Performing SSH without a password can be more convenient for the user, and some applications (such as Longbow) require this feature to operate properly. This has security ramifications: if a malicious user is able to obtain your private key, they are then able to log into any machine that uses your key. Users should take the necessary steps to safeguard their private key. This guide assumes that users are using a Unix or Unix-like environment on their local machine and that they are interested in password-less SSH rather than one-time passwords etc.
The first step in setting up password-less SSH is to generate a local (on your machine) key pair. Most Unix environments will have the ssh-keygen utility installed out of the box for this. The quickest and easiest way to use it is to simply run the tool without any arguments:
This will result in the following output:
juan@trique-ponee:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/juan/.ssh/id_rsa):
Created directory '/home/juan/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/juan/.ssh/id_rsa.
Your public key has been saved in /home/juan/.ssh/id_rsa.pub.
The key fingerprint is:
1a:13:f5:77:7c:32:ea:00:42:4c:99:a8:59:1d:6e:17 juan@trique-ponee
The key's randomart image is:
+--[ RSA 2048]----+
| =++E |
| oo=. o . |
| + = o . . = .|
| o . + . . o + |
| o S . . |
| + o |
| . . |
| |
| |
+-----------------+
As part of this output, there will be a couple of questions. The first asks for a file name for your key pair. In this example we will leave this blank, and you should get two files (the key pair) called id_rsa and id_rsa.pub. You can use a different name here, but if you do, remember to substitute the name you used when following the rest of this guide. Users might want to do this to increase security by having a number of key pairs for different machines. The second and third questions relate to the pass-phrase. In our example we are leaving this blank for true password-less SSH, so just press enter and move on. The security-conscious user might want to look into one-time passwords for SSH, since this can be configured so that a pass-phrase is entered once a day, for example.
Now you should have your key pair. It should reside in ~/.ssh/ and consist of id_rsa and id_rsa.pub. That is it: you have generated your key pair and are ready to transfer the public key to your remote machine.
Once you have generated your key pair, or if you already have one from previously, you should copy your public key (the one with the .pub extension) to the machine that you would like to log in to without a password. There are two ways to do this, both being easy to do. Most Linux distributions come with ssh-copy-id for copying SSH keys to other machines. Apple macOS doesn't seem to ship with this, so a manual copy is likely required.
The ssh-copy-id utility is particularly helpful since it handles most of the quirks that beginner users might be unfamiliar with. To get started copying, you'll need to run something like this:
juan@trique-ponee:~$ ssh-copy-id firstname.lastname@example.org
That should be it. You should now be able to SSH into your remote machine without a password!
If you have to do this step manually, then you should first SSH into the remote machine normally and check whether the ".ssh" directory exists under your user home directory. If it does not, you'll need to make it using mkdir. If you have to make this directory, you might run into complications later with the permissions on it (see the quirks section if this happens). Once everything is in order, run the following from your local machine:
juan@trique-ponee:~$ cat .ssh/id_rsa.pub | ssh email@example.com 'cat >> .ssh/authorized_keys'
Some weird problems can occur when setting up password-less SSH. Sometimes they are beyond your control as a user, but at other times they can be fixed by understanding what has gone wrong. The following quirks are some that have been encountered.
1. On some operating systems ssh-copy-id uses a different default filename from the one that the ssh-keygen utility uses. In this case you just have to specify the default filename that ssh-keygen uses (usually id_rsa.pub) as a command-line option to ssh-copy-id using:
2. On some machines the configuration can be problematic for users who are not used to doing things on Linux. Sometimes the following can cause problems:
- The .ssh directory is missing from the home directory on the remote machine - create it with mkdir.
- The .ssh directory has the wrong permissions - use chmod to make it 700.
- The .ssh/authorized_keys is missing - create it either manually or just generate a dummy set of keys on the remote machine.
- The .ssh/authorized_keys has the wrong permissions - use chmod to make it 640.
- The configuration uses .ssh/authorized_keys2 - make sure you place your keys here instead and that none of the above issues apply.
3. If you see a message like "Agent admitted failure to sign using the key." then you need to add your key identity to the authentication agent, ssh-agent, by executing the following command:
juan@trique-ponee:~$ ssh-add ~/.ssh/id_rsa
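The remote-side steps of the manual copy and the permission fixes from quirk 2, gathered into one script that can be run more than once. This is an added example, not part of the original guide; the function names install_pubkey, check_ssh_perms and mode_of are made up for illustration, and the modes 700 and 640 are the ones this guide gives.

```shell
#!/bin/sh
# Added example, not part of the original guide. Run on the remote machine.

# Octal permission bits of a path (GNU stat first, then BSD/macOS stat).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# install_pubkey HOME_DIR PUBKEY_FILE
# Manual copy step plus the fixes from quirk 2; safe to run repeatedly.
install_pubkey() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir=$home_dir/.ssh
    auth=$ssh_dir/authorized_keys

    # A public key is one line: "type base64-blob [comment]". Anything else
    # (for example a private key uploaded by mistake) is refused.
    key=$(head -n 1 "$pubkey_file") || return 1
    case $key in
        ssh-*\ *|ecdsa-*\ *) ;;
        *) echo "not a public key: $pubkey_file" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir" || return 1
    [ -e "$auth" ] || : > "$auth"
    # Append only when this exact line is not already present.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    chmod 640 "$auth"    # mode given in this guide
}

# check_ssh_perms HOME_DIR
# Prints one line per problem and returns 1 if any was found.
check_ssh_perms() {
    ssh_dir=$1/.ssh
    rc=0
    [ -d "$ssh_dir" ] || { echo "missing: $ssh_dir"; return 1; }
    [ "$(mode_of "$ssh_dir")" = 700 ] || { echo "$ssh_dir is not 700"; rc=1; }
    if [ -e "$ssh_dir/authorized_keys" ]; then
        # Group- or world-writable key files are the dangerous case.
        m=$(mode_of "$ssh_dir/authorized_keys")
        [ $(( 0$m & 022 )) -eq 0 ] || { echo "authorized_keys is $m"; rc=1; }
    else
        echo "missing: $ssh_dir/authorized_keys"; rc=1
    fi
    return $rc
}
```

Source the script on the remote machine, then call install_pubkey "$HOME" with the path of the uploaded .pub file, followed by check_ssh_perms "$HOME".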
If you require assistance with setting this up on a HEC resource then post for support in our forums.