David Avraamides Code and other geekery

Password-less ssh Access

I use ssh to manage my OS X and Ubuntu machines. It's one of those things I set up once when I build a new machine, but then don't think about too much, and I often forget the steps to set it up correctly, so I thought I'd write it down.

The steps are pretty simple:

  1. create a key pair
  2. copy the key to the remote host
  3. create a "Host" alias for the remote host in your ssh config file (optional)

Create the ssh Key Pair

You really only need to do this once and can copy the same public key to multiple hosts, but you can also create a separate key pair for each host if you prefer.

Use ssh-keygen to create the key. I typically use RSA, which is the default on most systems, but I like to specify it explicitly just in case.

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
60:d9:e3:8c:d9:e8:1e:17:78:42:3f:a1:e9:b6:de:06 user@host

The default location for the key files is in the ~/.ssh directory which will be created if it doesn't already exist. The id_rsa.pub file is the public key. This is the file you will put on the remote hosts.

Copy the Public Key to the Remote Host

You need to copy the public key to the remote host so that its sshd will recognize your key when you open an ssh connection from the local machine.

$ cat ~/.ssh/id_rsa.pub | ssh user@remote.host 'cat >> ~/.ssh/authorized_keys'
user@remote.host's password:

This appends the public key to the list of authorized ssh keys on the remote host (creating the file if needed). Since the key isn't there yet, we are prompted for the password. Once we run the command above, we can test it out and should be able to connect without a password.

$ ssh user@remote.host
Linux remote.host 2.6.24-19-server #1 SMP Wed Jun 18 15:18:00 UTC 2008 i686
No mail.
Last login: Tue Aug 11 21:14:41 2009 from my.local.isp
$
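A hardened version of the copy step, as an added example that is not from the original post: it creates ~/.ssh and authorized_keys with the permissions sshd insists on (sshd ignores the file when the directory or file is group/world writable) and skips a key that is already installed instead of appending a duplicate. The directory-based install_key and count_keys helpers are assumptions here so the logic can be exercised without a remote host; push_key is the post's one-liner with the same hardening applied.

```shell
#!/bin/sh
# Added example, not from the original post. install_key works on a local
# directory so it can be run and tested offline; push_key sends the same
# logic to a remote host over ssh.

# install_key <ssh_dir> <public_key_line>
# Returns 1 (and changes nothing) if the key is already present.
install_key() {
    ssh_dir=$1
    key=$2
    auth="$ssh_dir/authorized_keys"
    # sshd (StrictModes, the default) requires ~/.ssh 0700 and the file 0600.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth" && chmod 600 "$auth"
    # Key type and base64 body identify a key; the trailing comment may differ.
    key_id=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if grep -qF -- "$key_id" "$auth"; then
        return 1
    fi
    printf '%s\n' "$key" >> "$auth"
}

# count_keys <ssh_dir>: number of key lines in authorized_keys
count_keys() {
    grep -c '^ssh-' "$1/authorized_keys"
}

# push_key <user@host> <pubkey_file>: the post's "cat | ssh" line, hardened.
# The remote command is single-quoted so nothing expands locally; umask 077
# makes mkdir/touch create ~/.ssh as 0700 and authorized_keys as 0600, and
# the grep keeps a second run from appending the same key again.
push_key() {
    ssh "$1" 'umask 077; mkdir -p ~/.ssh; k=$(cat)
        grep -qF -- "$k" ~/.ssh/authorized_keys 2>/dev/null \
            || printf "%s\n" "$k" >> ~/.ssh/authorized_keys' < "$2"
}
```

push_key user@remote.host ~/.ssh/id_rsa.pub replaces the cat | ssh line above and still prompts for the password once.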

Add an Alias for the Remote Host

With only one remote host, it's pretty easy to remember the ssh command to connect to it. But once you have many hosts, each with potentially different user IDs and ssh ports, it can get confusing to remember the correct parameters for each remote machine.

You can edit the ~/.ssh/config file and put host aliases in it with default values that will be used when connecting to remote sites. You can even use wildcards for host names to factor out common settings (ssh uses the first value it finds for each option, so specific Host entries go before the catch-all Host * block).

Host web
    User usr123
    HostName www.catchy-domain-name.com

Host svn
    User usr456
    HostName svn.catchy-domain-name.com

Host *
    Port 2992

So instead of connecting to the first host via

$ ssh -p 2992 usr123@www.catchy-domain-name.com

we can just type

$ ssh web

Changing the ssh Port

By default sshd listens on TCP port 22 for all connections. This makes it a common target for automated scans and brute-force attempts, so it's wise to move it to a different port to make your machine a little less attractive to opportunistic malware. On the remote machine, change the port definition in the sshd config file.

$ sudo vi /etc/ssh/sshd_config
# change the line "Port 22" to a number above 1023 (e.g. "Port 2992"),
# or add the line if it's missing (sshd_config uses "Port N", not "Port = N")
$ sudo /etc/init.d/ssh restart

Now you'll need to use ssh with the -p option to specify the new port, or define this in the ~/.ssh/config file as we did above.


4 Comments

Posted by
John Moylan
Saturday September 19, 2009
4:33 p.m.

Hi David. This comment is not directly related to this post. I am looking for a copy of your Django getting things done code.

http://davidavraamides.net/blog/2006/07/27/getting-things-done-django-style-part-1/

Your SVN server is no longer accessible. Any chance you could send me a copy?

BTW, the comment preview is a nice idea.


Posted by
Bill Campbell
Friday November 13, 2009
11:56 a.m.

Awesome site. I am currently involved in the virtual world of Citrix. Any thoughts or ideas?

Also, I heard that the Hawks have a reasonable football team this year.


Posted by
metellius
Wednesday January 6, 2010
6:41 p.m.

The title of the post is rather wrong, I thought you were going to talk about letting people anonymously connect to your ssh-server, but instead you present an introduction to ssh passwordless authentication.

Also, in your second step I would rather use the ssh command specifically designed for copying over credentials:

ssh-copy-id -i ~/.ssh/id_rsa.pub user@remote.host


Posted by
David Avraamides
Wednesday January 6, 2010
8:57 p.m.

@metellius: Fair point on the title. I'll think about renaming it to something like Passwordless ssh access.

Regarding ssh-copy-id, that's not included with OS X - my primary OS - and from what I understand, it's just a script that does something along the same lines.

