Faster SSH logins


I’ve used ssh to connect to various unix machines here in the office for years, but only today did I implement a method that eliminates the need for my password. Unix/Security gurus will assume I’m an idiot for taking so long to figure this out, but that’s the problem with teaching yourself everything—sometimes you just don’t know a good place to start so it takes a little longer. On the chance that there’s another soul out there who hasn’t yet stumbled upon this technique, I offer today’s tip:

How to enable public/private key authentication for ssh login

I’ll describe how it’s done from my desktop (a G5 running OS X 10.4) but it’s almost the same for a Linux or Solaris box—can also be done from Windows to Unix but I won’t get into that here.

Goal:
When at the $ prompt on my local machine, I want to type ssh mutex {return} and automatically log into mutex.gmu.edu without having to enter a password.

How?
On your desktop machine, open a terminal window. You want to run the ssh-keygen command which may reside in a variety of locations.

Mac OS X  /usr/bin/ssh-keygen
SuSE 9 Linux  /usr/bin/ssh-keygen
Solaris 8   /usr/local/bin/ssh-keygen

If you’re having problems finding it, just type:

find / -name ssh-keygen {return}

Here’s what happens on Mac OS X: the first line is the command I typed and the rest are the machine’s responses. You just hit return at each prompt (don’t enter a password!).

/usr/bin/ssh-keygen -t rsa {return}
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/wallyg/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/wallyg/.ssh/id_rsa.
Your public key has been saved in /Users/wallyg/.ssh/id_rsa.pub.
The key fingerprint is:
one more line displays showing the key…which I’ve omitted…

Two files were created by this process and each was placed in the .ssh directory below your home directory (e.g., in my case on this Mac the files are placed in /Users/wallyg/.ssh/).

id_rsa  your private key
id_rsa.pub  your public key

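Leave the id_rsa file alone: because it was created with an empty passphrase, anyone who can read that file can log in as you, so it should never leave this machine. The id_rsa.pub file is the one to copy, into the /home/YourUserName/.ssh directory on any host you wish to connect to from the user/host combination that created the keys.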

1. Using either sftp or some other secure method, move the id_rsa.pub file over to each host you want to connect to. It needs to go into the /home/yourusername/.ssh directory of any host you want to add to your ‘password-less’ login group. Yes, you’ll have to enter a password during this process but we’re getting close to the time when that’s a thing of the past.

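2. Once you’ve put the file in the .ssh directory, you need to rename it. The id_rsa.pub file needs to be called authorized_keys.
One method is the mv command, which replaces any authorized_keys file that is already there:

$ mv id_rsa.pub authorized_keys {hit return}

Here’s another, which appends the key to an existing authorized_keys file (or creates the file if there isn’t one):

$ cat id_rsa.pub >> authorized_keys {hit return}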

Now, just to be safe, change the permissions on this file so other users on the system can’t view or modify it:

$ chmod 600 authorized_keys {return}

That’s it. If you log out and then log in again, you’ll discover that you no longer get prompted for a password.
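
Steps 1 and 2 above, run on the remote host as one shell function. This is an added example, not part of the original post; install_pubkey and its arguments are names made up for it. It appends the key without duplicating it, refuses a private key copied over by mistake, and sets the permissions sshd expects.

```sh
#!/bin/sh
# Added example: authorize a copied public key on the host you log in to.
# install_pubkey is a hypothetical helper, not an OpenSSH command.
# Usage after sourcing this file: install_pubkey id_rsa.pub [ssh_dir]

install_pubkey() {
    pub=$1                       # path to the copied id_rsa.pub
    dir=${2:-$HOME/.ssh}         # target directory, defaults to ~/.ssh
    auth=$dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Refuse anything that looks like a private key: only the .pub file
    # should ever leave the machine that generated the pair.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a private key, refusing" >&2
        return 2
    fi

    # A public key line starts with its type, e.g. "ssh-rsa AAAA... comment".
    key=$(head -n 1 "$pub")
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "$pub does not look like a public key" >&2; return 3 ;;
    esac

    # sshd (with its default StrictModes setting) ignores authorized_keys
    # when the directory or file is writable by other users.
    mkdir -p "$dir" && chmod 700 "$dir" || return 4
    touch "$auth" && chmod 600 "$auth" || return 4

    # Append only if this exact line is not already present, so running
    # the function twice does not duplicate the entry.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}
```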

This technique will save you several hundred keystrokes per week (no big deal, really) but your password never again goes across the net (a much bigger deal). A spin-off benefit for system administrators—cron scripts, ftp transfers, backups and other tasks where you might not be around to issue the login password are now able to be scripted across machines.

If this description doesn’t work for your particular setup, you’ll find much more information about ssh and how it can be configured at www.openssh.org