Passwordless SSH

Everyone talks about it; this is how I set up passwordless SSH.

I’m incurably lazy, and as we all know, lazy techs like to automate (ltla?).

I ssh a lot into my personal servers, and I get tired of having to type ssh account@server.com, and then enter my password. So I got smart.

iTerm Profiles

Since I’m on a Mac, the first thing I did was grab iTerm2. This lets me create simple profiles so with a click, I can log in to any of my servers. When I was using Windows, I used PuTTY and the add-on for Connection Manager. (The real PuTTY CM site is gone, and binarysludge just keeps a copy on hand for the same reasons I do. You never know when you need it. Mine’s in my Dropbox storage.)

What I really loved about PuTTY CM was that I could fill the pref file with my accounts and passwords, and then one-click connect to any of my servers. This was at The Bank Job, where I had a couple hundred servers to do this with, and when I had to change my password, I could search/replace that file. I know, it’s not secure. At DreamHost, I had the same, but they scripted it so I can sudo in with a handy call that I’m in love with. As long as I remember my password, I’m fine. But see, I told you, I’m horribly lazy and I hate having to log in with my password, then sudo again with my password.

The first step for this is to make an RSA key pair. This is a fancy way of telling both computers to trust each other, so on your personal computer (we’re assuming Linux here), go to your home folder and type this:

[Laptop] $ ssh-keygen -t rsa

You’ll be presented with a series of informative notes and questions. Accept all the defaults, and keep your passphrase empty.

Generating public/private rsa key pair.
Enter file in which to save the key (/home/ipstenu/.ssh/id_rsa): 
Created directory '/home/ipstenu/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/ipstenu/.ssh/id_rsa.
Your public key has been saved in /home/ipstenu/.ssh/id_rsa.pub.
The key fingerprint is:
3e:4f:05:79:3a:9f:96:7c:3b:ad:e9:58:37:bc:37:e4 ipstenu@[Laptop]

This saves your key pair in the .ssh folder (yes, it’s a folder): id_rsa is the private half that stays on your computer, and id_rsa.pub is the public ‘key’ you’ll copy to the server.

Now we have to set up the server (halfelf.org for example):

[Laptop] $ ssh myaccount@halfelf.org mkdir -p .ssh
myaccount@halfelf.org's password: 

This will SSH into halfelf as ‘myaccount’ and create a folder called .ssh. You only need to do this once, so after you set up the key for one computer, you can skip this the next time.

Finally we’re going to append the public key from my laptop over to HalfElf, so it trusts me:

[Laptop] $ cat .ssh/id_rsa.pub | ssh myaccount@halfelf.org 'cat >> .ssh/authorized_keys'
myaccount@halfelf.org's password: 

The reason we’re appending is so that if I decide I want to add my Work Laptop, I can just make the key, and then repeat that last command and it will add it to the bottom, trusting both.

There’s a caveat here, which caught me last week. I set everything up for my new server, ElfTest, and then moved the server to a VPS. The IP changed, so the trusted key was invalid. You see, every time you connect to a server for the first time, it asks you to trust its host key. If anything in that fingerprint changes, you have to re-trust it. This is annoying:

The authenticity of host 'elftest.net (111.222.333.444)' can't be established.
RSA key fingerprint is f3:cf:58:ae:71:0b:c8:04:6f:34:a3:b2:e4:1e:0c:8b.
Are you sure you want to continue connecting (yes/no)? 

After you respond “yes” the host gets stored in ~/.ssh/known_hosts and you won’t get prompted the next time you connect. When it became invalid, I had to go edit that file and delete the entry for elftest (it’s partly human readable, so it wasn’t too bad).

If you hate this as much as I do, and you feel you’re immune to man-in-the-middle attacks, there’s a nifty command:

ssh -o "StrictHostKeyChecking no" user@host

This turns off the key check. Generally speaking? Don’t do this. I’ve actually only done it once. (This was at the bank, where I was behind so many firewalls, if you’d gotten to my computer, I was in trouble anyway.)
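As an added example (not code from the original post), here is a small POSIX shell script that does the append step above so it can be run again and again without stacking duplicate keys, and that clears a stale known_hosts entry with ssh-keygen instead of hand-editing the file. The function names, the add_key.sh filename and the sample paths are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: does the post's
# "cat >> .ssh/authorized_keys" step idempotently. The key is appended
# only if it is not already there, and the directory and file get the
# modes sshd requires (700 / 600) before it will accept the key at all.
# add_authorized_key, forget_host and the paths in the usage comments
# are names assumed for this example.

# add_authorized_key <authorized_keys path> <public key line>
# Prints "added" if the key was appended, "present" if it was already there.
add_authorized_key() {
    keys_file=$1
    pubkey=$2
    # Compare key type + base64 body only, so the same key with a different
    # trailing comment (laptop vs work laptop) is not added twice.
    key_body=$(printf '%s\n' "$pubkey" | awk '{ print $1 " " $2 }')
    keys_dir=$(dirname "$keys_file")
    mkdir -p "$keys_dir"
    chmod 700 "$keys_dir"
    touch "$keys_file"
    chmod 600 "$keys_file"
    if awk -v want="$key_body" '($1 " " $2) == want { found = 1 } END { exit !found }' "$keys_file"; then
        echo present
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$keys_file"
    echo added
}

# forget_host <known_hosts path> <hostname>
# Drops every entry for that host, which the post did by hand in an editor
# after the server moved. Unlike a text search, this also works when
# HashKnownHosts has obscured the hostnames in the file.
forget_host() {
    ssh-keygen -f "$1" -R "$2"
}

# Against a server, replacing the post's one-liner (the script is piped to
# the remote sh; the key text is expanded on the laptop):
#   ssh myaccount@halfelf.org "sh -s -- ~/.ssh/authorized_keys '$(cat ~/.ssh/id_rsa.pub)'" < add_key.sh
# After a host key changed:
#   forget_host ~/.ssh/known_hosts elftest.net
if [ "$#" -ge 2 ]; then
    add_authorized_key "$1" "$2"
fi
```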

2 Comments

  1. Once you have done the above steps, you can further minimize the typing. For example, you can have the following in your ~/.ssh/config file…

    Host dhserver
    Hostname dhserver.com
    User halfelf
    IdentityFile ~/.ssh/id_rsa

    If the ~/.ssh/config file doesn’t exist, you may create one. From now, you can connect to the dhserver from the Mac OS terminal like this…

    ssh dhserver

    In the same way, we can create any number of configurations. So, whenever we want to check a client’s server, we could do like…

    ssh client1

    ssh client2

    ssh client3

    ssh dhserver1

    ssh dhserver2

    I hope this helps.

    • One of the only reasons I don’t do that is I have a few same domain/different TLDs to connect to, so ipstenu.com and ipstenu.org 😉 the extra four characters don’t kill me.

      And no, I don’t own ipstenu.com or .net.
