Passwordless SSH

Passwordless SSH can be accomplished using SSH's public key authentication. To configure passwordless SSH, follow the directions below. Warning: passwordless SSH will make your systems less secure. If you are comfortable with that, the directions below will walk you through server and client configurations. Then, I'll show you how to debug SSH if you encounter problems.

SSHD Server Configuration

First, you must ensure that your SSHD server allows for passwordless authentication using public keys. If you do not have root access to the server, do not worry. By default, public key authentication over protocol 2 is enabled. Skip this step. If you have any problems, contact your System Administrator.

If you have root privileges, edit your system's /etc/ssh/sshd_config and apply the following settings. I suggest you disable protocol 1 RSA key based authentication and leave all other settings alone for now. Visit the man page SSHD_CONFIG(5) for details.

# Disable protocol 1 RSA key based authentication RSAAuthentication no # Protocol 2 public key based authentication PubkeyAuthentication yes # Authorized public keys file AuthorizedKeysFile .ssh/authorized_keys

If you make any changes, save them and restart your SSH server.

service sshd restart

SSH Client Configuration

Now that the server is configured, log into your client system and examine /etc/ssh/ssh_config. This is the SSH client configuration file and you do not need to edit it.

less /etc/ssh/ssh_config

By default, public key authentication over protocol 2 is enabled for clients. You only need to make sure that it is not disabled. If it is, create an ~/.ssh/config to override the /etc/ssh/ssh_config options.

cp -a /etc/ssh/ssh_config ~/.ssh/config

Then edit it and add this to the "Host *" block:

PubkeyAuthentication yes

Create Client Key

With the client in order, you need to create a public and private key pair. The following command will build a DSA key pair. Hit for all questions asked. This will create a DSA key pair in ~/.ssh/. The private key is called id_dsa and the public key is id_dsa.pub.

ssh-keygen -t dsa

Use Key for Authentication

Now that you have a public and private key pair, put the public key on the server you wish to log into without a password. You will need to put the public key inside the server's /home/user/.ssh/authorized_keys file. This file can contain multiple keys, so you generally do not want to just copy over it. Note that the authorized_keys2 file was deprecated in OpenSSH 3.0 (2001).

cat ~/.ssh/id_dsa.pub | ssh user@server "cat - >> ~/.ssh/authorized_keys"

Alternatively, modern releases of SSH have a command to help you copy keys.

ssh-copy-id -i ~/.ssh/id_dsa.pub user@server

Test and Debug SSH

Now, test.

ssh username@server date

If you get prompted for a password, check the server's system logs for clues. You can also enable debugging in /etc/ssh/sshd_config with the following directive.

LogLevel DEBUG

Other options are INFO, VERBOSE, DEBUG2 and DEBUG3. See the man page SSHD_CONFIG(5) for details. For the client, the exact same option can be placed inside a /etc/ssh/ssh_config's Host block. See SSH_CONFIG(5) for client debugging details.

man 5 sshd_config man 5 ssh_config

Comments

Thu, 03/11/2010 - 12:03pm — james lee (not verified)

I love to use SSH for a lot

I love to use SSH for a lot of things. You just have to worry about the security. I have run into issue with it.
boca raton cosmetic sedation dentist

Thu, 03/11/2010 - 1:20am — Webthesurfi Rugs Webdesign (not verified)

I think this is safe.

I think this is safe. BEsides it helps a lot too.

Wed, 03/10/2010 - 7:29pm — Anonymous (not verified)

Wholesale cheap Replica

Wholesale cheap Replica Handbags in Fake Handbags online store, such as Louis Vuitton Handbags, free shipping all the high quality Replica Louis Vuitton Handbags in China, welcome to join us.
In 2010, many people like to buy Louis Vuitton Handbags, but the price is too high, so they have to accept the Replica Louis Vuitton Handbags, so in cities, there are lots of Fake Louis Vuitton Handbags shops. Even the highest price of Louis Vuitton Replica Handbags are lower than the real one.
Tom open a GUCCI Handbags store, but he usually sale the GUCCI Replica Handbags, all the replica GUCCI Handbags are 80% off on sale, so many fashion women like to buying fake GUCCI Handbags in there.

Tue, 03/09/2010 - 11:58pm — replica handbags (not verified)

Miu miu Handbags

Tue, 03/09/2010 - 10:59pm — Webthesurfi Rugs Webdesign (not verified)

Is this safe to have

Is this safe to have passwordless SSH?

