Tuesday, December 23, 2008

SSH Pre-Authorized Logins

If you have multiple hosts which you access via ssh on a frequent basis, you may find that it's starting to become cumbersome having to constantly provide a password to log in. Fortunately there is an alternative, one which is extremely easy to configure too.

Firstly, let's examine the contents of the ~/.ssh directory (~ being the linux shortcut for your home directory i.e. /home/{user}). Generally this directory only contains one file : known_hosts. What does this file contain? Well, every time you attempt to gain access to a user@host using ssh for the first time, you will be prompted with a message similar to this:

This is a built in security feature in ssh which will prevent other hosts from gaining illegal access by posing as someone else or spoofing. This file will contain a line representing each user@host combination to have previously accessed your system using ssh.

The files used for pre-authorized logins are not created by default. We're going to create them step-by-step now.

  1. Create a public / private key pair.
    There are various types of keys available, for this example however, we're going to be using a RSA key pair. We'll be making use of the ssh-keygen utility to generate our key pair.

  2. note: Just press enter to accept the defaults when prompted. Do Not Enter A Passphrase. You should now notice that your ~/.ssh directory contains two more files in addition to your known_hosts file; namely id_rsa and id_rsa.pub. As you may have suspected from the name id_rsa.pub is your public key file. This is the file we're going to be using for this exercise.

    note: id_rsa is your private key file. Never give this file to anyone.

  3. Place your public key on the remote system.
    The second new file we're going to be dealing with is the ~/.ssh/authorized_keys file. The difference however, is that this file does not reside in your ~/.ssh directory, but in the ~/.ssh directory of the remote host. This file contains a line containing the public key of each user@host combination pre-authorized to log gain access to said system. i.e. user@host combinations who are not required to provide a password to gain access to the remote system.

    Step 2 involves you placing the contents of your ~/.ssh/id_rsa.pub file in the remote system's ~/.ssh/authorized_keys file. Once you have done this, you will be pre-authorized to log into the remote system and will not be prompted to provide a password every time you log in.

Here comes the neat trick: There are many methods you could use to achieve step 2. To name a few you could:
  • Use Copy & Paste between two terminals
  • Use scp to copy your ~/.ssh/id_rsa.pub across to the remote machine, and then append it manually
Just to name a few. But I'm going to show you my personal favorite: One command which will achieve this remotely for you. The only prerequisite is that the remote system already contains a ~/.ssh directory.

cat ~/.ssh/id_rsa.pub | ssh {user}@{host} 'cat >> ~/.ssh/authorized_keys'

This will be the last time you ever need to enter the password again.

1 comment:

  1. This is just what I need right now. A very good tip. Thank you for this.