SSH Without Prompts on the CS Linux Machines

This document briefly discusses setting things up so you can use ssh to remotely log in to the department's Linux machines without being prompted for a password, using SSH keys. (Once you do this, you will also be able to use other SSH-based commands, such as scp, without being prompted.) It is not meant as a complete discussion of the various SSH authentication options!

Initial Setup

Generate a key for SSH with the following command:

ssh-keygen

This command will prompt you for a filename and a “passphrase”. You can just accept the default choice for the filename. The passphrase is one you will have to supply to use the key; this provides some extra security (a copy of the private key file is of no use to someone who does not know the passphrase) but also means you have to take additional steps to avoid being prompted for the passphrase rather than your password. A blank passphrase is probably adequate if you just want to use the key for logging in from one of the department machines to another. Some options if you want the additional security of a non-blank passphrase are discussed later.

Once you've run the command, you should have files ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub. Add the new key to the list of authorized keys by editing file ~/.ssh/authorized_keys and inserting the text from ~/.ssh/id_rsa.pub (as a separate line). Note that older systems called this file authorized_keys2. A way to set things up that will work either way is to make a “hard link” that makes both names reference the same file:

cd ~/.ssh
ln authorized_keys authorized_keys2

Also verify that file/directory permissions are set appropriately: The .ssh directory and its contents should be accessible only to you, and your home directory should not be group-writable. You can do that like this:

chmod -R go= ~/.ssh
chmod g-w ~

NOTE that if you forget to do this, ssh will continue to prompt you for a password.

(It may be worth noting that in general to make this access work you need to copy the public key from the accessing machine to the accessed machine, but all of our machines share a common set of home directories, so it's enough to do this local copying. There's a command ssh-copy-id for the more general case.)

Testing and Troubleshooting

Check that everything is set up properly by using ssh to execute a simple command on another machine, e.g.,

ssh dias01 hostname

If everything is set up properly, the command will execute and you will not be prompted for a password. The first time you try this test for each machine, you'll get a somewhat alarming message, ending with a prompt “are you sure” etc. Answer “yes”, and the next time you should not be prompted, unless/until something on the target machine changes in a way that affects keys. If that happens, just answer “yes” again. If instead of the prompt you get error messages about authentication failure, try editing file .ssh/known_hosts and removing any lines containing the target machine name.

If you still get a password prompt, check file/directory permissions as described above.
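
One way to automate that check is the following script, an added example that is not part of the original page. It audits the three things the setup section asks for: a home directory that is not group-writable, a .ssh directory with no group/other access, and the public key present in authorized_keys. The function names (check_ssh_setup, mode_of, fail) are hypothetical, and the key file name id_rsa.pub is assumed to be the default mentioned above.

```sh
#!/bin/sh
# Added example: audit the setup steps from this page for one home directory.
# Usage: check_ssh_setup "$HOME"   (prints each problem; exit status = problem count)

mode_of() { ls -ld "$1" | cut -c1-10; }      # permission string, e.g. drwx------

fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

check_ssh_setup() {
    home=$1; sshdir=$home/.ssh; problems=0
    pub=$sshdir/id_rsa.pub; auth=$sshdir/authorized_keys   # assumed default key name

    # Home directory must not be group-writable (fix: chmod g-w ~).
    case $(mode_of "$home") in
        ?????w????) fail "$home is group-writable; run: chmod g-w $home" ;;
    esac

    if [ ! -d "$sshdir" ]; then
        fail "$sshdir does not exist; run ssh-keygen first"
        return "$problems"
    fi

    # .ssh and all its contents: no group/other bits (fix: chmod -R go= ~/.ssh).
    # The here-document keeps the loop in this shell so the counter survives.
    while IFS= read -r f; do
        case $(mode_of "$f") in
            ????------) ;;
            *) fail "$f is accessible to group/other; run: chmod -R go= $sshdir" ;;
        esac
    done <<EOF
$(find "$sshdir" ! -type l)
EOF

    # The public key must appear as a whole line of authorized_keys.
    if [ ! -f "$pub" ] || [ ! -f "$auth" ]; then
        fail "missing $pub or $auth"
    elif ! grep -qxF -f "$pub" "$auth"; then
        fail "$pub is not listed in $auth"
    fi
    return "$problems"
}
```

Source the file and run check_ssh_setup "$HOME"; no output and a zero exit status mean all three conditions hold.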

Using a Non-Blank Passphrase

Having a non-blank passphrase is arguably more secure, but would seem to defeat the purpose of all of this setup, since it appears to just replace the prompt for a password with a prompt for a passphrase. However, you can set things up so that authentication is done by a background process (an “agent”), in which case you will only be prompted when you start the agent. A totally command-line-based option uses the command ssh-agent (more in its man page, though it's not the easiest reading). I believe there are GUI options as well but have not investigated.




2020-08-06