Learn the UNIX/Linux command line

Setting up SSH keys for access without a password

If you manage more than one or two hosts, you likely have to type the same password too often. This can get quite annoying. SSH allows you to set up a public and private keypair. Using these keys, you can connect to any host which has the public key, from any host which has the private key, typing your passphrase only once.

The first thing you must do is generate a keypair. You should be able to do this with the command ssh-keygen -t rsa. I did so below, choosing all the defaults and entering my chosen passphrase:

brock@www:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/brock/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/brock/.ssh/id_rsa.
Your public key has been saved in /home/brock/.ssh/id_rsa.pub.
The key fingerprint is:
25:27:12:0c:90:0f:9c:c7:c7:a0:63:3d:4b:d9:da:5c

The private key is in a file named id_rsa; the public key is named id_rsa.pub. Both files are stored in the .ssh directory inside my home directory, i.e. ~/.ssh.

brock@www:~$ ls -l ~/.ssh/
total 3
-rw------- 1 brock brock 951 Dec 3 12:04 id_rsa
-rw-r--r-- 1 brock brock 222 Dec 3 12:04 id_rsa.pub
-rw-r--r-- 1 brock brock 540 Sep 22 15:37 known_hosts

Now all we have to do is install the public key. First, I am going to install it on the host on which I generated the key. (It is not installed automatically, even on the host you create it on.) All I need to do is go into the ~/.ssh/ directory and create a file called authorized_keys with the contents of the public key, id_rsa.pub.

brock@www:~$ cd ~/.ssh/
brock@www:~/.ssh$ cat id_rsa.pub > authorized_keys
brock@www:~/.ssh$ chmod 600 authorized_keys

As you can see below, I am now able to use the key. It asks me for a passphrase every time I log in. (Note that the passphrase is NOT the user's password. The passphrase is whatever you entered when you generated the key.) We will eliminate that prompt a few paragraphs down the page.

brock@www:~/.ssh$ ssh brock@www
Enter passphrase for key '/home/brock/.ssh/id_rsa':
Last login: Sun Dec 3 11:53:26 2006 from 194.178.109.250
brock@www:~$ exit
logout
Connection to www closed.

If you're comfortable installing the key, skip to the next paragraph. I am now going to install the key on a remote host. If the command below looks daunting, read the following articles first: Run Remote Commands with SSH, and Standard Error and Standard Out.

brock@www:~/.ssh$ cat id_rsa.pub | ssh mysql105 'cd .ssh; cat >> authorized_keys; chmod 600 authorized_keys'
brock@mysql105's password:

Note: if the .ssh directory does not exist, you may need to add “test -d .ssh || mkdir .ssh && chmod 700 .ssh” to your command.
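The one-liner above appends blindly, so running it twice leaves a duplicate key, and it fails if ~/.ssh is missing. The function below is an added example (not from the original article) that does the same installation idempotently, creating ~/.ssh with mode 700 if needed, skipping keys already present, and enforcing the permissions sshd's StrictModes expects. The function name, the constructed sample key and the target-directory argument are assumptions of this example; the directory argument stands in for the remote home directory.

```shell
#!/bin/sh
# install_pubkey <pubkey-file> <home-dir>
# Idempotent version of: cd .ssh; cat >> authorized_keys; chmod 600 authorized_keys
install_pubkey() {
    pubkey_file=$1
    home_dir=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Read the key and reject anything that is not a public key line
    # (a private key pasted by mistake would otherwise land in the file).
    key=$(cat "$pubkey_file") || return 1
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not a public key: $pubkey_file" >&2; return 1 ;;
    esac

    # Same as the note above: create ~/.ssh with mode 700 only if missing.
    test -d "$ssh_dir" || mkdir -m 700 "$ssh_dir" || return 1

    # Make sure authorized_keys exists so grep has a file to read.
    test -f "$auth_file" || : > "$auth_file"

    # Append only if this exact key line is not already present.
    if ! grep -qxF -- "$key" "$auth_file"; then
        printf '%s\n' "$key" >> "$auth_file"
    fi

    # sshd (StrictModes, the default) ignores keys when the directory or
    # file is group/world-writable, so pin the permissions every time.
    chmod 700 "$ssh_dir" && chmod 600 "$auth_file"
}

# Invoked directly: install_pubkey.sh ~/.ssh/id_rsa.pub [home-dir]
if [ $# -gt 0 ]; then
    install_pubkey "$1" "${2:-$HOME}"
fi
```

To use it on the remote side, copy the function there (or ship it with the key over the same ssh pipe as the one-liner above) and point it at the remote $HOME.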

You can use ssh-agent to start a process which will hold your decrypted key while you are logged in. This lets you type the passphrase for a key once, at login. After that, ssh talks to ssh-agent to obtain the credentials it needs. Below is a manual example.

brock@www:~/.ssh$ eval `ssh-agent`
Agent pid 11692
brock@www:~/.ssh$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /home/brock/.ssh/id_rsa:
Identity added: /home/brock/.ssh/id_rsa (/home/brock/.ssh/id_rsa)
brock@www:~/.ssh$ ssh mysql105
Last login: Sun Dec 3 12:07:16 2006 from 194.178.109.250
brock@mysql105:~$ exit
logout
Connection to mysql105 closed.

A more useful method is to have the agent start when you log in and die when you log out. The following code can be placed in your .bash_profile to achieve this:

# Only start an agent if this shell was not already given one
# (e.g. by a forwarded or inherited SSH_AUTH_SOCK).
if [ -z "$SSH_AUTH_SOCK" ]; then
    eval `ssh-agent -s`
    # Signal 0 is EXIT: kill our agent when the login shell ends.
    # Double quotes expand $SSH_AGENT_PID now, after eval has set it.
    trap "kill $SSH_AGENT_PID" 0
fi