Avoiding SSH password authentication with secure keys
My last post was quite controversial, as I wrote about a form of authentication that puts the password on the command line. Today I'll be writing about how to log in without a password prompt, and also about ssh-agent, secure RSA keys and how to execute remote commands with ssh.
First of all, you need to generate an RSA key:
ssh-keygen -t rsa
Accept the default location, and then protect the key with a passphrase.
By now your $HOME/.ssh folder contains at least these two files: id_rsa.pub and id_rsa. The .pub file contains the public part of your RSA key; as the name says, it's public, and you can use it to authenticate with remote hosts. The id_rsa file is the private part of your key, and no one besides you should have access to it. Nevertheless, we also protect the key with a passphrase, so if someone does get access to the file it won't be a big problem.
Now, to use the "passwordless" authentication you need to copy the content of id_rsa.pub to $HOME/.ssh/authorized_keys on the remote machine. If the file doesn't exist, create it first.
If you want to do this in a simple command line, just type the following:
cat "$HOME/.ssh/id_rsa.pub" | ssh YOUR_USER@REMOTE_SERVER "cat >> .ssh/authorized_keys"
It will ask you for the password only this first time. And you're done.
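The one-line append above fails when .ssh does not exist on the server and adds a duplicate line every time it is run. The following is an added example, not part of the original post, of a safer version of that step for the remote side: it creates the directory and file with the modes sshd expects, rejects a file that is not a single public key line (for instance id_rsa sent by mistake), and appends only when the key is missing. It assumes the .pub file has already been copied to the server (for example with scp); the function name install_pubkey and its optional TARGET_HOME argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): run on the REMOTE side.
# install_pubkey PUBKEY_FILE [TARGET_HOME]
# TARGET_HOME is a hypothetical parameter (default $HOME) so the function
# can be tried against a scratch directory first.
install_pubkey() {
    pubkey_file=$1
    target_home=${2:-$HOME}
    ssh_dir=$target_home/.ssh
    auth_file=$ssh_dir/authorized_keys

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }

    # A .pub file holds exactly one line; a private key (id_rsa) has many.
    n=$(grep -c '[^[:space:]]' "$pubkey_file" || true)
    [ "$n" -eq 1 ] || { echo "expected exactly one key line" >&2; return 1; }
    key_line=$(grep '[^[:space:]]' "$pubkey_file")
    case $key_line in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;   # common OpenSSH key types
        *) echo "not a public key line" >&2; return 1 ;;
    esac

    # sshd's StrictModes (on by default) refuses keys when these paths
    # are writable by other users, so set the modes explicitly.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Already present as a whole line (-x) and literal string (-F)? Done.
    if grep -qxF -- "$key_line" "$auth_file"; then
        return 0
    fi
    # Do not glue the new key onto an existing last line lacking a newline.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# Usage: sh install_pubkey.sh /path/to/id_rsa.pub
if [ $# -gt 0 ]; then install_pubkey "$@"; fi
```

Where OpenSSH's ssh-copy-id is installed on the client, it performs the same steps from your local machine.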
But now, every time you use the key it will ask you for the key's passphrase, not the password of your user on the server (this is because you protected your key; if you hadn't protected it, you would be logged in by now).
If you want a totally automated process you can use ssh-agent. This way you enter your key passphrase only once (for instance at session start) and can use the key for as long as you are logged in.
To use ssh-agent just do the following:
cp /etc/X11/xdm/sys.xsession ~/.xsession
Edit the .xsession file so that these variables look like the following:
usessh="yes"
sshagent="yes"
Now you need to restart your X session (just log out and log in again).
Now, to use ssh-agent and have your key available, just type:
ssh-add
This will ask you for your key passphrase, and from then on you can log in to remote servers without typing passwords (until the next logout or shutdown).
Cheers,
Pedro Oliveira