‘user’ and you are going to connect from a machine called ‘desktop’. Log in as ‘user’ on the ‘desktop’ machine and pull up a shell. Run this command. The stuff in square brackets (shown in red on the original page) is what you do, not what you type:

[0218][user@desktop:~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa): [JUST PRESS ENTER HERE]
Enter passphrase (empty for no passphrase): [JUST PRESS ENTER HERE]
Enter same passphrase again: [JUST PRESS ENTER HERE]
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
a5:25:c0:aa:fe:f3:9f:46:7a:23:e3:6e:10:ec:6f:d3 user@desktop
[0218][user@desktop:~]$

Your keys are generated. On that machine, view /home/user/.ssh/id_dsa.pub. You will see something like this:

ssh-dss [LONG STRING OF KEY DATA] user@desktop

What you need to do now is determine the remote machine you are going to log into. Then, decide what user you are going to log in as on that machine. We are going to log in as a user called ‘admin’ on a server called ‘server’. First, we will ssh into ‘server’ as ‘admin’. Then, edit the file located at ~/.ssh/authorized_keys2. If it is not there, create it. All you need to do is paste the contents of the id_dsa.pub file from the ‘user’ account on the ‘desktop’ machine into the ~/.ssh/authorized_keys2 file for ‘admin’ on ‘server’.

For example:

I go to my desktop, log in as ‘user’. I run ‘ssh-keygen -t dsa’. It generates a ~/.ssh/id_dsa.pub file in my home directory.

I want to connect as ‘admin’ on a box called ‘server’. I ssh in normally as ‘admin’ into the ‘server’ machine. I edit the ~/.ssh/authorized_keys2 file using my favorite text editor. I add the contents of the ~/.ssh/id_dsa.pub file from my desktop machine into the authorized_keys2 file on ‘server’. I then save and quit. I then close all connections to ‘server’. Then, I type ‘ssh admin@server’, and hit ENTER. It drops me straight to a shell prompt.

This is a nice way to access a machine without having to type in the password every time. Only do this from machines that only you or authorized personnel have access to. Otherwise, you could have a li’l security problem.
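
The server-side step above, scripted as an added example (not part of the original post): it appends the public key only once, refuses a private key pasted by mistake, and sets the permission bits that sshd's default StrictModes setting checks. The function names install_pubkey and check_perms, the scratch directory and the sample key line are assumptions made for illustration; pass a third argument to use a key file name other than authorized_keys2.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# install_pubkey PUBKEY_FILE [HOME_DIR] [KEYS_FILE_NAME]
# Run on 'server' as 'admin': appends the key once and tightens permissions.
install_pubkey() {
    pub=$1
    home=${2:-$HOME}
    name=${3:-authorized_keys2}   # file name used in this article
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    # Catch the classic slip of pasting id_dsa instead of id_dsa.pub.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key; use the .pub file" >&2
        return 2
    fi
    # A public key is one line: "type base64-data comment".
    [ "$(grep -c . "$pub")" -eq 1 ] || { echo "expected one key line" >&2; return 3; }
    key=$(grep . "$pub")
    keys="$home/.ssh/$name"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 4
    touch "$keys" && chmod 600 "$keys" || return 4
    # Append only if this exact line is absent, so reruns do not duplicate it.
    grep -qxF -- "$key" "$keys" || printf '%s\n' "$key" >> "$keys"
}

# check_perms HOME_DIR [KEYS_FILE_NAME]
# Returns 1 if the home directory, ~/.ssh or the keys file is writable by
# group or others, which sshd's default StrictModes setting refuses.
check_perms() {
    home=$1
    name=${2:-authorized_keys2}
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/$name"; do
        [ -e "$p" ] || continue
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "too permissive: $p" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Demo in a scratch directory standing in for admin's home; the key is constructed.
demo=$(mktemp -d)
echo 'ssh-dss CONSTRUCTED_SAMPLE_KEY_DATA user@desktop' > "$demo/id_dsa.pub"
install_pubkey "$demo/id_dsa.pub" "$demo" && check_perms "$demo" && echo "key installed"
rm -rf "$demo"
```

If key login still prompts for a password after this, run check_perms against the real home directory on the server; any path it reports needs its group and other write bits removed.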

14 Responses to “ssh Without a Password”

  1. martijn Says:

    no passphrase? Just cook up some keys _with_ a passphrase and use ssh-agent + ssh-add so you only have to enter it once … it’s safer than no passphrase 😉

  2. Daniel Says:

    Keys without passphrase are dangerous, use a passphrase when creating the key and then use ssh-agent with ssh-add to avoid entering the passphrase every time.

  3. Knusper Says:

    Thanks… Haven’t known this yet… This will make my everyday life a lot better!

  4. Doran Barton Says:

    The file ‘authorized_keys2’ is deprecated. Recent versions of OpenSSH recognize simply ‘authorized_keys’.

    Also, OpenSSH is very picky (and rightly so) about the ownership and permissions in the ~/.ssh directory on the remote server. The user should own the directory and the files inside (makes sense, right?). The permissions on the directory should be drwx------ (700) and the permissions on the authorized_keys file should be -rw------- (600).

    Keys without passphrases can be dangerous (it shifts the emphasis to physical security), but if you care about security, you will want to edit /etc/ssh/sshd_config and set PasswordAuthentication to no and only accept connections with valid keys. Also, set PermitRootLogin to no.

  5. Jason Sjobeck Says:

    This article is fine and I do not want to sound negative, but this is not new, actually it’s been done-to-death, not a rant, and … not really, well, let’s how to phrase this, not worth the bits it takes to transfer this to my machine. Let’s get some really advanced clever tricks.

  6. Scott Morris Says:

    Jason,
    Yeah, well, ya’ got me, man. I stuck it on here for personal reference, mostly. And for the small chance that there may be someone, somewhere just getting into the Linux world who may not have seen it before who could benefit from it in some small way. But mostly, it’s for me to refer to. 🙂 Thanks for stopping by.

  7. Knusper Says:

    I have to change my password on one of the machines I am actually working on. I just wonder what might happen to me then, cause I performed that trick here?

  8. Joe Says:

    I’m such a person Scott, the one starting out and not a know all on Linux. Great Tip. The extra comments also helped. Thank you.

  9. Scott Morris Says:

    Knusper, the great thing about this is that it has nothing to do with the password. At all. This means that you can change the password all the live long day and you’ll still be able to get into the account because of the public/private key pair that you’ve generated. Thanks for stopping by.

  10. Scott Morris Says:

    Joe… Hey, you bet. Glad to help out. Have a good one, and thanks for stopping by.

  11. Brian Says:

    Trying to setup three systems to run a script that does remote commands.

    Two are working and the third does not accept remote connections without prompting for a password. I test the connections by connecting locally and then to the remote systems.

    The third system always prompts for a password.

    1. SUSE ES 9.2 – OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
    2. SUSE ES 9.2 – OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
    3. SUSE ES 10 – OpenSSH_4.2p1, OpenSSL 0.9.8a 11 Oct 2005

    Thank You in Advance …

    Regards,
    Brian

  12. Brian Says:

    Never Mind, found the problem @ http://www.openssh.com/faq.html#3.14
    The permissions needed to be fixed on the home directory

    Regards,
    Brian

  13. captain badger_fruit Says:

    Hello author
    I was passed your website from the opensuse forums and wanted to say thanks – I am also a noob when it comes to linux. Your guide is very helpful so thank you for putting it into the public domain. I also challenge Jason in finding a UNIQUE guide to ANYTHING on the internet 😉

    Although I’ve not managed to get it working yet (when I ssh user@computer2 I still get prompted for a password), it’s very handy to know about!

    Keep up the great work and have a great day!
    badger

  14. Bernie Mac Says:

    I have to say, SSH was the best thing they ever came out with. You can’t beat its security nor its reliability.
