
Using SSH at McMaster

Using SSH without a Password

Introduction

OpenSSH is the de facto standard for connecting to unix hosts. With few exceptions, all unix (incl. Linux and OS X) systems have the ssh tools installed, allowing both outbound and, optionally, inbound ssh connections.

One very useful feature of ssh is the ability to run ssh, scp and sftp commands (and programs such as rsync, which use ssh for secure authentication) without having to enter your password each time. See Using SSH Keys for Passwordless Entry below for instructions.

Examples of commands which use the ssh protocol

Login to another host
smithj@mathserv> ssh johns@mybox

Execute a command on another host
smithj@mathserv> ssh bluespruce ls

Copy files between hosts
# copy file to home directory on another host (the trailing colon matters:
# without it scp just makes a local copy named "mybox")
smithj@mathserv> scp -p file.txt mybox:
# copy files to home directory on mybox using wildcards (left unquoted so
# the local shell expands them before scp runs)
smithj@mathserv> scp -p file.* mybox:
# copy directory and its contents to /tmp on another host
smithj@mathserv> scp -pr directory mybox:/tmp

Secure file transfer
# behaves very much like ftp; enter help at sftp prompt for more
smithj@mathserv> sftp johns@mybox

 

Using SSH Keys for Passwordless Entry

Each time you ssh, scp or sftp to another system, you will be prompted for your remote password; this can become tedious. SSH can use public-key authentication instead of password authentication, which means only having to type a password once (when you load your private key into the ssh-agent using your ssh private-key passphrase).

Synopsis

  1. Use ssh-keygen -f username to create your public key and password-protected private key.
  2. Copy your public key to the remote hosts
  3. Start the ssh agent ("key ring", as it were) and provide your password

You can then ssh to the remote hosts without entering your password.

Detailed Example

Create your public key and password-protected private key

Create your public and private keys.  This is done only once.

myusername@mybox> ssh-keygen -f ~/.ssh/myusername

Copy your public key to the remote hosts

Copy your public key to the remote host and add your public key to the remote account's authorization file. This is done once for each remote host.

# the .ssh directory must already exist on otherbox for this scp to succeed
myusername@mybox> scp -p ~/.ssh/myusername.pub me@otherbox:.ssh
myusername@mybox> ssh me@otherbox
# the next commands run on otherbox; authorized_keys2 is the legacy name,
# current OpenSSH reads both it and authorized_keys by default
me@otherbox> touch ~/.ssh/authorized_keys2
me@otherbox> cat ~/.ssh/myusername.pub >> ~/.ssh/authorized_keys2
me@otherbox> exit

Start the SSH agent and give it your private key

Start the SSH agent and give it your private key. This is done each time you login to mybox.

# ssh-agent -c prints csh-style commands; from bash or sh use ssh-agent -s.
# ssh-add with no argument only loads the default key names (id_rsa,
# id_ed25519, ...), so a key created with -f needs its path given explicitly.
myusername@mybox> eval `ssh-agent -c` && ssh-add ~/.ssh/myusername

Many desktop/window managers (including the Mac OS X / macOS desktop) will already have an ssh-agent running, in which case you will just need to run ssh-add.

From this point on, you will be able to ssh, scp and sftp to the remote host without being prompted for your remote password.
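The remote-side half of step 2 (create the authorization file, append the key, set the permissions sshd expects) written as a POSIX shell function. This is an added example, not part of the original page and not OpenSSH's own code; the key line it installs is a constructed placeholder rather than real key material, and the demonstration writes only to a temporary directory it creates itself. Beyond what the manual steps above do, it refuses a file that is not an OpenSSH public key (so a private key cannot be pasted in by mistake), fixes the directory and file modes that sshd's StrictModes check requires, and is idempotent, so running it twice does not duplicate the line.

```shell
#!/bin/sh
# Added example (not from the page): install a public key into an
# authorized_keys file the way the manual steps above do, with the
# permission and duplicate checks a careful administrator adds.
# The key below is a CONSTRUCTED placeholder, not real key material.
CONSTRUCTED_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKeyNotRealMaterial myusername@mybox'

# install_authorized_key PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Appends the public-key line in PUBKEY_FILE to AUTHORIZED_KEYS_FILE, creating
# the file and its directory if needed. Prints "installed" or
# "already installed"; returns 1 if PUBKEY_FILE is not a public key.
install_authorized_key() {
    pubkey_file=$1
    auth_file=$2
    ssh_dir=$(dirname "$auth_file")

    # An OpenSSH public key line is "<type> <base64> [comment]". Anything
    # else (notably a private key, which starts "-----BEGIN") is refused.
    key_line=$(head -n 1 "$pubkey_file")
    case "$key_line" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*|"sk-ssh-ed25519@openssh.com "*|"sk-ecdsa-sha2-nistp256@openssh.com "*)
            ;;
        *)
            echo "refusing: $pubkey_file is not an OpenSSH public key" >&2
            return 1
            ;;
    esac

    # sshd (with the default StrictModes yes) ignores the file when the
    # directory or the file is writable by group or others.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_file" && chmod 600 "$auth_file"

    # Exact whole-line match, so a second run is a no-op.
    if grep -qxF -- "$key_line" "$auth_file"; then
        echo "already installed"
    else
        printf '%s\n' "$key_line" >> "$auth_file"
        echo "installed"
    fi
}

# count_keys FILE -> number of key lines in FILE
count_keys() {
    grep -cE '^(ssh-|ecdsa-|sk-)' "$1"
}

# Demonstration in a throw-away directory (nothing under ~/.ssh is touched).
demo_dir=$(mktemp -d)
printf '%s\n' "$CONSTRUCTED_PUBKEY" > "$demo_dir/myusername.pub"
install_authorized_key "$demo_dir/myusername.pub" "$demo_dir/.ssh/authorized_keys"   # installed
install_authorized_key "$demo_dir/myusername.pub" "$demo_dir/.ssh/authorized_keys"   # already installed
rm -rf "$demo_dir"
```

This function is what you would run on otherbox after the scp in the example above, with the real paths in place of the temporary directory. OpenSSH also ships the ssh-copy-id script, which performs the same copy-and-append step in one command.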

Background

Public-key authentication relies on asymmetric encryption, in which there are two keys, the public key and the private key (in the usual RSA case, both derived from two large prime numbers), each of which can decrypt what the other has encrypted. SSH authenticates using the keys like this (more or less): when an ssh/scp/sftp connection is requested by your host, the remote host's ssh daemon uses your public key to encrypt a random message, which it sends to your host; your host knows your private key (via ssh-agent and ssh-add) and uses it to decrypt and then re-encrypt the message, which it sends back; if the remote ssh daemon can recover the original message using your public key, it assumes that all is well and the connection is established without asking you for a password.
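To make that round trip concrete, here is the challenge-response with textbook RSA on toy numbers (the p = 61, q = 53 example found in most textbooks: n = 3233, e = 17, d = 413). This is an added illustration, not code from the page or from OpenSSH, and the parameters are constructed for readability: real keys are thousands of bits long, and what OpenSSH actually returns is a signature over a hash of the session identifier rather than the bare challenge. The shape is the same, though: the server keeps only the public key (n, e), the client alone can apply d, and the server checks the response by applying e and comparing with what it sent.

```shell
#!/bin/sh
# Added example: textbook RSA challenge-response with toy parameters.
# Constructed for illustration only; real SSH keys are far larger and the
# client signs a hash of the session data rather than a raw challenge.
TOY_N=3233   # p*q with p=61, q=53
TOY_E=17     # public exponent (together with n, this is the "public key")
TOY_D=413    # private exponent: 17*413 = 7021 = 1 mod lcm(60,52) = 780

# modpow BASE EXP MOD -> prints BASE^EXP mod MOD by square-and-multiply,
# so intermediate values never exceed MOD*MOD.
modpow() {
    base=$(( $1 % $3 )); exp=$2; mod=$3; result=1
    while [ "$exp" -gt 0 ]; do
        if [ $(( exp % 2 )) -eq 1 ]; then
            result=$(( result * base % mod ))
        fi
        exp=$(( exp / 2 ))
        base=$(( base * base % mod ))
    done
    echo "$result"
}

# Client side: the private-key operation on the challenge. Only a holder
# of d (in practice, your ssh-agent) can produce this value.
sign_challenge() {
    modpow "$1" "$TOY_D" "$TOY_N"
}

# Server side: undo the response with the public key and compare it with
# the challenge. verify_response CHALLENGE RESPONSE -> exit status 0 on match.
verify_response() {
    recovered=$(modpow "$2" "$TOY_E" "$TOY_N")
    [ "$recovered" -eq "$1" ]
}

# authenticate CHALLENGE -> prints "accepted" or "rejected".
# A real server picks CHALLENGE at random, fresh for every connection,
# so a captured response is useless for a later login.
authenticate() {
    response=$(sign_challenge "$1")
    if verify_response "$1" "$response"; then
        echo "accepted"
    else
        echo "rejected"
    fi
}

# Example run with the classic textbook value 65.
authenticate 65   # accepted
```

Because x -> x^e mod n is a bijection on the numbers below n, any response other than the correct one maps back to a different number and is rejected, which is why guessing or altering a response by even one bit fails.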

At the risk of belabouring the obvious: maintaining the secrecy of the passphrase which protects your private key is extremely important. Anyone who can load your private key can access any account authenticated with your public key. Be sure to use a good passphrase: the two most important factors are length (at least twelve characters) and avoiding predictable phrases.

(See the xkcd comic "Password Strength" on this point.)


If you'd like a more thorough description of public-key encryption, see Netscape's Introduction to Public-Key Cryptography or SSH.com's Cryptography A-Z.