If you have never connected to the other system before, then SSH to the system in the normal way, i.e. using a password:
$ ssh vinay@some.domain.com
You will be asked whether you want to add the machine's RSA fingerprint to your system's list of known hosts. Say 'yes' and you will be asked for the password... enter password... connected. You will not be asked this question from the next time onwards.
OK, now lets setup a password-less connection. This involves copying a security key generated on your system onto the machine that you want to connect to. First check if the key is already present in your system. If it is present, we can use it, else we will have to generate a new one. Here is how you check if you already have the key:
$ ls -l ~/.ssh total 24 -rw------- 1 vinay vinay 1204 2010-04-19 12:24 authorized_keys -rw------- 1 vinay vinay 668 2010-04-13 12:31 id_dsa -rw------- 1 vinay vinay 602 2010-04-13 12:31 id_dsa.pub -rw-r--r-- 1 vinay vinay 8496 2010-03-20 18:40 known_hosts
The file that we will have to copy over is "id_dsa.pub". If you do not see the file on your system, then here is how you generate one:
$ ssh-keygen -t dsa Generating public/private dsa key pair. Enter file in which to save the key (/home/vinay/.ssh/id_dsa): <hit enter key> Enter passphrase (empty for no passphrase): <hit enter key> Enter same passphrase again: <hit enter key> Your identification has been saved in /home/vinay/.ssh/id_dsa. Your public key has been saved in /home/vinay/.ssh/id_dsa.pub.
If you check the ~/.ssh folder, you must see the "id_dsa.pub" file. Now that you have the key (or if you had it before), you need to copy it to the machine that you want to connect to. Here is how you can do that:
$ ssh-copy-id -i ~/.ssh/id_dsa.pub vinay@some.domain.com
The ssh-copy-id command takes the contents of the "~/.ssh/id_dsa.pub" file on the current machine (i.e. the key that you generated or already had) and adds it end of the "~/.ssh/authorized_keys" file on the machine that you want to connect to.
That's it!! You can now connect directly, without using a password. Test the setup:
$ ssh vinay@some.domain.com
Note 1: If you do not have the ssh-copy-id command, then you can do the copy manually
$ scp .ssh/id_dsa.pub vinay@some.domain.com:temp_dsa.pub $ ssh vinay@some.domain.com $ cat temp_dsa.pub >> .ssh/authorized_keys $ rm temp_dsa.pub
Note 2: Make sure that the key that you generated is secure. Change your permissions to 600, if required:
$ chmod 600 ~/.ssh/id_dsa $ chmod 600 ~/.ssh/id_dsa.pub
Note 3: If you follow the above procedure and you are still unable to connect without a password, then check the "/var/log/auth.log" log file on the machine that you are connecting to. Here are two possible scenarios:
1. If you see a message like "Public key <fingerprint> from <source> blacklisted", then it means that your ssh key may have been compromised. Then, you will have to update your openssl and openssh packages and generate a new key and try out the whole procedure again.
2. If you see a message like "bad ownership or modes for directory /home/<user>", then it is most likely that your home folder has group write access... ssh does not like that at all. You will have to chmod your home directory permissions to 750.
Happy password-less SSHing and SCPing ;)
What happens when I change my password?
ReplyDelete