SSH login without password in OS X and Linux
If you are tired of typing passwords when logging in to SSH servers you access often, switching to keys for authentication will be a game changer. Complex passwords will in general provide a good level of security, but they are tedious and slow to type. Make sure these passwords are strong! Using passwords to authenticate also prevents you from running local scripts that automatically log in to other computers (like servers), run tasks, or keep a backup/copy job running between your laptop and your server(s). The good news is that there is a simple solution to all of this. I use a machine running OS X in this example, but it is pretty much the same on most Linux and *nix systems.
SSH and keys, WTF
For you to be able to log in to another machine automatically (unattended), that machine must have a copy of your public key. Your private key is protected by what we call a passphrase (you really should use a passphrase). When you then access a machine that has a copy of your public key, it prompts you for your passphrase instead of the system user account password. You might argue that by doing this we did not really fix the problem, we just shifted it and added another layer of confusion and complexity. But try to trust me, this is a move in the right direction.
Copy your public key to the machine you want to log into
Details on keys and passphrase exchange cycle
Using a empty (none) passphrase
The most daring users create a key pair with an empty passphrase. This introduces a big security problem: if someone gains access to a copy of your private key, they will also have access to all the servers that trust/use this key.
Use an agent to propagate the passphrase
A more secure way of solving this is to use a program (ssh-agent) to propagate the passphrase. This solution is quite good, but like everything else it comes with a few drawbacks. You need to have your shell environment set up correctly, and only applications with the correct environment settings are able to benefit from it. In OS X you can avoid this problem simply by using the system utility "Keychain Access". It will store and propagate your passphrase, and in Leopard (10.5) Apple finally introduced native support for using Keychain Access from the terminal as well.
Other systems have other key managers. If you need this from the command line, the normal way is to use ssh-agent and ssh-add:
ssh-agent /bin/bash
ssh-add
Setting it all up
OS X has native support for creating and storing passphrases (Keychain Access), so setting this up on your Mac is not that hard. Linux users reading this can also follow along; the only difference is which application you use to store the passphrase. Gnome users, for example, will normally use the Gnome Keyring application.
- Create your set of keys:
Start up the Terminal application and run:
ssh-keygen -t rsa -b 4096
If you prefer a more modern key type, ECDSA is by now a broadly supported choice. The key files created have a different name than for RSA, but that is all you need to change. The following command creates a 521-bit key (see https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm):
ssh-keygen -t ecdsa -b 521
ssh-keygen will then ask where to store the key it is about to create. Normally the default suggestion works just fine (the public key ends up in ~/.ssh/id_rsa.pub). ssh-keygen then asks you to enter a passphrase. Please use something secure here, and please also remember it.
- Copy the public key to your SSH server
Copy the newly created public key to the SSH server(s) you need to log in to automatically, using your favourite transport method. Please be careful not to overwrite ~/.ssh/authorized_keys if it already exists! This is how I personally copy the key; it might not be your preferred method:
- If authorized_keys exists:
cat ~/.ssh/id_rsa.pub | ssh username@example.com "cat - >> ~/.ssh/authorized_keys"
- If authorized_keys does not exist:
scp ~/.ssh/id_rsa.pub username@example.com:~/.ssh/authorized_keys
- Check your file permissions. A lot of different *nix systems are picky when it comes to permissions. Set your .ssh directory to 0700 and .ssh/authorized_keys to 0600:
chmod 0700 ~/.ssh
chmod 0600 ~/.ssh/authorized_keys
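The append-without-overwrite and permission steps above, written as one idempotent shell function. This is an added example, not the post's own commands; it is meant to run on the server side (for instance piped through ssh, the way the cat example above is), but it takes the .ssh directory as a parameter so it can be tried locally. The function and variable names are my own.

```sh
#!/bin/sh
# install_pubkey KEYLINE [SSHDIR]
# Appends one public-key line to authorized_keys without ever truncating the
# file, skips the append if that exact line is already present, and sets the
# permissions sshd expects (0700 on .ssh, 0600 on authorized_keys).
install_pubkey() {
    key="$1"                          # one line, i.e. the content of id_rsa.pub
    sshdir="${2:-$HOME/.ssh}"         # defaults to the current user's .ssh
    authkeys="$sshdir/authorized_keys"

    umask 077                         # anything created below is private
    mkdir -p "$sshdir"
    [ -f "$authkeys" ] || : > "$authkeys"   # create if missing, never overwrite

    # Fixed-string, whole-line match: no duplicate entries on repeated runs.
    if ! grep -qxF -- "$key" "$authkeys"; then
        printf '%s\n' "$key" >> "$authkeys"
    fi

    # Picky sshd builds silently ignore keys in group/world-accessible paths.
    chmod 0700 "$sshdir"
    chmod 0600 "$authkeys"
}

# Octal mode of a path; GNU stat (Linux) first, BSD stat (OS X) as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# How many times an exact key line occurs in SSHDIR/authorized_keys.
key_count() {
    grep -cxF -- "$1" "$2/authorized_keys"
}
```

Running the function twice with the same key leaves exactly one entry, and keys that were already in the file survive; this is essentially what ssh-copy-id does on the remote side.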
Usage
You should be all set. The very first time you now access the server by ssh, Keychain will prompt you for your passphrase and then store it, and you will never have to type it again.