Using SSH for passwordless remote login
Secure Shell, or SSH, is a network protocol that allows secure data exchange between two networked devices. It is designed to replace Telnet, which sends information over the network in plain text, making it susceptible to interception or eavesdropping. SSH, on the other hand, provides secure communication by encrypting the data sent over the network. It is typically used to log in to a remote computer and to execute commands remotely. Aside from this, SSH can also be used to securely transfer files using scp or sftp, to forward TCP ports, and to set up SSH tunnels, among others.
Here, I will outline how to use SSH for passwordless remote login. Of course, this is far from being complete and some of the things below may not work perfectly with your setup. There are many howtos regarding this topic and you should be able to find the one that is appropriate for your system.
Generating key pairs
SSH uses public-key cryptography to authenticate remote computers. In this form of cryptography, a user has a public key, which can be widely distributed, and a private key, which should be kept secret. Before you can use SSH, you will need to generate this key pair. You can do this using ssh-keygen, as follows.
[baggy@mycomp] ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/baggy/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/baggy/.ssh/id_rsa
Your public key has been saved in /home/baggy/.ssh/id_rsa.pub
The key fingerprint is:
SHA256: XXXXXXXX baggy@mycomp
The key's randomart image is:
(some random art)
[baggy@mycomp]
When you are asked to enter the file where the key will be saved (line 3), just press Enter to accept the default location. Note that in the above, a passphrase refers to a string of words and characters that will be used to authenticate you when you want to use your SSH identity. It differs from a password in that you can use spaces or tabs and it is also usually longer. Generally, it is a phrase and not just a single word. For an empty passphrase, just press Enter at lines 4 and 5. Keep in mind that a private key without a passphrase is stored unencrypted, so anyone who can read the file can use it.
To generate different types of key pairs such as DSA or RSA, you can use the -t option of ssh-keygen. For example, the command should be ssh-keygen -t dsa to generate a DSA key pair. Note that OpenSSH has disabled DSA keys by default since version 7.0, so on current systems RSA or Ed25519 is the practical choice. After generating your key pair, you'll need to install your public key on the remote systems you are planning to connect to.
Installing the public key to the remote machine
To install your public key, you can use ssh-copy-id if this command is available.
baggy@mycomp:~$ ssh-copy-id baggy@remote.machine.com
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/baggy/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
baggy@remote.machine.com's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'baggy@remote.machine.com'"
and check to make sure that only the key(s) you wanted were added.
Replace baggy@remote.machine.com with your actual username and the hostname of the remote machine. You will be asked to provide your password at the remote machine (line 5). Enter your password to complete the process. If ssh-copy-id is not available, you can use scp to copy your public key file to the remote computer, then append its contents to the authorized_keys file in the .ssh subdirectory of your home directory.
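The manual route just described, sketched as an added example (not part of the original howto). The function name install_pubkey and the scratch-directory demo are assumptions; on a real server you would call it with only the path of the .pub file you copied over.

```shell
#!/bin/sh
# Added example: manual equivalent of ssh-copy-id. Run on the REMOTE machine
# after copying the key there, e.g.: scp ~/.ssh/id_rsa.pub baggy@remote.machine.com:
# install_pubkey PUBKEY_FILE [SSH_DIR]   (the function name is hypothetical)
install_pubkey() (
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; exit 1; }
    # Only the .pub file belongs on the server; refuse a private key.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a private key, refusing" >&2
        exit 1
    fi

    umask 077                       # anything created below is owner-only
    mkdir -p "$dir"
    touch "$auth"

    # Append each key line only once, so re-running is harmless.
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
    done < "$pub"

    # sshd (StrictModes) rejects keys kept in group- or world-writable paths.
    chmod 700 "$dir"
    chmod 600 "$auth"
)

# Demo in a scratch directory with a constructed (not real) key line.
demo=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAAconstructed baggy@mycomp' > "$demo/id_rsa.pub"
install_pubkey "$demo/id_rsa.pub" "$demo/.ssh"
install_pubkey "$demo/id_rsa.pub" "$demo/.ssh"   # second run adds nothing
wc -l < "$demo/.ssh/authorized_keys"
```

Once the key is installed, delete the copied .pub file from the remote home directory; it is no longer needed there.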
You can now try connecting to your remote system using the following:
[baggy@mycomp] ssh baggy@remote.machine.com
Enter passphrase for key '/home/baggy/.ssh/id_rsa':
Last login: Tue Aug 18 08:08:08 from mycomp.localmachine.com
[baggy@remote]
As you might have noticed, instead of asking for the password of the remote machine, SSH asked for the passphrase of your SSH identity. The advantage of this over using a password is that the passphrase is never transmitted over the network, making the approach safer. If SSH still asks for a password, verify your remote system's sshd configuration and make sure that RSA/DSA authentication is enabled. If you did not provide a passphrase when you generated the keys, you will be automatically logged in to the remote machine.
If you did set a passphrase, you are still required to type it. The password is just being replaced by the passphrase, sort of. So is there a way to do away with typing the passphrase as well? Fortunately, the answer is yes: use ssh-agent.
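For the case above where SSH still asks for the account password, here is an added example (not from the original howto) of the two server-side checks that most often explain it: the PubkeyAuthentication setting in sshd_config and loose permissions on the paths sshd inspects. The function names and the scratch-directory demo are assumptions; on a real server, sshd -T run as root prints the authoritative effective configuration.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Run on the remote machine.

# Print the global PubkeyAuthentication value from an sshd_config file.
# sshd uses the first value it finds for a keyword; the default is "yes".
# Match blocks and Include files are not evaluated here.
pubkey_auth_setting() {
    awk '{ sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/); k = tolower(f[1]) }
         k == "match" { exit }
         k == "pubkeyauthentication" { print tolower(f[2]); found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# With StrictModes (default yes) sshd ignores authorized_keys when the home
# directory, ~/.ssh or the file itself is writable by group or others.
# Prints each offending path; returns 1 if any was found.
loose_paths() (
    bad=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        # Characters 6 and 9 of the mode string are group- and other-write.
        case $(ls -ld "$p" | cut -c6,9) in
            *w*) echo "$p"; bad=1 ;;
        esac
    done
    exit "$bad"
)

# Demo on constructed input (not taken from a real server).
demo2=$(mktemp -d)
printf '%s\n' '# PubkeyAuthentication yes' 'PubkeyAuthentication no' \
    'PubkeyAuthentication yes' > "$demo2/sshd_config"
pubkey_auth_setting "$demo2/sshd_config"     # first uncommented value wins
mkdir -p "$demo2/home/.ssh"
chmod 755 "$demo2/home"
chmod 775 "$demo2/home/.ssh"                 # group-writable on purpose
loose_paths "$demo2/home" || echo "fix with: chmod go-w <path>"
```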
Using ssh-agent
ssh-agent is part of the OpenSSH package and manages RSA and DSA keys. It is a long-running daemon designed to cache your decrypted keys so that SSH can communicate with it and use the cached keys without prompting you for a passphrase every time you make a remote connection. To add an identity to those managed by ssh-agent, you can use ssh-add.
There are many ways to use ssh-agent. For me, since I only use it in a single shell, I just use the following:
[baggy@mycomp] ssh-agent /bin/bash
[baggy@mycomp] ssh-add
Enter passphrase for /home/baggy/.ssh/id_rsa:
Identity added: /home/baggy/.ssh/id_rsa (/home/baggy/.ssh/id_rsa)
[baggy@mycomp]
When running ssh-add, you will be asked for your passphrase (line 3). Enter your passphrase. Within this shell, you can now log in remotely or run commands remotely without being prompted for a passphrase.