Unattended SSH login / public key authorization / ssh automatic login

By | 2007/02/05

There are those of us that do a lot of ssh during the course of a day. I know I do quite a bit for accessing my files from my office. In any event you’ll probably want to setup public key authentication which allows you to login via ssh without a password.

Of course this adds a level of convenience for you, but could be considered less-secure. While its difficult to spoof an rsa/dsa encryption key (probably more difficult than a simple password) anyone that has access to your machine would be able to access the remote machines via this authenticated key.

There are a few quick steps for setting this up that I’ll outline below.

First you’ll need to generate your local public key. This is the public end of a local public / private pair that you’ll share with the remote machine to identify you.

ssh-keygen -t dsa (on your local machine)

Second you’ll need to copy this key to the remote machine using a command such as:

scp ~/.ssh/id_dsa.pub [email protected]:~

Lastly, log into the remote machine via ssh (using your password for the last time!) and use this command to add the newly generated key to the list of authenticated keys:

cat id_dsa.pub >> .ssh/authorized_keys

You’ll also probably want to delete the original key as well.

rm id_dsa.pub

At this point a copy of your key is now stored on the remote machine as an authorized keys and any ssh connection coming from the local machine will match that key and connect with the key authentication instead of a password. So nice.

…just remember that anyone with access to your machine will now have this access as well. Definitely keep this in mind if you’re using any kind of a public machine.

22 thoughts on “Unattended SSH login / public key authorization / ssh automatic login

  1. Steve Dibb

    Actually, even with an SSH2 public key, they will still need your passphrase to login.

    If you want to make it more secure, you need to disable your SSH2 daemon to only accept public key authentication. By default it will use that first, and then fall back to password authentication if the first one fails.

    Reply
  2. Marius Gedminas

    Or set a passphrase on the SSH key, and then use ssh-add once per session to add it to ssh-agent, so that you don’t have to type it for every ssh invocation.

    (If SSH pubkey authentication fails, check the file and directory permissions. Your home directory must not be group-writable!)

    Reply
  3. Thom May

    a) if someone has access to your machine, you lose, whatever.
    b) ssh-copy-id
    c) what Marius said about keys.

    Reply
  4. Mark

    You should also have a look at “keychain”. It’s a wrapper for ssh-agent which allows you to supply a single passphrase then not have to enter another one until you’ve logged out and in again. The credentials are only cleared when you log in, so cron jobs can use ssh without supplying a password even when you’re logged out, but if someone logs in as you they’ll have to supply the passphrase before they (or cron) can use passwordless ssh again.

    Reply
  5. Pingback: Aaron Toponce » Blog Archive » SSH Key Authentication

  6. Pingback: » What You Ought To Know About Securing SSH Ubuntu Tutorials : Breezy - Dapper - Edgy - Feisty

  7. mazzeo,m

    hello- I use ssh-keygen and was given a series of options to choose from. I choose a few but none of them load. any suggestions..

    i.e.

    ssh-keygen (options)

    thanks!

    Reply
  8. Fernando

    Nice guide.

    however, I find some information is missing.

    What happens if I’m
    [email protected] in the local machine, but I want to log-in as “[email protected]” ?

    All the examples I’ve seen assume that username is the same on both the local system and the remote ssh system.

    Or isn’t that the case?

    Best
    FC

    Reply
  9. Kirrus

    Just apply the authoried key to whatever user you want to login as on the remote system, so for example, if I’m “Kirrus” on my machine, and I want to be “fred” on the remote machine, I’d do:
    scp ~/.ssh/id_dsa.pub [email protected]:/home/fred/

    Reply
  10. Len

    To actually log in on many linux systems you must include the private key when you invoke your ssh session:

    ssh -i ~/.ssh/publickeyname -X [email protected]

    The -i means include the key
    the ~ means find this in my home folder (typically /user/username)
    The .ssh is a hidden file that contains your keys after you generate them.
    The -X means transfer X windows to the new session and is optional. It allows you to run graphics or gui programs over the connection if you want to.
    The [email protected] is your user id on the remote system and the name of that system.
    /Len
    WT6G

    Reply
  11. Pablo

    Thanks, you’ve been very clear and your explanation very useful, thanks again.

    Reply
  12. lonny27

    I’m missing something here. If you’ve create a new key e.g. my_id / my_id.pub with no password set, you need to create a file ‘config’ in ~/.ssh to get this working (at least in 8.04, 8.10, 9.04)

    Host
    IdentityFile ~/.ssh/my_id

    where is this host you copied the public key to.

    Reply
  13. lonny27

    that dame thing swallowed the angle brackets…

    Host <hostname>
    IdentityFile ~/.ssh/my_id

    where <hostname> is this host you copied the public key to.

    Reply
  14. michiel

    I just like to add that your home directory on the remote machine (the SSH server) has to be at least as closed as chmod 755. In my case I did simply this and then everything finally worked (macosx client to Linux server):

    $ chmod 750

    Reply
  15. Daniel Wiltshire

    Great article, ran the commands on my Mac to connect to my Ubuntu Server. I will store the key on a flash drive so I can use it anywhere with the right utilities! Like the site, and the smiley face at the bottom left of site! 😛

    Reply
  16. Ken Gribble

    Marius Gedminas :Or set a passphrase on the SSH key, and then use ssh-add once per session to add it to ssh-agent, so that you don’t have to type it for every ssh invocation. …

    I agree with Marius. I’ve seen public keys with no passwords cause a world wide break-in on more than a dozen important machines. I always advise using a password, then some key management system like ssh-add.

    Reply
  17. oormazd

    i try it but it want me enter remote machine password yet!

    Reply
  18. suresh

    i follow above steps its works fine, but some of the system not working (asking password). please any one give me support

    Reply

Leave a Reply