06 October 2012

Linux Tip: SCP/SSH without passwords


How-to guide to perform ssh and scp without entering the password, using SSH public key authentication.

There are two levels of security in SSH key-based authentication. In order to log in, you need both the private key and the pass phrase. Even if one of them is compromised, an attacker still cannot log in to your account, as both are needed. This is far better than typical password-based authentication, where if the password is compromised, an attacker can gain access to the system.


There are two ways to perform ssh and scp without entering the password:
  1. No pass phrase. While creating the key pair, leave the pass phrase empty. Use this option for automated batch processing, e.g. if you are running a cron job to copy files between machines.
  2. Use a pass phrase and SSH Agent. If you are using ssh and scp interactively from the command line and you don’t want to type the password every time you perform ssh or scp, I don’t recommend the previous option (no pass phrase), as you’ve eliminated one level of security in SSH key-based authentication. Instead, set a pass phrase while creating the key pair and use SSH Agent (ssh-agent) so that you don’t have to enter the pass phrase every time, as explained in the steps below.

The following three steps explain how to perform SSH and SCP from local-host to remote-host without entering the password on an OpenSSH system.
ssh-keygen creates the public and private keys. ssh-copy-id copies the local-host’s public key to the remote-host’s authorized_keys file. ssh-copy-id also assigns proper permissions to the remote-host’s home directory, ~/.ssh, and ~/.ssh/authorized_keys.

Step 1: Create public and private keys using ssh-keygen on local-host

sajan@sajan-desktop:~$ [Note: this is the local-host]

sajan@sajan-desktop:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sajan/.ssh/id_rsa):[Press Enter key]
Enter passphrase (empty for no passphrase): [Press Enter key]
Enter same passphrase again: [Press Enter key]
Your identification has been saved in /home/sajan/.ssh/id_rsa.
Your public key has been saved in /home/sajan/.ssh/id_rsa.pub.
The key fingerprint is:
33:b3:fe:af:95:95:18:11:31:d5:de:96:2f:f2:35:f9 sajan@local-host

Step 2: Copy the public key to remote-host using ssh-copy-id

sajan@sajan-desktop:~$ ssh-copy-id -i ~/.ssh/id_rsa.pub remote-host
sajan@remote-host’s password:
Now try logging into the machine, with “ssh ‘remote-host’”, and check in:

.ssh/authorized_keys

to make sure we haven’t added extra keys.

Note: ssh-copy-id appends the key to the remote-host’s .ssh/authorized_keys file.

Step 3: Login to remote-host without entering the password

sajan@sajan-desktop:~$ ssh remote-host
Last login: Sun Nov 16 17:22:33 2008 from 192.168.1.2
[Note: SSH did not ask for password.]

sajan@remote-host:~$ [Note: this is the remote-host]

The above 3 simple steps should get the job done in most cases.
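Step 2 relies on ssh-copy-id fixing the remote permissions; when sshd still prompts for a password after Step 2, those permissions are the usual cause, because sshd's StrictModes (on by default) ignores authorized_keys if the home directory, ~/.ssh or the file itself is writable by group or others. The following shell audit is an added example, not part of the original post; it assumes a GNU or BSD stat and takes a home directory path as its argument.

```shell
#!/bin/sh
# Added example (not part of the original post): check the permissions that
# ssh-copy-id is expected to leave on the remote side (Step 2). With
# StrictModes (sshd's default) the server ignores authorized_keys when the
# home directory, ~/.ssh or the file itself is writable by group or others,
# and you get a password prompt again. Assumes GNU or BSD stat.

# Octal mode of a path, e.g. 700.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True (exit 0) when group or others have write permission (mode & 022).
group_or_world_writable() {
    m=0$(mode_of "$1")
    [ $((m & 022)) -ne 0 ]
}

# Report one path, counting it as a problem when it is missing or writable
# by group/others; the remedy is the chmod that ssh-copy-id itself applies.
check_path() {
    if [ ! -e "$1" ]; then
        echo "missing: $1 (run ssh-copy-id again)"
        return 1
    elif group_or_world_writable "$1"; then
        echo "too permissive: $1 is $(mode_of "$1"); fix: chmod go-w $1"
        return 1
    fi
    return 0
}

# audit_ssh_perms HOME_DIR
# Returns the number of problems found (0 = layout matches Step 2).
audit_ssh_perms() {
    problems=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        check_path "$p" || problems=$((problems + 1))
    done
    return $problems
}

# Run as a script on the remote host: sh audit_ssh_perms.sh "$HOME"
if [ $# -gt 0 ]; then
    audit_ssh_perms "$1"
fi
```

Copy it to the remote-host and run it against your home directory; each line of output names an offending path and the chmod go-w that ssh-copy-id would have applied.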


