Pedro Assunção

SSH login without password (authorized_keys)

I know that a lot of people covered this in the past but, since I also use this blog as a vault for tips that I might forget in the future, here’s how to make ssh not require you to enter a password when connecting to another machine:

Step 1: Generate your public and private ssh keys on the client computer (the one you are accessing FROM):

  • Run the ssh-agent command. This will print out a bunch of information like the SSH agent connect socket and process id. You don’t need to know any of it, thankfully :)
  • Run the ssh-keygen command. It will ask you for a passphrase for your key file. According to the MAN documentation for ssh-keygen, host keys must have an empty passphrase, so just leave it blank (i.e. press enter twice) for no passphrase. Read the update below, about the passphrase.

Here’s an example of the commands and their output so far:

void@localhost:~$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-RAMZT14968/agent.14968; export SSH_AUTH_SOCK;
SSH_AGENT_PID=14969; export SSH_AGENT_PID;
echo Agent pid 14969;
void@localhost:/~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/void/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/void/.ssh/id_rsa.
Your public key has been saved in /home/void/.ssh/id_rsa.pub.
The key fingerprint is:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx void@localhost
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|   x   x         |
|    x   x        |
|     x x         |
|    . x xx       |
|     x x x       |
|    x x  x       |
|   xxx..         |
|   xxxxxx        |
+-----------------+

The key’s fingerprint and randomart image will be different, of course, but it’s not really that relevant anyways.

Step 2: Now, the previous command will generate a couple of files under /home/<your_username>/.ssh. They are the public and private key files. The one you are interested in is the public one. If you do a cat ~/.ssh/id_rsa.pub you will see something like this:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuqjnglf3wVE0wlLf3VJBIGVN6oZiPARy0oyJnCYtjd2No+kvaExR60cC5f7EvqHPeKiyQd4VBxZixta5R0ilX6wxhNqmI/J1vbXrlZqwe4Iewjd9p0cMlu5qdEzeFs1ImDWbfRl8W5hv5jV4AelIMPYg3FeOnEPM21wQgZb12Z+C+So6mFsHmxtz7b33JyqFXE45t0qscJwPYVBkYAFJFvO20ZgtqUer7/AnSEN+p3gP0ATbIzROR4r3C1gtqykIpQmdTKkbZWWP3OOAwDuLfyMYwNir8FFK7/VALPH2pb79ogaiEMNB71teoktXshiM1/h1shdwtXZcBAjweUgj6w== void@localhost

Step 3: This is your public key. Copy this string into a file called ~/.ssh/authorized_keys on the machine you want to connect to. The file might or might not exist. If it doesn’t, create it and add that line to it. If it already exists, just append that line after the others in there (if any). Those are just the keys of other people who also access the machine.

Step 4: Log out of the target machine and try to ssh again. It should no longer ask you for a password :)
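Step 3 done by script on the target machine, as an added example that is not part of the original post. The function name install_pubkey and the optional directory argument are assumptions made for illustration; it checks that the file really holds a public key, sets the permissions sshd expects, and does not add the same key twice.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into
# authorized_keys as Step 3 describes, but validated and idempotent.
# Usage: install_pubkey PUBKEY_FILE [SSH_DIR]   (SSH_DIR defaults to ~/.ssh)

install_pubkey() (
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    # A public key is one line: "<type> <base64 blob> [comment]".
    line=$(grep -v '^[[:space:]]*$' "$pub" | head -n 1)

    # Reject private keys and malformed input before touching anything.
    if ! printf '%s\n' "$line" | grep -Eq \
        '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$'
    then
        echo "install_pubkey: $pub does not look like a public key" >&2
        exit 2
    fi
    blob=$(printf '%s\n' "$line" | cut -d' ' -f2)

    # sshd (StrictModes) ignores keys in group/world-writable locations.
    umask 077
    mkdir -p "$dir" && chmod 700 "$dir" || exit 1
    touch "$auth" && chmod 600 "$auth" || exit 1

    # Match on the blob so a changed comment does not create a duplicate.
    if grep -qF -- "$blob" "$auth"; then
        echo "key already present in $auth"
        exit 0
    fi

    # Make sure the existing file ends with a newline, then append.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$line" >> "$auth"
    echo "key added to $auth"
)

# Run directly: sh install_pubkey.sh id_rsa.pub [dir]
if [ "$#" -gt 0 ]; then install_pubkey "$@"; fi
```

If key login still prompts for a password afterwards, check that the home directory itself is not writable by group or others, since sshd applies the same permission test there.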

UPDATE: As a lot of people pointed out some things that were wrong/poorly explained, here’s an update:

  • There is a nicer way of doing all of this:
    • Use ssh-keygen to generate the key
    • Use a very handy script (available in most distributions) to copy the key and append it to authorized_keys automatically: ssh-copy-id user@host. If you are running sshd on a different port you can do it like so: ssh-copy-id 'user@host -p1337'
    • In case your OS does not have this script, you can get it here.
  • Always use a passphrase when generating the key. Read this comment thread for more info.
  • A lot of newer systems prefer SSH2. On key generation do ssh-keygen -t dsa. The only (superficial) difference is that the public key will be called id_dsa.pub, instead of id_rsa.pub. Actually SSH2 already supports RSA, so ignore that and go with the default ;) . Apparently there are some reasons why you would want to go with RSA (default) in the first place.
  • To avoid entering your passphrase every time you connect, make sure the ssh-agent is running and do an ssh-add to add your key to it. That way you don’t need to enter your passphrase again for the duration of that session.
  • For a more in-depth article on SSH, check this out.



17 Comments

  1. dokma says:

    It's nice to know some nifty little tricks where you can use the SSH passwordless login. Check this article for a few: http://www.docplanet.org/linux/ssh-login-without-…

  2. Sayantan says:

    Hi,

    I am not able to log in without a password. It still asks me for one. I have followed the exact steps you told me to do.

    My client ssh version is
    OpenSSH_5.2p1, OpenSSL 0.9.8k-fips 25 Mar 2009

    My server ssh version is
    OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003

    The keys match perfectly on the client and the server machines.

    I don't know if I am missing something.

    Thanks in advance

  3. Serge Chevarie-Pelletier says:

    On Ubuntu, if you use your login password as your key passphrase, you won’t need to load ssh-agent or the key as it will automatically do it for you.

  4. yungchin says:

    I guess it’s distro-specific when ssh-agent is started, so I don’t know.

    As for the DSA-key instead of the RSA-key as you wrote in the update: I think that is old advice. SSH2 now also supports RSA. It may even be the preferred choice.

  5. Derek Sivers says:

    A lot of newer systems prefer SSH2 instead of SSH(1).

    So in step 1, instead type:
    ssh-keygen -t dsa

    Then in step 2, it will be called id_dsa.pub (instead of id_rsa.pub)

    Other than that, no difference except SSH2 is recommended, so might as well use it.

  6. Tom says:

    I found that I need to type ‘ssh-agent bash’ on Ubuntu, before connecting using ssh

  7. nogoma says:

    Actually, you do want to include a passphrase on your ssh key; the “host key” referred to in the manpage is the pub/priv keypair that lives at /etc/ssh/ and the server uses to identify itself to clients, not your personal keypair [1]. Of course, in adding a passphrase, you’ll have to input it each time you use the key (connect to the remote host) unless you use something like ssh-agent+keychain [2].

    [1] http://www.securityfocus.com/infocus/1806
    [2] http://www.gentoo.org/proj/en/keychain/

    • Pedro Assuncao says:

      @nogoma: Thanks for the clarification. I thought they meant the host you are connecting to. But I think I always leave it without so I don’t have to type anything :)

  8. yungchin says:

    Forgot to mention that you might like this: I always go back to these notes for ssh stuff.

  9. yungchin says:

    “…According to the MAN documentation for ssh-keygen, host keys must have an empty passphrase, so just leave it blank…”

    Actually, this is not a host key you’re generating, it’s a client key (you use it to log into a host). You’re better off using a non-empty passphrase, as an extra barrier to misuse in case you lose the private-key file.

    You would only have to type the passphrase very seldom – that’s what ssh-agent is for.

    • Pedro Assuncao says:

      @yungchin: I see, but is the ssh-agent running on startup by default then? Because some people complain that they need to start ssh-agent by hand sometimes :(
