Password-less ssh Access
I use ssh to manage my OS X and Ubuntu machines. It's one of those things I
set up once when I build a new machine, but then don't think about too much and
often forget the steps to set it up correctly, so I thought I'd write it down.
The steps are pretty simple:
- create a key pair
- copy the key to the remote host
- create a "Host" alias for the remote host in your ssh config file (optional)
Create the ssh Key Pair
You really only need to do this once and can copy the same public key to multiple hosts, but you can also create a separate key pair for each host if you prefer.
Use ssh-keygen to create the key. I typically use RSA, which is the default
on most systems, but like to specify it explicitly just in case.
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
60:d9:e3:8c:d9:e8:1e:17:78:42:3f:a1:e9:b6:de:06 user@host
The default location for the key files is the ~/.ssh directory, which will
be created if it doesn't already exist. The id_rsa file is the private key and
stays on the local machine; id_rsa.pub is the public key, and this is the file
you will put on the remote hosts.
Copy the Public Key to the Remote Host
You need to copy the public key to the remote host so that its sshd
recognizes your key when you open an ssh connection from the local machine.
$ cat ~/.ssh/id_rsa.pub | ssh user@remote.host 'cat >> ~/.ssh/authorized_keys'
user@remote.host's password:
This appends the public key to the list of authorized ssh keys on the remote
host (creating the file if needed). Since the key isn't there yet, we are
prompted for the password this one time. Once the command above has run, we
can test it out and should be able to connect without a password.
$ ssh user@remote.host
Linux remote.host 2.6.24-19-server #1 SMP Wed Jun 18 15:18:00 UTC 2008 i686
No mail.
Last login: Tue Aug 11 21:14:41 2009 from my.local.isp
$
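As an added example (not from the original post), here is a small POSIX shell function that does what the remote side of the cat | ssh pipeline above does, but also creates ~/.ssh when it is missing, skips a key that is already listed so re-runs don't pile up duplicates, and sets the permissions sshd expects (700 on the directory, 600 on the file), since sshd's StrictModes check ignores authorized_keys when either is group- or world-writable. The function name and the sample key are assumptions/constructed, and the demonstration runs against a temporary directory rather than a real remote host.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key into an
# authorized_keys file the way "cat >> ~/.ssh/authorized_keys" does, but
# creating the directory if needed, refusing to add the same key twice, and
# setting the permissions sshd's StrictModes check requires.
# Usage: install_pubkey PUBKEY_FILE TARGET_SSH_DIR   (names are assumptions)
install_pubkey() {
    pubkey_file="$1"
    ssh_dir="$2"
    auth_keys="$ssh_dir/authorized_keys"

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }
    key_line=$(head -n 1 "$pubkey_file")
    # An OpenSSH public key line looks like "<type> <base64 blob> [comment]".
    case "$key_line" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    # sshd ignores authorized_keys if ~/.ssh or the file is group/world writable.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_keys" && chmod 600 "$auth_keys" || return 1

    # Compare type and key material only, so a changed comment is not a "new" key.
    key_body=$(printf '%s\n' "$key_line" | awk '{print $1 " " $2}')
    if awk -v k="$key_body" '($1 " " $2) == k { found = 1 } END { exit !found }' "$auth_keys"; then
        echo "key already present in $auth_keys"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_keys"
    echo "key added to $auth_keys"
}

# Local demonstration with a constructed (not real) key in a temporary directory.
demo_dir=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial000000000 user@host\n' > "$demo_dir/id_demo.pub"
install_pubkey "$demo_dir/id_demo.pub" "$demo_dir/ssh"   # key added
install_pubkey "$demo_dir/id_demo.pub" "$demo_dir/ssh"   # key already present
rm -rf "$demo_dir"
```

On systems that ship it, ssh-copy-id performs the same directory creation and permission fix-up over ssh; the function above just makes those steps visible.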
Add an Alias for the Remote Host
With only one remote host, it's pretty easy to remember the ssh command to
connect to it. But once you have many hosts, each with potentially different
user IDs and ssh ports, it can get confusing to remember the correct
parameters for each remote machine.
You can edit the ~/.ssh/config file and put host aliases in it with default
values that will be used when connecting to remote sites. You can even use
wildcards for host names to factor out common settings.
Host web
    User usr123
    HostName www.catchy-domain-name.com

Host svn
    User usr456
    HostName svn.catchy-domain-name.com

Host *
    Port 2992
So instead of connecting to the first host via
$ ssh -p 2992 usr123@www.catchy-domain-name.com
we can just type
$ ssh web
Changing the ssh Port
By default sshd listens on TCP port 22 for all connections. Because it is the
default, port 22 is a common target for hackers, so it's wise to move sshd to
a different port to make it a little harder for malware to attack your
machine. On the remote machine, change the port definition in the sshd config
file and restart sshd.
$ sudo vi /etc/ssh/sshd_config
# change the line "Port 22" to a number above 1023, or add the line if it's missing
$ sudo /etc/init.d/ssh restart
Now you'll need to use ssh with the -p option to specify the new port, or
define this in the ~/.ssh/config file as we did above.