Automated SSH login

  1. Purpose: enable secure access to a remote host without an interactive password/passphrase prompt, so that SSH can be used in automated scripts without storing the password in them.
  2. Server authentication
    1. .rhosts ?
    2. ~/.ssh/known_hosts
  3. Client authorization
    1. Generate a key pair for the user:

      $ ssh-keygen
      Generating public/private rsa key pair.
      Enter file in which to save the key (/home/toolate/.ssh/id_rsa):
      Enter passphrase (empty for no passphrase):
      Enter same passphrase again:
      Your identification has been saved in /home/toolate/.ssh/id_rsa.
      Your public key has been saved in /home/toolate/.ssh/id_rsa.pub.
      The key fingerprint is:
      d7:71:42:51:73:94:75:a7:08:79:af:6d:fb:19:5c:19 toolate@yoga

    2. Add the public key to the list of authorized users of account on server (~/.ssh/authorized_keys):

      $ ssh-copy-id -i ~/.ssh/id_rsa.pub jade@forest
      jade@forest's password:
      Now try logging into the machine, with "ssh 'jade@forest'", and check in:

        .ssh/authorized_keys

      to make sure we haven't added extra keys that you weren't expecting.

      This added a single (long) line to jade's ~/.ssh/authorized_keys:

      ssh-rsa AAAAB3NbtC1xc2EAAAABIwAAAQEA+JEc...9HFsoGtEFBk/p19O74CRt+w== toolate@yoga
    3. Verification: now can login or run commands without being asked for jade's password:

      $ ssh friend@feast uptime
      15:05:32 up 12 days, 2:44, 1 user, load average: 0.00, 0.00, 0.00
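
The steps above leave a key that can run any command on the account. For a key meant for unattended scripts, one option is to bind it to a single forced command when it is added to authorized_keys, and to check the file permissions at the same time. The script below is an added example, not part of the original notes; the function names, the scratch directory and the sample public key are constructed for illustration, and the authorized_keys options are standard OpenSSH ones.

```shell
#!/bin/sh
# Added example, not from the original notes.

# perms_ok PATH...: succeed only if every PATH exists and none is group- or
# world-writable; with StrictModes, sshd refuses to use such files.
perms_ok() {
    loose=$(find "$@" -prune \( -perm -020 -o -perm -002 \) -print) && [ -z "$loose" ]
}

# install_restricted_key PUBKEY_FILE SSH_DIR FORCED_COMMAND
# Appends the key to SSH_DIR/authorized_keys so that it can only run
# FORCED_COMMAND, whatever command the client asks for.
install_restricted_key() {
    pub=$1; dir=$2; cmd=$3; auth=$dir/authorized_keys
    # Require exactly one well-formed "type base64 [comment]" line.
    [ -r "$pub" ] && [ "$(grep -c . "$pub")" -eq 1 ] ||
        { echo "need exactly one key in $pub" >&2; return 1; }
    key=$(grep -E '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/]+=*( |$)' "$pub") ||
        { echo "not a public key: $pub" >&2; return 1; }
    # A double quote would end the command="..." option early.
    case $cmd in *'"'*) echo 'forced command must not contain "' >&2; return 1 ;; esac
    mkdir -p "$dir" && chmod 700 "$dir" && touch "$auth" && chmod 600 "$auth" || return 1
    blob=$(printf '%s\n' "$key" | cut -d' ' -f2)
    # Idempotent: do nothing if this key material is already listed.
    grep -qF -- "$blob" "$auth" && return 0
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$cmd" "$key" >> "$auth"
}

# Demo on a scratch directory with a constructed (not real) public key.
demo=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedSAMPLEkey0000== toolate@yoga' > "$demo/id_rsa.pub"
install_restricted_key "$demo/id_rsa.pub" "$demo/.ssh" /usr/bin/uptime
perms_ok "$demo/.ssh" "$demo/.ssh/authorized_keys" && cat "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```

With such an entry in place, the server runs the forced command regardless of what the client requests, so a copied key cannot be used for an interactive shell or port forwarding.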

Notes

  1. More…
    1. Permissions?
    2. sshd configuration options?
    3. Use a passphrase and ssh-agent? To improve security?
  2. OpenSSH version used here:

    $ ssh -V
    OpenSSH_4.3p2 Debian-8ubuntu1.4, OpenSSL 0.9.8c 05 Sep 2006

    Code:

    apt-get source openssh
  3. Use RSA keys rather than DSA keys, because RSA keys are longer by default. Cf., e.g., the discussion on linuxforums.org.
  4. References:
    1. http://www.debian-administration.org/articles/152



Last modified 2009-08-17 13:55:36 +0000