SSH Without Prompts on the CS Linux Machines


This document briefly discusses setting things up so you can use ssh to remotely log in to the department's Linux machines without being prompted for a password. (Once you do this, you will also be able to use other SSH-based commands, such as scp, without being prompted.) It is not meant as a complete discussion of the various SSH authentication options!

Initial Setup

Generate a key for SSH with the following command:

ssh-keygen -t dsa

This command will prompt you for a filename and a ``passphrase''. You can just accept the default choice for the filename. The passphrase is one you will have to supply to use the key; this provides some extra security but also means you have to take additional steps to avoid being prompted for the passphrase rather than your password. A blank passphrase is probably adequate if you just want to use the key for logging in from one of the department machines to another. Some options if you want the additional security of a non-blank passphrase are discussed below.

Once you've run the command, you should have files $HOME/.ssh/id_dsa and $HOME/.ssh/ Add the new key to the list of authorized keys by editing file $HOME/.ssh/authorized_keys2 and inserting the text from $HOME/.ssh/ (as a separate line). (Note that the filename authorized_keys2 is deprecated on recent builds, in favor of authorized_keys. A way to set things up that works either way is to make a ``hard link'' so that both names refer to the same file: ln authorized_keys2 authorized_keys.)

Also verify that file/directory permissions are set appropriately: The .ssh directory and its contents should be accessible only to you (chmod -R go= ~/.ssh), and your home directory should not be group-writable (chmod g-w ~).
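The setup steps above, as an added example that is not part of the original document: shell functions that take explicit paths, so you can dry-run them on a scratch directory before touching a real ~/.ssh. They assume only POSIX tools (grep, ln, chmod, ls, cut) and that your public key is in the .pub file ssh-keygen writes next to the private key (id_dsa.pub for the command above; current OpenSSH releases disable DSA keys by default, so you may need a different key type, and the functions accept whichever public key file you produced).

```shell
#!/bin/sh
# Added example, not from the original page: the setup steps as functions
# operating on explicit paths, so they can be exercised on a scratch directory.

# install_pubkey SSHDIR PUBKEYFILE
# Appends the one-line public key to SSHDIR/authorized_keys unless that exact
# line is already present, then makes authorized_keys2 a second name for the
# same file (a hard link, as with: ln authorized_keys2 authorized_keys).
install_pubkey() {
    sshdir=$1
    keys="$sshdir/authorized_keys"
    line=$(cat "$2") || return 1
    touch "$keys"
    # -x: whole-line match, -F: literal (the key is base64, no regex meaning)
    grep -qxF "$line" "$keys" || printf '%s\n' "$line" >> "$keys"
    [ -e "$sshdir/authorized_keys2" ] || ln "$keys" "$sshdir/authorized_keys2"
    chmod go= "$keys"
}

# lock_down SSHDIR HOMEDIR: the permissions from the text
# (chmod -R go= ~/.ssh; chmod g-w ~), applied to the given paths.
lock_down() {
    chmod -R go= "$1" && chmod g-w "$2"
}

# ssh_perms_ok SSHDIR HOMEDIR: report anything still too open; exit 0 if clean.
# Reads the mode string from `ls -ld`: columns 5-10 are the group and other
# rwx bits, and all six must be '-' for the .ssh directory and its contents
# (symlinks show as lrwxrwxrwx and are therefore reported too).
ssh_perms_ok() {
    sshdir=$1 homedir=$2 bad=0
    for f in "$sshdir" "$sshdir"/* "$sshdir"/.[!.]*; do
        [ -e "$f" ] || continue                  # skip unmatched glob patterns
        go=$(ls -ld "$f" | cut -c5-10)
        case $go in
            ------) ;;
            *) echo "too open ($go): $f"; bad=$((bad + 1)) ;;
        esac
    done
    # Home directory: only the group-write bit (column 6) matters here.
    if [ "$(ls -ld "$homedir" | cut -c6)" != "-" ]; then
        echo "group-writable home directory: $homedir"; bad=$((bad + 1))
    fi
    [ "$bad" -eq 0 ]
}

# Stand-alone use: audit the real ~/.ssh without changing anything.
if [ -d "$HOME/.ssh" ]; then
    ssh_perms_ok "$HOME/.ssh" "$HOME" \
        || echo "fix with: lock_down $HOME/.ssh $HOME"
fi
```

Running the file audits your own ~/.ssh and prints each offending path; to apply the setup, source it and call `install_pubkey ~/.ssh ~/.ssh/id_dsa.pub` followed by `lock_down ~/.ssh ~`. The idempotent append matters because running the procedure twice (or on a second key) otherwise leaves duplicate lines that are harmless to sshd but confusing to audit.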

Testing and Troubleshooting

Check that everything is set up properly by using ssh to execute a simple command on another machine, e.g.,

ssh dias01 hostname

If everything is set up properly, the command will execute and you will not be prompted for a password. The first time you try this test for each machine, you'll get some messages ending with a prompt (``are you sure'' etc.). Answer ``yes'', and the next time you should not be prompted, unless and until something on the target machine changes in a way that affects its host key. If that happens, just answer ``yes'' again. If instead of that prompt you get error messages about authentication failure, try editing file .ssh/known_hosts and removing any lines containing the target machine name.

If you get a password prompt, check file/directory permissions as described above.
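The test and the known_hosts clean-up described above, as an added example that is not part of the original document. It assumes OpenSSH's ssh (BatchMode and ConnectTimeout are standard options); the host name dias01 in the comments is the one used in the text, and forget_host is a helper name chosen here.

```shell
#!/bin/sh
# Added example, not from the original page: a non-interactive version of the
# `ssh HOST hostname` test, plus a helper for the known_hosts clean-up.

# check_noprompt HOST: exit 0 only if key-based login works with no interaction.
# BatchMode=yes makes ssh fail instead of asking for a password or passphrase,
# so a broken setup shows up as a non-zero exit rather than a hung script.
# BatchMode also refuses an unknown host key, so make the very first connection
# to each machine interactively and answer ``yes'' once before using this.
check_noprompt() {
    host=$1
    if out=$(ssh -o BatchMode=yes -o ConnectTimeout=10 "$host" hostname 2>&1); then
        echo "ok: $host reports hostname '$out'"
        return 0
    fi
    echo "no prompt-free login to $host: $out" >&2
    echo "  permission problem?  chmod -R go= ~/.ssh; chmod g-w ~" >&2
    echo "  host key changed?    forget_host ~/.ssh/known_hosts $host" >&2
    return 1
}

# forget_host KNOWN_HOSTS HOST: drop every entry whose host list names HOST.
# The host field of a known_hosts line is a comma-separated list such as
# "dias01,10.0.0.1" (preceded by a marker like @revoked on some lines), so each
# name is compared exactly rather than by substring: removing dias01 keeps
# dias010. Hashed entries (lines starting with "|1|") cannot be matched this
# way; ssh-keygen -R HOST handles those.
forget_host() {
    kh=$1 host=$2
    tmp="$kh.tmp.$$"
    awk -v h="$host" '
        /^#/ || NF == 0 { print; next }          # keep comments and blank lines
        {
            f = ($1 ~ /^@/) ? 2 : 1              # skip a leading @marker field
            n = split($f, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == h) next
            print
        }' "$kh" > "$tmp" && mv "$tmp" "$kh"
}

# Stand-alone use: ./this_file dias01
if [ $# -gt 0 ]; then
    check_noprompt "$1"
fi
```

Because the check exits non-zero instead of waiting at a prompt, it can be looped over a list of machines from cron or a login script; an unexpected failure on a machine that worked yesterday is worth looking at rather than silently re-accepting, since a changed host key is exactly what a man-in-the-middle would produce.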

Using a Non-Blank Passphrase

Having a non-blank passphrase is arguably more secure, but would seem to defeat the purpose of all of this setup, since it appears to just replace the prompt for a password with a prompt for a passphrase. However, you can set things up so that authentication is done by a background process (an ``agent''), in which case you will only be prompted when you start the agent. The man page for ssh-agent will tell you more, though it's admittedly not the easiest reading.
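The agent arrangement described above, as an added example that is not part of the original document: one ssh-agent per login session, reused by every later shell, so the passphrase is requested once (at ssh-add time) rather than at each ssh. It assumes the standard OpenSSH ssh-agent and ssh-add; the env file path $HOME/.ssh/agent.env and the function names are choices made here.

```shell
#!/bin/sh
# Added example, not from the original page: start one ssh-agent per session
# and let every new shell find it again through a small, protected env file.

AGENT_ENV=${AGENT_ENV:-$HOME/.ssh/agent.env}

# agent_alive: 0 if the agent named by SSH_AUTH_SOCK/SSH_AGENT_PID is usable
# (socket present and process still running).
agent_alive() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    [ -n "$SSH_AGENT_PID" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null || return 1
    return 0
}

# load_agent_env FILE: import SSH_AUTH_SOCK and SSH_AGENT_PID from the output
# of `ssh-agent -s` saved earlier. The values are extracted with sed rather
# than by sourcing the file, so a tampered file cannot run commands in your shell.
load_agent_env() {
    [ -r "$1" ] || return 1
    SSH_AUTH_SOCK=$(sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$1")
    SSH_AGENT_PID=$(sed -n 's/^SSH_AGENT_PID=\([^;]*\);.*/\1/p' "$1")
    export SSH_AUTH_SOCK SSH_AGENT_PID
    [ -n "$SSH_AUTH_SOCK" ] && [ -n "$SSH_AGENT_PID" ]
}

# ensure_agent: reuse a live agent if there is one, otherwise start a new one
# and add your default keys. The ssh-add step is the single place the
# passphrase is asked for; every later ssh/scp talks to the agent instead.
ensure_agent() {
    agent_alive && return 0
    load_agent_env "$AGENT_ENV" && agent_alive && return 0
    # umask 077 in a subshell: the env file is created readable only by you,
    # and the caller's umask is left untouched.
    (umask 077; ssh-agent -s > "$AGENT_ENV") || return 1
    load_agent_env "$AGENT_ENV" || return 1
    ssh-add
}

# Stand-alone use: ./this_file start   (or source it and call ensure_agent
# from your login script, then `ssh-add -l` to see which keys are loaded)
case "${1:-}" in
    start) ensure_agent ;;
esac
```

Sourcing this from a login script means the first shell of a session pays the passphrase prompt and later shells (and cron-like scripts that read the same env file) inherit a working agent without any prompt. Anyone who can read agent.env and reach the socket can use the loaded keys, which is why the file is created mode 600 and why the socket lives under the agent's own private temporary directory.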

Berna Massingill