Add new comment

Tired of typing passwords to SSH servers you often access? Well get used to it! Passwords provide a high level of security, but but it have a tendency be tedious, and also prevent you from running local scripts that automatic logon to your server to perform tasks or you you simply will backup/copy files from your server to your local Mac. The good news is that's a simple solution to all this.

SSH and keys, WTF

To enable automatic login to a SSH server, the server must have a copy of your public key. The key is signed by what we call a passphrase, meaning that, when you now access a server that got a copy of your public key it prompt your for your password (passphrase) instead of the system user account password. So we really did not fix the problem, we just shifted the problem, but we shifted it in the right direction, and now we can do something about it.

Passphrase exchange

Empty passphrase

The most daring users, simply create a public key with a empty passphrase. This introduce a security problem. If you somehow gained access to a copy of your privat key, they will gain access to all the servers that trust your key.

Use a agent to propagate the passphrase

A more secure way of solving this is using a program (ssh-agent) to propagate the passphrase. This solution is quite good, but like everything else it comes with a few drawbacks. You need to have your shell environment set up correctly, and only application with the correct environment setting is able to benefit from it. In OS X you are able avoid this problem simply by using the system utility "Keychain Access". It will store and propagate your passphrase, and in Leopard (10.5) Apple finally introduced native support for using Keychain Access also in terminal.

Setting it all up

OS X has native support for creating and storing pass phrases (Keychain access) so setting this up on your Mac is not that hard. Linux users that are reading this can also follow along then the only difference is what application you use to store the passphrase. Like an example will Gnome users normally use the Gnome Keyring application.

1. Create your set of keys:
   Start up the Terminal application and run:
   ssh-keygen -t rsa

   ssh-keygen will the ask where to store the public key it is about to create. Normally the default suggestion works just fine (~/.ssh/id_rsa.pub). ssh-keygen then ask you to enter a pass phrase. Please use something secure here and please also remember it.

2. Copy the public key to your SSH server
   Copy the newly created public key to the SSH server(s) you need to auto login into by using your favourite transport method. Please be careful not to overwrite ~/.ssh/authorized_keys if it already exist! This is how I personally copy the key, might not be your preferred method:
   • If authorized_keys exist:
     cat ~/.ssh/id_rsa.pub | ssh username@example.com "cat - >> ~/.ssh/authorized_keys"
   • If authorized_keys does not exist:
     scp ~/.ssh/id_rsa.pub username@example.com:~/.ssh/authorized_keys
     
3. Optional step: You might consider restricting file access to the file authorized_keys on the SSH server. chmod 0600 ~/.ssh/authorized_keys to even further improve your system security.

Now you should be all set. The very first time you access the server by ssh, Keychain will prompt you for your keyphrase and then store it and you will never have to type it again.