SSH login without password in OS X and Linux

By webmaster, 2 April 2011

If you are tired of typing passwords when logging in to SSH servers you access often, switching to key-based authentication will be a game changer. Complex passwords generally provide a good level of security, but they are tedious and slow to type. Make sure these passwords are strong! Using passwords to authenticate also prevents you from running local scripts that automatically log in to other computers (like servers), run tasks, or perhaps keep a backup/copy running between your laptop and server(s). The good news is that there is a simple solution to all of this. I use a machine running OS X in this example, but it is pretty much the same on most Linux and *nix systems.

SSH and keys, WTF

For you to be able to log in to another machine automatically (unattended), that machine must have a copy of your machine's public key. Your private key is protected (encrypted) by what we call a passphrase (you really should use a passphrase). When you then access another machine that has a copy of your public key, it prompts you for your passphrase instead of the system user account password. You might argue that by doing this we did not really fix the problem, we just shifted it and added another layer of confusion and complexity. But trust me, this is a move in the right direction.


Copy your public key to the machine you want to log into

Figure: details on keys and the passphrase exchange cycle

Using an empty (no) passphrase

The most daring users create a key pair with an empty passphrase. This introduces a big security problem: if someone gains access to a copy of your private key, they also have access to all the servers that trust this key.

Use an agent to propagate the passphrase

Figure: Keychain Access

A more secure way of solving this is using a program (ssh-agent) to propagate the passphrase. This solution is quite good, but like everything else it comes with a few drawbacks. You need to have your shell environment set up correctly, and only applications with the correct environment settings are able to benefit from it. In OS X you can avoid this problem simply by using the system utility "Keychain Access". It will store and propagate your passphrase, and in Leopard (10.5) Apple finally introduced native support for using Keychain Access from the Terminal as well.

Other systems have other key managers. If you need this on the command line, it is normal to use *ssh-agent* and *ssh-add*:

ssh-agent /bin/bash
ssh-add

Setting it all up

OS X has native support for creating and storing passphrases (Keychain Access), so setting this up on your Mac is not that hard. Linux users reading this can also follow along; the only difference is which application you use to store the passphrase. For example, Gnome users will normally use the Gnome Keyring application.

  1. Create your set of keys:
    Start up the Terminal application and run:

    ssh-keygen -t rsa -b 4096

    If you prefer a more modern key type, ECDSA is by now a broadly supported one. The key files created have a different name than for RSA, but that is all you need to change. The following command creates a 521-bit key (see https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm):

    ssh-keygen -t ecdsa -b 521

    ssh-keygen will then ask where to store the key it is about to create. Normally the default suggestion works just fine (~/.ssh/id_rsa, with the public key written next to it as ~/.ssh/id_rsa.pub). ssh-keygen then asks you to enter a passphrase. Please use something secure here, and please also remember it.

  2. Copy the public key to your SSH server
    Copy the newly created public key to the SSH server(s) you need to log in to automatically, using your favourite transport method. Please be careful not to overwrite ~/.ssh/authorized_keys if it already exists! This is how I personally copy the key; it might not be your preferred method:

    • If authorized_keys exist:
      cat ~/.ssh/id_rsa.pub | ssh username@example.com "cat - >> ~/.ssh/authorized_keys"
    • If authorized_keys does not exist:
      scp ~/.ssh/id_rsa.pub username@example.com:~/.ssh/authorized_keys
  3. Check your file permissions. Many different *nix systems are picky when it comes to permissions. Set your .ssh directory to 0700 and .ssh/authorized_keys to 0600:

    chmod 0700 ~/.ssh
    chmod 0600 ~/.ssh/authorized_keys
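
As an added example (not from the original post), here is the server-side half of step 2 together with step 3 as shell functions: they create .ssh and authorized_keys when missing, append the key without ever truncating an existing file, skip it if the same key is already listed, and apply the step 3 permissions. The key file and .ssh directory are passed as parameters (my assumption, so the logic can be tried on a scratch directory first), and it goes slightly beyond the post by refusing input that does not look like a public key line.

```bash
#!/bin/bash
# Added example, not from the original post: server-side half of step 2 plus
# step 3 as functions. Paths are parameters (assumption) so the logic can be
# tried on a scratch directory before it touches a real ~/.ssh.

# install_pubkey PUBKEY_FILE SSH_DIR
# Appends the single key in PUBKEY_FILE to SSH_DIR/authorized_keys. Creates
# the directory and file when missing, never truncates an existing file, and
# skips the key when the same type + key material is already listed.
install_pubkey() {
    pubkey_file=$1
    ssh_dir=$2
    auth_keys="$ssh_dir/authorized_keys"

    # A public key line looks like "<type> <base64> [comment]"; refuse
    # anything else rather than appending junk to authorized_keys.
    key_line=$(head -n 1 "$pubkey_file") || return 1
    case "$key_line" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not a recognised public key: $pubkey_file" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir" || return 1
    touch "$auth_keys" || return 1      # creates the file, never truncates it

    # Match on type and key material only; the trailing comment may differ.
    key_body=$(printf '%s\n' "$key_line" | awk '{print $1 " " $2}')
    if grep -qF -- "$key_body" "$auth_keys"; then
        echo "key already present in $auth_keys, nothing to do" >&2
    else
        printf '%s\n' "$key_line" >> "$auth_keys" || return 1
    fi
    fix_ssh_perms "$ssh_dir"
}

# fix_ssh_perms SSH_DIR: the permissions from step 3.
fix_ssh_perms() {
    chmod 0700 "$1" && chmod 0600 "$1/authorized_keys"
}

# check_ssh_perms SSH_DIR: returns 0 only if the directory is 0700 and
# authorized_keys is 0600 (GNU stat on Linux, BSD stat on OS X).
check_ssh_perms() {
    dir_mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    file_mode=$(stat -c %a "$1/authorized_keys" 2>/dev/null || stat -f %Lp "$1/authorized_keys")
    [ "$dir_mode" = 700 ] && [ "$file_mode" = 600 ]
}
```

Run it on the server as `install_pubkey /tmp/id_rsa.pub ~/.ssh` after uploading the .pub file; calling it a second time is harmless.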

Usage

You should be all set. The very first time you now access the server by ssh, Keychain will prompt you for your passphrase and then store it, and you will never have to type it again.

Figure: Keychain stores the passphrase