SSH Without Password

This how-to will show you how to use certificates to log on to a remote host using SSH. When you use certificates for authentication, no password will be required.


Who Am I

My name is Peter, and I am a system administrator at my local hospital. I have been working as a system administrator since 2003. All the servers at our department are running Linux, either Red Hat (mostly 7.x or 9.x) or Fedora Core. When not maintaining the servers, I write software for our department, mostly in C, C++, and PHP.

I have no special skills using SSH, except that I use it every day, and now and then need to access a few of the special features, like passwordless logon.

You can contact me by e-mail.

Why I Wrote This HowTo

There are tons of how-tos on this subject available on the net. Many of them are well written, but most (I have found) have one problem: they do not explain which computer should hold which key, and as I keep forgetting this, I have to search the web for too long every time I need to set up a passwordless SSH connection.

By writing this how-to I will always know where to find the information, presented the way I want it. With a bit of luck, it might even help me remember how to set up passwordless SSH. And if I am really lucky, it might help others, too.

Why Anyone Wants Passwordless SSH

As I am sure you already know, SSH can be used to log on to a remote computer. A remote login requires you to have an account on the remote computer, and at login you must give a valid username and password. This is all very well, as it keeps out intruders.

Sometimes you need to access a remote computer from a shell script, for instance when transferring files to the remote computer as part of a shell script run by the cron daemon. In this case there is nobody at the keyboard to type a password, and worse, if you manage to supply the password somehow (for instance with an expect script), you will have to store the password in clear text, which is very, very bad practice and should be avoided at all costs.

When Not To Use Passwordless SSH

While you could use certificates to avoid the inconvenience of having to type a password every time you log on to a remote host, I think this should be avoided. If someone gains access to your computer, they will also have access to every computer that allows a passwordless connection from it.

How To...

You have two computers: a client you want to run SSH from, and a server you want to SSH to. Say I want to be able to make a passwordless SSH connection from my workstation, Albert, to a server, Bohr.

On Albert, the workstation, open a terminal and type

albert$ ssh-keygen -t dsa

Leave the passphrase empty by pressing enter, twice.
You now have two new files in the directory /home/my_username/.ssh: id_dsa, your private key, and id_dsa.pub, your public key.
Now you need to add your newly created public key to the authorized_keys file on the remote host, Bohr.

First copy the id_dsa.pub file to Bohr

albert$ scp /home/my_username/.ssh/id_dsa.pub bohr.physics.org:

Enter your password on bohr (for the second to last time).
Now we need to log on to bohr, to enable the passwordless login.

albert$ ssh bohr.physics.org

Enter your password on bohr (for the last time).
Now, append the key you uploaded to the file /home/my_username/.ssh/authorized_keys

bohr$ cat id_dsa.pub >> /home/my_username/.ssh/authorized_keys

Log out of Bohr. You will now be back on Albert. Log on to Bohr again, using ssh, to make sure the passwordless logon works.

albert$ ssh bohr.physics.org

If everything works, you have now logged on to Bohr without typing your password. If you cannot log on, or are asked for your password, you have to go through the troubleshooting section below. Good luck!
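The server-side step above (create the .ssh directory if needed, append the public key, set the modes sshd accepts) as an added shell example that is not part of the original how-to. It does roughly what ssh-copy-id does for you, assumes GNU coreutils (stat -c), and takes the home directory as a parameter so it can be tried on a scratch directory; the key line it uses is constructed and not a working key.

```shell
#!/bin/sh
# Added example (not from the original how-to): install a public key on the
# server side the way the "cat >> authorized_keys" step intends, but
# idempotently and with the modes sshd checks. Assumes GNU coreutils (stat -c).
set -u

# mode_of PATH -> octal permission bits, e.g. 700
mode_of() { stat -c %a "$1"; }

# count_keys HOME_DIR -> number of lines in HOME_DIR/.ssh/authorized_keys
count_keys() { wc -l < "$1/.ssh/authorized_keys" | tr -d ' '; }

# install_pubkey HOME_DIR PUBKEY_FILE
# Creates .ssh (700) and authorized_keys (600) if missing, then appends the
# first "<type> <base64> [comment]" line from PUBKEY_FILE unless that exact
# type+blob pair is already present (a changed comment is not a new key).
install_pubkey() {
    ssh_dir="$1/.ssh"; auth_keys="$ssh_dir/authorized_keys"
    key_line=$(awk 'NF >= 2 && $1 ~ /^(ssh-|ecdsa-sha2-)/ { print; exit }' "$2")
    [ -n "$key_line" ] || { echo "no public key line found in $2" >&2; return 1; }
    key_blob=$(printf '%s\n' "$key_line" | awk '{ print $1, $2 }')

    ( umask 077 && mkdir -p "$ssh_dir" && touch "$auth_keys" ) || return 1
    chmod 700 "$ssh_dir" && chmod 600 "$auth_keys"   # also repairs an old dir

    if awk -v want="$key_blob" '($1 " " $2) == want { f = 1 } END { exit !f }' "$auth_keys"; then
        echo "key already present in $auth_keys"; return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_keys"
    echo "key appended to $auth_keys"
}

# Demo on a scratch "home" with a constructed, non-functional key line.
demo() {
    tmp=$(mktemp -d)
    printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAEXAMPLEKEYBLOB my_username@albert\n' > "$tmp/id_dsa.pub"
    install_pubkey "$tmp" "$tmp/id_dsa.pub"
    install_pubkey "$tmp" "$tmp/id_dsa.pub"      # second run must not duplicate
    echo "keys: $(count_keys "$tmp"), .ssh mode: $(mode_of "$tmp/.ssh")"
    rm -rf "$tmp"
}
demo
```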

If It Does Not Work

I have encountered a few problems with passwordless SSH.

Bad Server Settings

One problem could be that the SSH daemon on Bohr does not have the correct settings. On my Fedora 7 system, PubkeyAuthentication is on by default.

These settings in /etc/ssh/sshd_config turn on login with certificates:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys

RSAAuthentication is only used in SSH protocol version 1 and is probably not important to you. PubkeyAuthentication must be set to yes to allow login by certificates, and AuthorizedKeysFile is the path of the authorized_keys file (remember it from earlier?). If it is not an absolute path, it is relative to the user's home directory, like the authorized_keys file on Bohr.

I really think you should read the man page now. That's what I did.

bohr# man sshd_config

Bad Ownership

If you can log in to Bohr by ssh but still need to type your password, it could be due to bad ownership or file modes. Log in to Bohr (typing your password), become root, and view the /var/log/secure log file.

albert$ ssh bohr.physics.org
bohr$ su -
root@bohr# less /var/log/secure

If you see a line that looks like this

Authentication refused: bad ownership or modes for directory [dir_name]

the problem is almost certainly that the permissions of that directory are too loose. The SSH server (that is, the daemon running on Bohr) will not accept an authorized_keys file that lives in a group- or world-writable directory. This is to avoid the situation where another user on Bohr copies an authorized_keys file of his own making into your .ssh directory. If he could do this, he could log on to Bohr using your account, without knowing your password.

To fix the problem, do this on Bohr as your own user (not as root, since ~ would then be root's home directory):

bohr$ chmod go-w ~/
bohr$ chmod go-w ~/.ssh
bohr$ chmod 600 ~/.ssh/authorized_keys

Log out of Bohr, and try to SSH Bohr again.
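An added example, not from the original how-to, that reproduces the ownership and mode check sshd applies (with its default StrictModes) to your home directory, .ssh and authorized_keys, prints the offenders in the wording of the /var/log/secure line above, and applies the three chmod commands. It assumes GNU coreutils (stat -c) and runs against a scratch home directory created with deliberately loose modes.

```shell
#!/bin/sh
# Added example (not from the original how-to): emulate sshd's StrictModes
# check for the paths behind authorized_keys and the how-to's fix for it.
# Assumes GNU coreutils (stat -c) and that the login user is the current user.
set -u

# unsafe PATH -> prints a reason and returns 0 if sshd would reject PATH:
# owned by someone other than the login user or root, or group/world writable.
unsafe() {
    owner=$(stat -c %u "$1"); mode=$(stat -c %a "$1")
    if [ "$owner" -ne "$(id -u)" ] && [ "$owner" -ne 0 ]; then
        echo "bad ownership (uid $owner) for $1"; return 0
    fi
    if [ $(( 0$mode & 022 )) -ne 0 ]; then   # 022 = group or world write bit
        echo "bad modes ($mode) for $1"; return 0
    fi
    return 1
}

# check_strict_modes HOME_DIR -> 0 if public-key login would be accepted,
# 1 otherwise; one line per offending path, worded like /var/log/secure.
check_strict_modes() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; rc=1; continue; }
        if reason=$(unsafe "$p"); then
            echo "Authentication refused: $reason"; rc=1
        fi
    done
    return $rc
}

# fix_strict_modes HOME_DIR -> the how-to's three chmod commands
fix_strict_modes() {
    chmod go-w "$1" "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys"
}

# Demo on a scratch home deliberately created with loose modes.
demo() {
    tmp=$(mktemp -d); mkdir "$tmp/.ssh"; : > "$tmp/.ssh/authorized_keys"
    chmod 777 "$tmp/.ssh"; chmod 664 "$tmp/.ssh/authorized_keys"
    check_strict_modes "$tmp" || echo "-> would be refused, applying fix"
    fix_strict_modes "$tmp"
    check_strict_modes "$tmp" && echo "-> now acceptable"
    rm -rf "$tmp"
}
demo
```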


If you find any errors or think certain sections need to be explained in depth, please e-mail me.
Peter Skaarup