Using SSH without a Password
OpenSSH is the de facto standard for connecting to Unix hosts. With few exceptions, all Unix systems (including Linux and OS X) have the ssh tools installed, allowing outbound and, optionally, inbound ssh connections.
One very useful feature of ssh is the ability to execute ssh, scp and sftp commands (and programs such as rsync, which make use of ssh for secure authentication) without having to enter your password each time. See Using SSH Keys for Passwordless Entry below for instructions.
Examples of commands which use the ssh protocol
- Login to another host
smithj@mathserv> ssh johns@mybox
- Execute a command on another host
smithj@mathserv> ssh bluespruce ls
- Copy files between hosts
# copy file to home directory on another host
smithj@mathserv> scp -p file.txt
# copy file to home directory on spruce using wildcards
smithj@mathserv> scp -p "file.*"
# copy directory and its contents to /tmp on another host
smithj@mathserv> scp -pr directory mybox:/tmp
- Secure file transfer
# behaves very much like ftp; enter help at sftp prompt for more
smithj@mathserv> sftp johns@mybox
Using SSH Keys for Passwordless Entry
Each time you ssh, scp or sftp to another system, you will be prompted for your remote password; this can become tedious. SSH can use public-key authentication instead of password authentication, which means only having to type a password once (when you authenticate your private key for the ssh-agent using your ssh private-key passphrase).
- Use ssh-keygen -f username to create your public key and password-protected private key.
- Copy your public key to the remote hosts
- Start the ssh agent ("key ring", as it were) and provide your password
You can then ssh to the remote hosts without entering your password.
Create your public key and password-protected private key
Create your public and private keys. This is done only once.
myusername@mybox> ssh-keygen -f ~/.ssh/myusername
Copy your public key to the remote hosts
Copy your public key to the remote host and add your public key to the remote account's authorization file. This is done once for each remote host.
myusername@mybox> scp -p ~/.ssh/myusername.pub me@otherbox:.ssh
myusername@mybox> ssh me@otherbox
me@otherbox> touch ~/.ssh/authorized_keys2
me@otherbox> cat ~/.ssh/myusername.pub >> ~/.ssh/authorized_keys2
Start the SSH agent and give it your private key
Start the SSH agent and give it your private key. This is done each time you login to mybox.
myusername@mybox> eval `ssh-agent -c`
myusername@mybox> ssh-add ~/.ssh/myusername
Many desktop/window managers (including the Mac OS X / macOS
desktop) will already have an ssh-agent running, in which case you will
just need to run ssh-add.
From this point on, you will be able to ssh, scp and sftp to the remote host without being prompted for your remote password.
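The "copy your public key" step above can go wrong in ways that are easy to miss, so here is an added example (not part of the original page) of a shell function to run on the remote host: it refuses a private key file, appends the key only once, and sets the permissions that sshd's StrictModes setting (on by default) requires. The function name install_pubkey and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example: install a public key into an account's authorized_keys2 file.
# install_pubkey is a hypothetical helper name; run it on the remote host.
# usage: install_pubkey PUBKEY_FILE [HOME_DIR]
install_pubkey() {
    pub=$1
    home=${2:-$HOME}
    auth="$home/.ssh/authorized_keys2"   # file name used on this page

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Failure mode: copying the private key instead of the .pub file.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a private key; it must never leave your own host" >&2
        return 2
    fi

    # A public key file holds one line: "<type> <base64> [comment]".
    key=$(grep . "$pub")
    if [ "$(grep -c . "$pub")" -ne 1 ] || ! printf '%s\n' "$key" | grep -Eq \
        '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
    then
        echo "$pub does not look like an OpenSSH public key" >&2
        return 3
    fi

    # StrictModes: sshd ignores the file if it or ~/.ssh is writable by others.
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 4
    touch "$auth" && chmod 600 "$auth" || return 4

    # Append only if this exact line is not already present (safe to re-run).
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Demo with a constructed (not real) key and a scratch directory as HOME.
demo=$(mktemp -d)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotReal myusername@mybox' \
    > "$demo/myusername.pub"
install_pubkey "$demo/myusername.pub" "$demo"
install_pubkey "$demo/myusername.pub" "$demo"
grep -c . "$demo/.ssh/authorized_keys2"    # 1: the second run added nothing
rm -rf "$demo"
```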
Public-key authentication relies on asymmetric encryption, in which there are two keys (in fact, two large prime numbers), the public key and the private key, each of which can decrypt what the other has encrypted. SSH authenticates using the keys like this (more or less): when an ssh/scp/sftp connection is requested by your host, the remote host's ssh daemon uses your public key to encrypt a random message, which it sends back to your host; your host knows your private key (via ssh-agent and ssh-add) and uses it to decrypt and then encrypt the message, which it sends back; if the remote ssh daemon can recover the original message using your public key, then it assumes that all is well and the connection is established without asking you for a password.
At the risk of belabouring the obvious: maintaining the secrecy of
which protects your private key is extremely important. Anyone who can
load your private key can access any account authenticated with your
Be sure to use a good password: the two most important factors are length
(at least twelve characters) and avoiding predictable phrases.