Howto: SSH without a password

September 24, 2007

When working with many machines or many secure shell terminals, it can become tedious and error prone to have to type a password each time. This gets worse if you’re like many admins and have a different password for each box. Luckily, OpenSSH includes shared key authentication for passwordless ssh.

• Step One: Create a Private/Public Key pair

---

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mshade/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mshade/.ssh/id_rsa.
Your public key has been saved in /home/mshade/.ssh/id_rsa.pub.
The key fingerprint is:
8b:f0:81:b5:3b:61:4e:2b:39:dc:4b:02:69:03:9d:88


---

For truly passwordless (and passphraseless) access, just hit enter when prompted for a passphrase. You can accept the default for the locations of the keys, but note them for the next step as they can differ betwen distro and OpenSSH configuration.

• Step Two: Copy the public key to the remote servers you desire passwordless access to

---

$ scp .ssh/id_rsa.pub server.example.com:/home/mshade/.ssh/
mshade@server.example.com's password:
id_rsa.pub 100% 394 0.4KB/s 00:00


---

Replace .ssh/id_rsa.pub with the location of your public key, and the remote server for our example server. Also personalize your username, of course. Unless you’re my evil twin. If the .ssh directory doesn’t yet exist on the remote server, you’ll get an error. Never fear, simply remove that portion of the path to copy it to your home. We’ll deal with that in our next step.

• Step Three: Add our public key to the authorized_keys file on the remote machine

For this step, open a session on the remote machine.

---


$ ssh server.example.com


---

And then, we add the key to authorized_keys and secure our .ssh subdirectory. Create .ssh if it does not yet exist.

---


$ cd .ssh
$ cat id_rsa.pub >> authorized_keys
$ rm id_rsa.pub
$ chmod 700 .
$ chmod 600 authorized_keys


---

Note: Some versions of OpenSSH will not allow passwordless authentication if permissions are too relaxed on the .sshdirectory or authorized_keys file. If this isn’t working for you, check permissions first.
That’s it! You should now be able to simply execute ssh server.example.com and have an open session with no password. If you’re still prompted for a password, here are some things to troubleshoot.

• Troubleshooting

I’m still prompted for a password!
Things to check:
- Did you enter a blank passphrase (hit enter) when you created your key?
- Does the server allow passwordless authentication? To check, look for these directives in /etc/ssh/sshd_config. This file may lay elsewhere on your filesystem, and you will probably need root access to view it.

---


PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys


---

– Are your permissions correct on .ssh and .ssh/authorized_keys? They should be 700 (-rwx——) for .ssh and 600 (-rw——-) for authorized_keys.
- Are you connecting as the same user on the remote machine? If not, simply substitute the remote user at the time you copy id_rsa.pub to the remote machine. Like so:

---


$ scp .ssh/id_rsa.pub otheruser@server.example.com:/home/otheruser/.ssh/


---

Questions? Comments?
A more in depth look at public key authentication can be found at this IBM resource.

Posted in blog entries