In this article, I’ll explain how to perform ssh and scp without entering the password using the SSH Public Key authentication with SSH Agent on openSSH
There are two levels of security in the SSH key based authentication. In order for you to login, you need both the private key and the passphrase. Even if one of them is compromised, attacker still cannot login to your account, as both of them are needed to login. This is far better than typical password based authentication, where if the password is compromised, attacker can gain access to the system.
There are two ways to perform ssh and scp without entering the password:
- No passphrase. While creating key pair, leave the passphrase empty. Use this option for the automated batch processing. for e.g. if you are running a cron job to copy files between machines this is suitable option.
- Use passphrase and SSH Agent. If you are using ssh and scp interactively from the command-line and you don’t want to use the password everytime you perform ssh or scp, I don’t recommend the previous option (no passphrase), as you’ve eliminated one level of security in the ssh key based authentication. Instead, use the passphrase while creating the key pair and use SSH Agent to perform ssh and scp without having to enter the password everytime as explained in the steps below.
Following 8 steps explains how to perform SSH and SCP from local-host to a remote-host without entering the password on openSSH system
1. Verify that local-host and remote-host is running openSSH
[local-host]$ ssh -V OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006 [remote-host]$ ssh -V OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
2. Generate key-pair on the local-host using ssh-keygen
[local-host]$ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/jsmith/.ssh/id_rsa):<Hit enter> Enter passphrase (empty for no passphrase): <Enter your passphrase here> Enter same passphrase again:<Enter your passphrase again> Your identification has been saved in /home/jsmith/.ssh/id_rsa. Your public key has been saved in /home/jsmith/.ssh/id_rsa.pub. The key fingerprint is: 31:3a:5d:dc:bc:81:81:71:be:31:2b:11:b8:e8:39:a0 jsmith@local-host
The public key and private key are typically stored in .ssh folder under your home directory. In this example, it is under /home/jsmith/.sshd. You should not share the private key with anybody.
By default the ssh-keygen on openSSH generates RSA key pair. You can also generate DSA key pair using: ssh-keygen -t dsa command.
3. Install public key on the remote-host.
Copy the content of the public key from the local-host and paste it to the /home/jsmith/.ssh/authorized_keys on the remote-host. If the /home/jsmith/.ssh/authorized_keys already has some other public key, you can append this to the end of it. If the .ssh directory under your home directory on remote-host doesn’t exist, please create it.
[remote-host]$ vi ~/.ssh/authorized_keys
ssh-rsa ABIwAAAQEAzRPh9rWfjZ1+7Q369zsBEa7wS1RxzWR jsmith@local-host
In simple words, copy the local-host:/home/jsmith/.ssh/id_rsa.pub to remote-host:/home/jsmith/.ssh/authorized_keys
4. Give appropriate permission to the .ssh directory on the remote-host.
[remote-host]$ chmod 755 ~/.ssh
[remote-host]$ chmod 644 ~/.ssh/authorized_keys
5. Login from the local-host to remote-host using the SSH key authentication to verify whether it works properly.
[local-host]$ <You are on local-host here> [local-host]$ ssh -l jsmith remote-host
Enter passphrase for key '/home/jsmith/.ssh/id_rsa': <Enter your passphrase here>
Last login: Sat Jun 07 2008 23:03:04 -0700 from 192.168.1.102
No mail. [remote-host]$ <You are on remote-host here>
6. Start the SSH Agent on local-host to perform ssh and scp without having to enter the passphrase several times.
Verify whether SSH agent is already running, if not start it as shown below.
[local-host]$ ps -ef | grep ssh-agent
511 9789 9425 0 00:05 pts/1 00:00:00 grep ssh-agent
[local-host]$ ssh-agent $SHELL
[local-host]$ ps -ef | grep ssh-agent
511 9791 9790 0 00:05 ? 00:00:00 ssh-agent /bin/bash
511 9793 9790 0 00:05 pts/1 00:00:00 grep ssh-agent
7. Load the private key to the SSH agent on the local-host.
[local-host]$ ssh-add
Enter passphrase for /home/jsmith/.ssh/id_rsa: <Enter your passphrase here>
Identity added: /home/jsmith/.ssh/id_rsa (/home/jsmith/.ssh/id_rsa)
Following are the different options available in the ssh-add:
- ssh-add <key-file-name>: Load a specific key file.
- ssh-add -l: List all the key loaded in the ssh agent.
- ssh-add -d <key-file-name>: Delete a specificy key from the ssh agent
- ssh-add -D: Delete all key
8. Perform SSH or SCP to remote-home from local-host without entering the password.
[local-host]$<You are on local-host here> [local-host]$ ssh -l jsmith remote-host
Last login: Sat Jun 07 2008 23:03:04 -0700 from 192.168.1.102
No mail. <ssh did not ask for passphrase this time> [remote-host]$ <You are on remote-host here>
Help me spread the news about The Geek Stuff.
Please leave your comments and feedback regarding this article. If you like this post, I would really appreciate if you can spread the word around about “The Geek Stuff” blog by adding it to del.icio.us or Digg through the link below.
If you enjoyed this article, you might also like..
|
|
|
|
My name is Ramesh Natarajan. I will be posting instruction guides, how-to, troubleshooting tips and tricks on Linux, database, hardware, security and web. My focus is to write articles that will either teach you or help you resolve a problem. Read more about
{ 11 comments… read them below or add one }
The permissions of .ssh should not be 755 and 644 for authentication_keys
It should be 700 and 600.
Step 4 refers to a file named “authorized_key” (“chmod 644 ~/.ssh/authorized_key”). It should be “authorized_keys” instead of “authorized_key”.
Jeremy,
Thanks for pointing it out. I had it correct on step#3 and made a typo on step#4.
I have corrected step#4 properly now.
Thank you so much for the information. I got it…!!!!!!!!
Thank you. I was not sure if this would apply to my ubuntu system on my netbook but it worked flawlessly.
I did everything as mentioned above. But unable to perform scp or ssh without a password prompt.
Thanks for the stuff, did just as you exlpained
Thanks for the notes on how to get ssh-agent up and running. Good concise info. All worked as expected after I followed along with this article.
Thanks!
Most excellent article. Clear, concise, and to the point. It works on AIX and OpenSSH versions 0.9.8g and 1.0.0a. Thanks!
Thanks..
Good Stuff, it’s worked me..
Hi,
Awesome explaination…I have a doubt…..after connecting to remote host is there any way to come back to the localhost through any command instead of opening a new session.