Tired of typing passwords to SSH servers you often access? Well, get used to it! Passwords provide a high level of security, but they have a tendency to be tedious, and they also prevent you from running local scripts that automatically log on to your server to perform tasks, or simply back up or copy files from your server to your local Mac. The good news is that there is a simple solution to all this.

To enable automatic login to an SSH server, the server must have a copy of your public key. The matching private key is encrypted with what we call a passphrase, meaning that when you access a server that has a copy of your public key, it prompts you for your passphrase instead of the system user account password. So we did not really fix the problem, we just shifted it, but we shifted it in the right direction, and now we can do something about it.
Passphrase exchange
The most daring users simply create a key pair with an empty passphrase. This introduces a security problem: if someone somehow gains access to a copy of your private key, they gain access to every server that trusts your key.

A more secure way of solving this is to use a program (ssh-agent) to hold the passphrase and propagate it. This solution is quite good, but like everything else it comes with a few drawbacks. You need to have your shell environment set up correctly, and only applications with the correct environment settings are able to benefit from it. In OS X you can avoid this problem simply by using the system utility "Keychain Access". It will store and propagate your passphrase, and in Leopard (10.5) Apple finally introduced native support for using Keychain Access from the terminal as well.
OS X has native support for creating and storing passphrases (Keychain Access), so setting this up on your Mac is not that hard. Linux users reading this can also follow along; the only difference is which application you use to store the passphrase. Gnome users, for example, will normally use the Gnome Keyring application.
ssh-keygen -t rsa
ssh-keygen will then ask where to store the key pair it is about to create. Normally the default suggestion works just fine (the private key goes to ~/.ssh/id_rsa and the public key to ~/.ssh/id_rsa.pub). ssh-keygen then asks you to enter a passphrase. Please use something secure here, and please also remember it.
Copy the public key to the server, either by appending it to authorized_keys over ssh:
cat ~/.ssh/id_rsa.pub | ssh username@example.com "cat - >> ~/.ssh/authorized_keys"
or by copying it with scp (note that this form overwrites any existing authorized_keys on the server, so use the first form if other keys are already installed there):
scp ~/.ssh/id_rsa.pub username@example.com:~/.ssh/authorized_keys
Then, on the server, restrict the permissions on the file to even further improve your system security:
chmod 0600 ~/.ssh/authorized_keys
Now you should be all set. The very first time you access the server by ssh, Keychain will prompt you for your passphrase, then store it, and you will never have to type it again.
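As an added example (these are not the post's own commands), the following POSIX shell script performs the authorized_keys step from above locally on constructed files: it appends the public key only if it is not already present, so re-running it never duplicates the key, and sets the 0700/0600 permissions sshd requires. The server-side path (~/.ssh/authorized_keys) is replaced by a temporary directory for the dry run.

```shell
#!/bin/sh
# Added example, not from the original post. Installs a public key into an
# authorized_keys file idempotently and fixes permissions; run locally here
# against constructed files, on a server pass ~/.ssh/authorized_keys.

# add_authorized_key PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Appends the key only if its key material (2nd field of the pubkey line) is
# absent, then sets the directory to 0700 and the file to 0600: sshd ignores
# authorized_keys when the file or its directory is group/world writable.
add_authorized_key() {
    pubkey_file=$1
    auth_file=$2
    key_material=$(awk 'NR == 1 { print $2 }' "$pubkey_file")
    if [ -z "$key_material" ]; then
        echo "no key material found in $pubkey_file" >&2
        return 2
    fi
    auth_dir=$(dirname "$auth_file")
    mkdir -p "$auth_dir"
    chmod 0700 "$auth_dir"
    touch "$auth_file"
    if grep -qF -- "$key_material" "$auth_file"; then
        echo "key already authorized, nothing appended"
    else
        cat "$pubkey_file" >> "$auth_file"
        echo "key appended to $auth_file"
    fi
    chmod 0600 "$auth_file"
}

# count_authorized_keys FILE: number of key lines present
count_authorized_keys() {
    awk '/^ssh-/ { n++ } END { print n + 0 }' "$1"
}

# has_mode PATH OCTAL: true only if PATH has exactly that mode
# (a plain octal argument to find -perm is an exact match)
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# Local dry run on a constructed (not real) key; the second call is a no-op.
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample user@mac\n' > "$demo_dir/id_rsa.pub"
add_authorized_key "$demo_dir/id_rsa.pub" "$demo_dir/.ssh/authorized_keys"
add_authorized_key "$demo_dir/id_rsa.pub" "$demo_dir/.ssh/authorized_keys"
```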
Comments
Sienna Miller S... (not verified)
Tue, 11/16/2010 - 9:04am
Great post! A fantastic summary/overview.
Thanks for the work! Keep going!
John Son (not verified)
Wed, 01/26/2011 - 8:22pm
By disabling password-based authentication and requiring ssh key pairs, you reduce the chances of compromise via a brute force attack. This can also help you protect against weak account passwords since a valid private key is required to gain access to the server. However, a weak account password is still a big problem if you allow your users to use sudo.
webmaster
Sat, 04/02/2011 - 9:29pm
Older post but still a good read, updated and added more information, language cleanup + added a few illustrations to it.
Meat Rabbits (not verified)
Wed, 05/18/2011 - 6:50pm
This is a great resource that you are providing. I have got lots of information from here. Continue posting more informative and interesting posts. Thanks!
Brazilian Wax (not verified)
Wed, 06/01/2011 - 5:42pm
A great thing about SSH: It works well over slow connections. More importantly, SSH is secure. In fact, that’s what it’s called, Secure Shell. Your communications are conducted through an encrypted session and your passwords are always protected.
FertilityBlend (not verified)
Thu, 06/02/2011 - 11:19am
A great way to make use of ssh-agent is with the pam_ssh module. This makes it possible to only type one password when you log in (as usual) and also unlock your SSH keys. For the rest of the session you can use SSH without typing any passwords.
james (not verified)
Thu, 06/02/2011 - 8:12pm
As long as this isn't going to affect my system security I am willing to give it a try, but I will have to ask an IT engineer for help just to make sure nothing goes wrong. You never know who is out there waiting to get a hold of your business data so I would rather not risk to have my content security damaged in any way.
Razor Bumps (not verified)
Wed, 06/15/2011 - 11:29am
May perhaps be sometime you won't get any alert as just like hacker runs the lastest kernel exploit on your server and logs into SSH and fosters their very own SSH/telnet connection. Avoiding might be found you should maintain your system up-to-date by installing a firewall along with the latest security releases.
Razor Bumps (not verified)
Thu, 06/16/2011 - 2:46pm
It is possible to automate SSH connections by generating “passphrase-less” secure keys and modifying our connection settings to use the new keys. In general, I would only recommend this procedure if you have a specific requirement for automating file transfers, and you clearly understand the security implications.
Female Bodybuilders (not verified)
Fri, 07/15/2011 - 10:42am
An attention-grabbing discussion is price comment. Maybe you should create more posts related to this subject. It won’t be a taboo topic but typically people are not enough to talk on such topics. Good luck for your next posts! Keep it up.
Nitric Pure (not verified)
Fri, 07/15/2011 - 10:54am
I never thought that would be possible. Thanks for sharing what you have there!
Rod Khleif (not verified)
Fri, 07/15/2011 - 5:20pm
If you want to avoid having to input your password to log in to a machine, you have to generate a pair of public/private keys and copy the public one to the machine where you want to log in.
Wellness Coaching (not verified)
Sat, 07/16/2011 - 9:27am
Resources just like the one you mentioned here can be really employed to me! I am going to post one of the links to that page on my small blog. I am sure my visitors can get that very helpful. Thanks
digitale bildbe... (not verified)
Tue, 07/19/2011 - 3:25pm
Very nice article! It really made me interested here. Thank you for bringing more informative posts. I can't wait to read more of your blogs.
Henk (not verified)
Wed, 07/20/2011 - 11:27am
The security with Keychain/ssh-agent is not foolproof, but I think it's a magnitude better than using no password at all for your SSH key.
If you use a key with no password and someone breaks into your computer, they can take your SSH key and use it as they like from any computer (spybubble can be used for it). Breaking in could be as trivial as walking up to your computer when you are away for a minute and copying the key.
With a good password on the SSH key you raise the threshold *considerably*. Keychain/ssh-agent makes it possible to have a password without having to type it all the time.
seo dubai (not verified)
Wed, 08/24/2011 - 8:14am
This is the good blog..well to see this here..and good to post here..thanks for sharing here with us.
Alexey (not verified)
Sat, 09/03/2011 - 7:53pm
#!/usr/bin/expect -f
# Usage: ssh2 <hostname> <username> <password> [su password]
if { [llength $argv] < 3 } {
    send_user "Usage: ssh2 <hostname> <username> <password> <su password (optional)>\n"
    exit 1
}
# lindex returns the element itself; lrange would return a one-element list
set host [lindex $argv 0]
set user [lindex $argv 1]
set pass [lindex $argv 2]
set supass [lindex $argv 3]   ;# accepted but not used below
set timeout -1
spawn ssh $user@$host
match_max 100000
expect {
    "*yes/no*" {
        ;# first connection: accept the host key prompt, then keep waiting
        send -- "yes\r"
        exp_continue
    }
    "*?assword:*" {
        send -- "$pass\r"
    }
}
# hand the session over to the user
interact
pori (not verified)
Thu, 10/13/2011 - 12:06pm
Secure Shell (SSH) is a network protocol for secure communications, such as a service or remote execution of shell commands, and other secure networking between two computers, which connects them through secure channels over an unprotected network. The protocol specification distinguishes two main versions, known as SSH-1 and SSH-2.
Directory Website (not verified)
Thu, 10/13/2011 - 12:24pm
A safer way to solve this is to use a program (ssh-agent) to propagate the password. This solution is quite good, but like everything else that comes with some drawbacks.
xenon hid lights (not verified)
Wed, 10/19/2011 - 2:18pm
Thanks for taking the time to discuss this; I feel strongly about it and love learning more on this topic. If possible, would you mind updating your blog with more information? It is extremely helpful for me.
After Wax Spray (not verified)
Tue, 11/22/2011 - 7:12pm
Very informative and useful article indeed. I really like the way the writer has presented his views. I hope to see more great articles in the future as well.
Atik (not verified)
Wed, 11/30/2011 - 5:00am
To say the truth I am very impressed by what you told. You share tons of interesting info, neat and excellent design you’ve got here.
Anonymous (not verified)
Tue, 12/20/2011 - 2:33am
Great thanks for sharing this article post.
Anonymous (not verified)
Tue, 12/20/2011 - 2:33am
Nice post. It's really very useful for all internet lovers. Thank you so much.