Faster SSH logins


I’ve used ssh to connect to various unix machines here in the office for years, but only today did I implement a method that eliminates the need for my password. Unix/Security gurus will assume I’m an idiot for taking so long to figure this out, but that’s the problem with teaching yourself everything—sometimes you just don’t know a good place to start so it takes a little longer. On the chance that there’s another soul out there who hasn’t yet stumbled upon this technique, I offer today’s tip:

How to enable public/private key authentication for ssh login

I’ll describe how it’s done from my desktop (a G5 running OS X 10.4) but it’s almost the same for a Linux or Solaris box—can also be done from Windows to Unix but I won’t get into that here.

Goal:
When at the $ prompt on my local machine, I want to type ssh mutex {return} and automatically log into mutex.gmu.edu without having to enter a password.

How?
On your desktop machine, open a terminal window. You want to run the ssh-keygen command which may reside in a variety of locations.

Mac OS X       /usr/bin/ssh-keygen
SuSE 9 Linux   /usr/bin/ssh-keygen
Solaris 8      /usr/local/bin/ssh-keygen

If you’re having problems finding it, just type:

find / -name ssh-keygen {return}

Here’s what happens on Mac OS X (the first line is what you type; the lines after it are the machine’s responses). You just hit return at each prompt (don’t enter a password!).

/usr/bin/ssh-keygen -t rsa {return}
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/wallyg/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/wallyg/.ssh/id_rsa.
Your public key has been saved in /Users/wallyg/.ssh/id_rsa.pub.
The key fingerprint is:
one more line displays showing the key…which I’ve omitted…

Two files were created by this process and each was placed in the .ssh directory below your home directory (e.g., in my case on this Mac the files are placed in /Users/wallyg/.ssh/).

id_rsa       your private key
id_rsa.pub   your public key

Leave the id_rsa file alone but you need to copy the id_rsa.pub file to the /home/YourUserName/.ssh directory on any host you wish to connect to when using the user/host combination that created the keys.

1. Using either sftp or some other secure method, move the id_rsa.pub file over to each host you want to connect to. It needs to go into the /home/yourusername/.ssh directory of any host you want to add to your ‘password-less’ login group. Yes, you’ll have to enter a password during this process but we’re getting close to the time when that’s a thing of the past.

2. Once you’ve put the file in the .ssh directory, you need to rename it. The id_rsa.pub file needs to be called authorized_keys.
One method is the mv command:

$ mv id_rsa.pub authorized_keys {hit return}

Here’s another:

$ cat id_rsa.pub >> authorized_keys {hit return}

Now, just to be safe, change the permissions on this file so other users on the system can’t view or modify it:

$ chmod 600 authorized_keys {return}

That’s it. If you log out and then log in again, you’ll discover that you no longer get prompted for a password.
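An added example, not from the original post or from OpenSSH: a small POSIX sh function that does steps 2 and 3 on the target host in one go. It appends rather than renames, so a key from a second workstation (the case raised in the comments) is added without wiping the first, it skips a key that is already present, and it sets the directory and file permissions sshd expects before it will honour the file. The names install_pubkey and count_authorized_keys are chosen here, and the key lines in the self-test are constructed, not real keys.

```shell
#!/bin/sh
# Added example (not the post's own commands): install a public key into a
# user's authorized_keys safely.  The post's "mv" method replaces any existing
# authorized_keys, dropping keys from other workstations; this appends, skips
# exact duplicates, and sets the permissions sshd checks under StrictModes.
#
# Run it ON the target host after copying id_rsa.pub over with sftp, e.g.:
#   install_pubkey ~/id_rsa.pub            # installs into $HOME/.ssh
# The optional second argument (home directory) lets the self-test run
# against a scratch directory instead of a real account.
set -u

install_pubkey() {
    pubkey="$1"
    home="${2:-$HOME}"
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"

    # Refuse anything that is not a single OpenSSH public-key line
    # (keytype, base64 blob, optional comment).  Catches a copied private key.
    lines=$(wc -l < "$pubkey" | tr -d ' ')
    if [ "$lines" -gt 1 ] || \
       ! grep -Eq '^(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$pubkey"; then
        echo "install_pubkey: $pubkey is not a one-line public key" >&2
        return 1
    fi

    # sshd ignores ~/.ssh and authorized_keys if they are group/world writable.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth" || return 1

    # Append only if this exact line is not already there (safe to re-run).
    # Command substitution strips any trailing newline; printf adds exactly one.
    key=$(cat "$pubkey")
    if grep -qxF "$key" "$auth"; then
        echo "install_pubkey: key already authorized, nothing to do"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "install_pubkey: key appended to $auth"
    fi
    return 0
}

# Number of key lines currently authorized for the given home directory.
count_authorized_keys() {
    auth="${1:-$HOME}/.ssh/authorized_keys"
    [ -f "$auth" ] || { echo 0; return 0; }
    grep -c '^[a-z]' "$auth" || true
}
```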

This technique will save you several hundred keystrokes per week (no big deal, really) but your password never again goes across the net (a much bigger deal). A spin-off benefit for system administrators—cron scripts, ftp transfers, backups and other tasks where you might not be around to issue the login password are now able to be scripted across machines.

If this description doesn’t work for your particular setup, you’ll find much more information about ssh and how it can be configured at www.openssh.org.

6 thoughts on “Faster SSH logins”

  1. Dorothea Salo

    This rocks.

    Possible/sensible to put the private key on other workstations (e.g. the PowerBook) also? Or should each machine have its own keypair?

  2. Wally Post author

    You should generate a new key for each machine where you originate a session.

    Sorry that I didn’t make that clear in my post and didn’t mention at all what to do when you have more than one machine you want to use to connect to a third machine.

    Here’s what you do:

    For each machine you want to originate sessions on, generate the two files as mentioned in the original post. Then take the id_rsa.pub file and instead of renaming it authorized_keys2 on the third machine, add the contents of the id_rsa.pub file (it’s a plain text file) as a new line in the now already existing authorized_keys2 file.

  3. Andrew Ross

    You might also like to check out SSHKeychain (http://www.sshkeychain.org/), which is a nifty OS X-native app for managing ssh keys and tunnels, complete with keychain integration.

    After switching from Linux, SSHKeychain was the first application I installed on my shiny new Powerbook, and now I’m not sure I could live without it!

  4. Pingback: Dan Cohen’s Digital Humanities Blog » Blog Archive » Creating a Blog from Scratch, Part 1: What is a Blog, Anyway?

  5. Nick G

    Very nice tutorial. You opened my eyes to a wider world. What about security, though? If someone can access your account, they can access all machines with the key, without using a password.

  6. Wally

    Yes, you’re right. If someone got access to your machine and was able to log in as you (to get into your account), then they could get into other machines as well. I suppose that would be a reason not to implement the ssh login as I described it here–but then, you’d have to say that if other people are going to be getting access to your account, you need to do something about that.
