Setting up SSH authentication without a password using keys
Sometimes you may want to log in to a server using ssh without having to enter a password. This can be very useful when writing scripts that need to use scp to copy files to another server, for instance.
To achieve this we use authentication keys. ssh version 1 uses RSA keys only and ssh version 2 can use either RSA or DSA keys.
Let's assume we are using ssh version 2 and want to use DSA keys (it doesn't particularly matter whether we use RSA or DSA; however, DSA is more secure).
Let's also assume we have two servers called serverA and serverB.
We want to login from serverA to serverB using ssh without supplying a password.
Log into serverA as the user that requires ssh login ability to serverB (let's say this user is tiger). This user does not need to be the same as the user on serverB.
As the user tiger, run the ssh-keygen command as follows. Choose the default file location, which will be in tiger's home directory, and just hit enter each time you are asked for a passphrase; this ensures no password is requested on login.
ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/tiger/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/tiger/.ssh/id_dsa.
Your public key has been saved in /home/tiger/.ssh/id_dsa.pub.
The key fingerprint is:
a4:22:c3:e0:ef:c4:1f:80:74:39:9b:54:96:18:c5:6c tiger@serverA
On serverB, lion is the user account we want to log into using ssh, so log in to serverB as lion. (The steps on serverB can be done as root, but you will then need to ensure that the directory and file discussed below are owned by the user lion.)
In the home directory of user lion, create a subdirectory called .ssh (obviously don't do this if .ssh already exists).
cd into .ssh and create a file called authorized_keys (again, this file may already exist).
Now on serverA copy the contents of the public key file /home/tiger/.ssh/id_dsa.pub and paste them into authorized_keys on serverB, retaining any keys that may already be in authorized_keys.
If copy and paste is not possible then the scp command can be used on serverA to copy the public key file to serverB with a command similar to the following.
scp ~/.ssh/id_dsa.pub lion@serverB:.ssh/authorized_keys
Only copy directly to authorized_keys if this file is empty; otherwise copy to a temporary file, then on serverB copy the key from the temporary file into authorized_keys.
An example of the contents of id_dsa.pub is shown below.
The key is all one line, and it is important that it remains one line when you paste it into authorized_keys, otherwise it will not work.
The string at the end of the key, in this case tiger@serverA, is not part of the key; it is a comment recording where the key was generated and may be omitted.
Ok, we are almost there; we just need to ensure that the file authorized_keys and the directory .ssh are owned by the user lion. If they aren't, use the following commands to change their ownership.
chown lion authorized_keys
chown lion .ssh
We also need to ensure the permissions of the authorized_keys file allow only read and write for the owner; for example, the command ls -l should display output similar to the following.
-rw------- 1 lion lion 1862 Aug 3 14:42 authorized_keys
If the permissions of this file are not correct use the chmod command as follows.
chmod 600 authorized_keys
Similarly, .ssh needs read, write and execute permissions for the owner, as the command ls -la will show.
drwx------ 2 lion lion 4096 Aug 3 14:43 .ssh
If the permissions are incorrect then use the chmod command as follows to set them.
chmod 700 .ssh
Also ensure the permissions on the home directory (in this case /home/lion) are no more permissive than 755; if they are, use chmod as follows.
chmod 750 /home/lion
If the ownership or permissions are not set correctly then ssh login using keys will fail.
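The serverB side of the steps above, collected into one script as an added example (this is not code from the original article). It appends the public key to authorized_keys without losing keys already there, keeps every key on its own line, and sets the ownership and permissions just described; the key file path, user and home directory are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original article: does the serverB side of the
# steps above in one go. Appends a public key to authorized_keys without
# losing keys already there, keeps every key on its own line, and sets the
# ownership and permissions described above. Run as root or as the target user.
# Usage: install_authorized_key <pubkey-file> <user> <home-dir>
#   e.g. install_authorized_key /tmp/id_dsa.pub lion /home/lion

install_authorized_key() {
    pubkey="$1"; user="$2"; home="$3"
    sshdir="$home/.ssh"; authfile="$sshdir/authorized_keys"

    # A public key file holds exactly one line: "<type> <base64> [comment]".
    [ "$(awk 'END { print NR }' "$pubkey")" -eq 1 ] ||
        { echo "$pubkey: public key must be a single line" >&2; return 1; }
    ktype=$(awk '{ print $1 }' "$pubkey")
    kblob=$(awk '{ print $2 }' "$pubkey")
    case "$ktype" in
        ssh-dss|ssh-rsa) ;;
        *) echo "$pubkey: unexpected key type '$ktype'" >&2; return 1 ;;
    esac
    printf '%s\n' "$kblob" | grep -Eq '^[A-Za-z0-9+/]+=*$' ||
        { echo "$pubkey: key data is not base64" >&2; return 1; }

    mkdir -p "$sshdir"
    touch "$authfile"
    # Compare type and key data only: the trailing comment (tiger@serverA
    # above) is not part of the key and may be absent or different.
    if awk -v t="$ktype" -v b="$kblob" \
           '$1 == t && $2 == b { found = 1 } END { exit !found }' "$authfile"; then
        echo "key already present in $authfile"
    else
        # If the last existing key lacks a final newline, add one first, so
        # the new key never ends up on the same line as the old one.
        if [ -s "$authfile" ] && [ -n "$(tail -c 1 "$authfile")" ]; then
            echo >> "$authfile"
        fi
        awk '{ print }' "$pubkey" >> "$authfile"   # print always adds "\n"
        echo "key added to $authfile"
    fi

    # Ownership and modes from the article: lion, 700 on .ssh, 600 on the
    # file; the home directory must not be group or world writable.
    chown "$user" "$sshdir" "$authfile"
    chmod 700 "$sshdir"
    chmod 600 "$authfile"
    chmod go-w "$home"
}
```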
Ok that's it, give it a try as follows.
On serverA, as the user tiger, run ssh to connect to serverB as lion. You should see output similar to the following.
The authenticity of host 'serverB (10.10.23.123)' can't be established.
RSA key fingerprint is 88:66:88:45:26:34:b9:a8:30:6d:50:b4:2f:53:e5:ab.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'serverB,10.10.23.123' (RSA) to the list of known hosts.
Last login: Tue Aug 2 02:09:27 2011 from 10.10.23.122
If this is the first time you have logged into serverB using ssh then you will be asked if you are sure; type yes at the prompt.
You should then be logged in without a password.
If not, the problem is usually that .ssh and authorized_keys do not have the correct ownership or permissions, or that the key in the authorized_keys file is not on one line (there are newlines or carriage returns in the key).
You can try to diagnose the issue by running ssh with the -v flag, for example.
ssh -v serverB
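Before reading through the ssh -v output, the following script, added here and not part of the original article, checks the serverB-side causes listed above: ownership and modes of the home directory, .ssh and authorized_keys, and keys that were split over several lines when pasted. The user and home directory are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original article: checks on serverB for the
# usual causes of key login failing listed above (wrong ownership or modes on
# the home directory, .ssh or authorized_keys, and keys that were split over
# several lines when pasted). Prints one line per problem; returns 0 if all
# is well and 1 otherwise.
# Usage: check_authorized_keys <user> <home-dir>   e.g. lion /home/lion

check_authorized_keys() {
    user="$1"; home="$2"
    sshdir="$home/.ssh"; authfile="$sshdir/authorized_keys"
    status=0

    for p in "$home" "$sshdir" "$authfile"; do
        if [ ! -e "$p" ]; then
            echo "PROBLEM: $p does not exist"; status=1; continue
        fi
        # -prune stops find descending, so $p is printed only if $user owns it.
        if [ -z "$(find "$p" -prune -user "$user" 2>/dev/null)" ]; then
            echo "PROBLEM: $p is not owned by $user"; status=1
        fi
    done
    # In the ls mode string, columns 6 and 9 are the group and other write bits.
    case "$(ls -ld "$home" 2>/dev/null | cut -c1-10)" in
        ?????w????|????????w?) echo "PROBLEM: $home is group or world writable"; status=1 ;;
    esac
    if [ -d "$sshdir" ] && [ "$(ls -ld "$sshdir" | cut -c1-10)" != "drwx------" ]; then
        echo "PROBLEM: $sshdir should be mode 700"; status=1
    fi
    if [ -f "$authfile" ] && [ "$(ls -l "$authfile" | cut -c1-10)" != "-rw-------" ]; then
        echo "PROBLEM: $authfile should be mode 600"; status=1
    fi
    [ -f "$authfile" ] || return $status

    # Every non-comment line must be one complete key: "<type> <base64> [comment]".
    # A key wrapped on paste leaves its tail on lines that fail this test.
    awk 'BEGIN { b64 = "^[A-Za-z0-9+/]+=*$" }
         /^[ \t]*(#|$)/ { next }
         !($1 ~ /^ssh-(dss|rsa)$/ && $2 ~ b64) {
             printf "PROBLEM: %s line %d is not a single complete key\n", FILENAME, NR
             bad = 1
         }
         END { exit bad + 0 }' "$authfile" || status=1
    return $status
}
```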
If the public key is lost you can regenerate it from the private key as follows (shown for an RSA key in ~/.ssh; use id_dsa for the DSA key generated above).
ssh-keygen -y -f id_rsa > id_rsa.pub