Friday, May 20, 2011

SSH without password

Ever since I joined IISc, ssh-ing into other machines seems to be a daily task. It's hard to type in passwords every time. So this is what I did to avoid typing passwords for ssh.

Let's call the machine you are connecting from "home", with your user name "homeuser", and the machine you are connecting to "server", with your user name "serveruser". Please note that if the account on your "home" computer is compromised, the attacker can effectively log in to "server" as well. So use this with caution.

First you have to generate an RSA public/private key pair. The public key will be placed on the server computer so that it can identify your computer when you ssh to it. Thankfully, Linux installations come with all the tools that you need to do this. So all you have to do to generate this key pair is open a terminal on "home" and type:
homeuser@home:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/homeuser/.ssh/id_rsa):
Created directory '/home/homeuser/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/homeuser/.ssh/id_rsa.
Your public key has been saved in /home/homeuser/.ssh/id_rsa.pub.
The key fingerprint is:
3e:4f:05:79:3a:9f:96:69:bf:89:0a:37:16:e9:25:e2 homeuser@home
Next you have to copy the public key stored in "/home/homeuser/.ssh/id_rsa.pub" to "server". For this, first create the .ssh directory on "server" by ssh-ing to it (don't worry if the directory is already there):
homeuser@home:~$ ssh serveruser@server mkdir -p .ssh
serveruser@server's password:
Next, copy the public key from "home" to "server":
homeuser@home:~$ cat .ssh/id_rsa.pub | ssh serveruser@server 'cat >> .ssh/authorized_keys'
serveruser@server's password:
Now you are done. Try ssh-ing to the server and you will be directly greeted with a prompt:
homeuser@home:~$ ssh serveruser@server
serveruser@server:~$
Please note that:
  • This method effectively identifies your "home" computer to the "server", so if your account on "home" is compromised, immediately delete the corresponding key from .ssh/authorized_keys on the "server".
  • You have to do this every time you install a new OS on "server" or "home".
  • I have only tested this on the machines that I use ... so this should work well on Fedora, Ubuntu and Mac. Sometimes your version of ssh might differ and you might have to put the public key in ".ssh/authorized_keys2" and change its file permissions to 640 and change the file permissions of ".ssh" to 700.
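The key installation and the "delete the corresponding key" step from the notes above, written as functions to run on "server". This is an added example, not part of the original post; the function names, the AUTH_FILE override and the choice of mode 600 for authorized_keys are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Run on "server" as serveruser.
# AUTH_FILE can be overridden to rehearse on a scratch copy first.
AUTH_FILE="${AUTH_FILE:-$HOME/.ssh/authorized_keys}"

# key_blob LINE: print the base64 key material (field 2 of an id_rsa.pub line).
key_blob() { printf '%s\n' "$1" | awk '{ print $2 }'; }

# has_key BLOB: succeed if any field of any line in AUTH_FILE equals BLOB exactly.
has_key() {
    awk -v b="$1" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 }
                   END { exit !f }' "$AUTH_FILE"
}

# install_key PUBKEY_LINE: append the key once, never overwrite other keys,
# and keep .ssh at 700 and the key file at 600 (not group/world writable).
install_key() {
    dir=$(dirname "$AUTH_FILE")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$AUTH_FILE" && chmod 600 "$AUTH_FILE"
    blob=$(key_blob "$1")
    [ -n "$blob" ] || return 1
    if ! has_key "$blob"; then
        printf '%s\n' "$1" >> "$AUTH_FILE"
    fi
}

# revoke_key PUBKEY_LINE: remove every line carrying that key, keep the rest.
# The new file is written beside the old one and moved into place.
revoke_key() {
    [ -f "$AUTH_FILE" ] || return 0
    blob=$(key_blob "$1")
    [ -n "$blob" ] || return 1
    tmp=$(mktemp "$AUTH_FILE.XXXXXX") || return 1
    awk -v b="$blob" '{ keep = 1
                        for (i = 1; i <= NF; i++) if ($i == b) keep = 0
                        if (keep) print }' "$AUTH_FILE" > "$tmp"
    chmod 600 "$tmp" && mv "$tmp" "$AUTH_FILE"
}

# count_keys: number of lines that are neither blank nor comments.
count_keys() {
    grep -cv -e '^[[:space:]]*$' -e '^#' "$AUTH_FILE" || true
}
```

Matching on the key material rather than the trailing comment means a key is still found if its "homeuser@home" label was edited or if options were prepended to the line.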
Thanks for reading through. If you have any further questions/comments, just post them here.

Edit [2011-09-30] For all the lazy people (like me) out there, here is a simple one-liner that will do the same trick. Just type in the server password twice when the terminal asks. Note that scp replaces any existing authorized_keys on "server" instead of appending to it, and that the mkdir command is quoted so that ~ expands on "server" rather than on "home".
ssh-keygen -t rsa; ssh-keygen -y; ssh serveruser@server 'mkdir -m 700 -p ~/.ssh'; scp ~/.ssh/id_rsa.pub serveruser@server:~/.ssh/authorized_keys
This simple and very effective one-line idea was given to me by my colleagues at Amazon.