Mon, 03/08/2010 - 5:31am — dropshippingwatch (not verified)

fake Alain Silberstein

fake Alain Silberstein watches
Audemars Piguet Watches
replica Audemars Piguet Watches
fake Audemars Piguet Watches
B.R.M Watches
replica B.R.M Watches
Chopard Watches
replica Chopard Watches
fake Chopard Watches
Christian Dior watches
Rolex Yachtmaster
replica Rolex Yachtmaster
fake Rolex Yachtmaster
A.Lange & Sohne watches
replica A.Lange & Sohne watches
fake A.Lange & Sohne watches
Alain Silberstein watches
replica Alain Silberstein watches
fake Alain Silberstein watches
Audemars Piguet Watches
replica Audemars Piguet Watches
fake Audemars Piguet Watches
B.R.M Watches
replica B.R.M Watches
Chopard Watches
replica Chopard Watches
fake Chopard Watches
Christian Dior watches
replica Corum Watches
fake Corum Watches

Sat, 03/06/2010 - 6:27pm — replicahandbag (not verified)

As everyone knows that the

As everyone knows that the Chanel Handbags are popular in the whole world, sell replica Chanel Handbags can get more profit, many people like to sell chanel bags because fashion women love them.
Taking the Prada Handbags to join the big party can show women's fashion, so even the poor people like to buy replica Prada Handbags, so when you walk on the road, you never surprised by so much fake Prada Handbags, do you feel have a Prada replica Handbags is a cool action?
Fashion women love Miu Miu Handbgs, but the price is to high, so many ladies choose Miu Miu replica Handbgs, in the replica Miu Miu Handbgs shops, you will get the popular fake Miu Miu Handbgs that you love.

Sat, 03/06/2010 - 6:16pm — replicahandbag (not verified)

The best GUCC Fashion women

The best GUCC Fashion women love Miu Miu Handbgs, but the price is to high, so many ladies choose Miu Miu replica Handbgs, in the replica Miu Miu Handbgs shops, you will get the popular fake Miu Miu Handbgs that you love.
always provide GUCCI Replica Handbags, and all kinds of replica GUCCI Handbags lower price for sale, the more fake GUCCI Handbags you choose, the cheaper price you get.
As everyone knows that the Chanel Handbags are popular in the whole world, sell replica Chanel Handbags can get more profit, many people like to sell chanel bags because fashion women love them.
Taking the

Mon, 03/01/2010 - 7:40am — replica handbags (not verified)

Balenciaga Handbags replica

Balenciaga Handbags
replica Balenciaga Handbags
fake Balenciaga Handbags
Balenciaga replica Handbags

Sun, 02/28/2010 - 9:04pm — dropshippingwatch (not verified)

rolex Watch replica rolex

rolex Watch
replica rolex watch
fake rolex watch
Rolex Air King Watches

Wed, 02/24/2010 - 1:31am — webthesurfi rugs webdesign (not verified)

# Disable protocol 1 RSA key

# Disable protocol 1 RSA key based authentication
RSAAuthentication no
# Protocol 2 public key based authentication
PubkeyAuthentication yes
# Authorized public keys file
AuthorizedKeysFile .ssh/authorized_keys

Sat, 06/20/2009 - 12:47am — ankur pachauri (not verified)

instead of dsa use rsa

instead of dsa use rsa method
steps are:.......

1. > ssh-keygen -t rsa

When asked for a passphrase, leave it blank, press enter to continue.

This will create 2 files in your $(HOME)/.ssh directory: id_rsa and id_rsa.pub. They are the public and private rsa keys.

2. Rename the newly created id_rsa.pub to authorized_keys in the $(HOME)/.ssh directory.

You should now be able to ssh into the local machine without having to provide a password.

Run the above two commands on each machine in the cluster. Copy the contents (not the actual file) of the id_rsa.pub file to the authorized_keys file on the master (or first machine) you ran these commands on. You should now have an authorized_keys file that contains the key from each machine.

Copy this file to $(HOME)/.ssh to each node in the cluster. Every node should now be able to ssh into every other node (including itself) without prompting for a password.

original link is :
http://markmail.org/message/tzeod353nyo327lh

Thu, 04/16/2009 - 1:35am — ankur pachauri (not verified)

i have done uptill the

i have done uptill the step

LogLevel DEBUG

but ultimately that's not working

Fri, 01/16/2009 - 8:53am — Jeff McCune (not verified)

Your statement, "Warning:

Your statement, "Warning: passwordless SSH will make your systems less secure." is not necessarily correct. SSH public key authentication will increase security when used correctly. The risk of obtaining access through a key logger is reduced, as is over-the-shoulder observation of your password as it's entered.

Mon, 01/19/2009 - 5:03am — Anonymous (not verified)

It's dangerous because of

It's dangerous because of implicit trust. If the local workstation user account is compromised, all remotes are compromised as well.

Mon, 02/08/2010 - 3:18pm — Guille (not verified)

That happens only if you

That happens only if you left passwordless your private key. That's why it always should be used a passphrase when you create the key par. If it turns out annoying to be typing your passphrase each time you wanna login into a server, you can load it to the memory with the command ssh-add. Once in memory, when you connect to a remote server it may seems you're connecting without any authentication, but now we know that's not true. This "ssh-add" works only if you type it when you're logged localy, and the passphrase (of course) remains only in memory during the current session.

HACKTUX notes from the trenches

Recent Posts