Setting Up Passwordless Authentication with SSH

Problem

You are constantly logging into remote servers throughout the day, and each time you are prompted for your password. Not only is this a drag, but it's also somewhat of a security risk.

Solution

A better alternative to entering passwords for each of your servers is to use cryptographic authentication with SSH public/private key pairs.

Generate a public/private key pair with:

$ ssh-keygen -t dsa

You can just hit Enter through all the questions for now. You can always rerun the command later if you decide to change the defaults.

Now, install your public key on the remote server of your choosing with the command:

$ cat ~/.ssh/id_dsa.pub | ssh rob@myhost "cat >> .ssh/authorized_keys2"

Replace rob with your username on the server and myhost with the domain name or IP address of your server.

A common problem you may encounter with this is incorrect permissions on the .ssh directory and the files therein. Be sure that your .ssh directory and the files in it are readable/writable only by their owner:

$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys2
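
An added example, not part of the original recipe: a shell helper to run on the server that appends a public key to authorized_keys2 only if it is not already there, applies the 700/600 permissions shown above, and reports anything in the directory that group or others can access. The function names, the throwaway demo directory and the sample key line are constructed for illustration.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE [SSH_DIR] [AUTH_FILE_NAME]  (hypothetical helper)
# Appends the first line of PUBKEY_FILE once, then enforces owner-only modes.
install_pubkey() {
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/${3:-authorized_keys2}
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    key=
    IFS= read -r key < "$pub" || true
    [ -n "$key" ] || { echo "$pub is empty" >&2; return 1; }
    # umask 077 keeps newly created entries private from the start
    ( umask 077; mkdir -p "$dir" && touch "$auth" ) || return 1
    # -x whole line, -F fixed string: skip the append if the key is present
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    chmod 700 "$dir" && chmod 600 "$auth"
}

# audit_ssh_perms [SSH_DIR]  (hypothetical helper)
# Returns 1 if the directory or any file in it has group/other permission bits.
audit_ssh_perms() {
    dir=${1:-$HOME/.ssh}
    rc=0
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue
        # Characters 5-10 of the ls mode string are the group and other bits
        case $(ls -ld -- "$f" | cut -c5-10) in
            ------) ;;
            *) echo "too permissive: $f" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Demo in a throwaway directory with a constructed (fake) key line
demo=$(mktemp -d)
echo 'ssh-dss AAAAB3-constructed-sample-not-a-real-key rob@laptop' > "$demo/id_dsa.pub"
install_pubkey "$demo/id_dsa.pub" "$demo/.ssh"
install_pubkey "$demo/id_dsa.pub" "$demo/.ssh"   # second run appends nothing
audit_ssh_perms "$demo/.ssh" && echo "permissions OK"
```
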

Discussion

The advantage of passwordless authentication is that it avoids passwords, which can be sniffed over the wire and are subject to brute-force attacks. Cryptographic authentication eliminates both risks. You are also less likely to make the mistake of leaving your password in your local logs from failed login attempts.

As with most security-related issues, there are always trade-offs. If you store your private key on your local machine, anyone who has access to your machine can potentially gain access to your servers without needing to know your passwords. Be aware of this potential vulnerability when you leave your computer unattended and when you're considering a security plan.
