So, you know how to ssh and scp things with the best of them, but you're tired of having to always put in your password. Or maybe you want to set up an automated backup or some such thing, and can't always be there to enter the password...
You want to set up passwordless ssh for your machine. I'll take you through the steps to do it, but first a bit of theory.
HOW IT WORKS:
When your computer (say, your mac laptop) initiates an ssh connection to isbrae, it identifies itself, and identifies the isbrae user you intend to use (see the post logging in to isbrae for how you specify the username). It then has a few ways to attempt authentication- the one it defaults to if you haven't set anything up is to ask for your password. But first it checks to see if your user has set up an 'authorized keys' file. If so, it uses information in that file to determine whether your computer/user combination is authorized- if it is, no need for a password. We're going to set this up, through a process known as public key encryption, which essentially generates two keys- a 'private' key that only you and your computer have and have access to, and a 'public' key that you can install on any remote computer that uses this protocol- think of it as creating a personal key and padlock, you wouldn't want to let the key loose, but no worries if someone has your padlock... One key (no pun intended) part of this is that it is virtually impossible to hack your passphrase using only the public key- google 'public key encryption' for more detail.
So- you need to do 3 things:
1) Generate your public and private keys
2) Place each key in its appropriate place
3) Log in- with newer versions of OSX this prompts the mac 'keychain' utility to store the key passphrase for you, which allows you to skip the password.
Ok, on to 1):
in your terminal, start by issuing the command 'ssh-keygen':
ll-phoenix:~ bo$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/bo/.ssh/id_rsa): ./id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_rsa.
Your public key has been saved in ./id_rsa.pub.
The key fingerprint is:
43:c9:2e:5a:12:5b:71:9c:d5:4c:ee:60:07:2e:b0:d9 bo@ll-phoenix.wireless.dartmouth.edu
The key's randomart image is:
+--[ RSA 2048]----+
| o..oo+. |
| Ooo oo |
| . + E + o |
| + o o + |
| o o S . |
| + . . |
| . |
| |
| |
+-----------------+
ll-phoenix:~ bo$
As you may see from the exchange, you need to give the key a filename, and then enter a passphrase. This can be anything, but I'd suggest using one you know and remember well, so as not to have to remember too many things! For the filename, it will default to .ssh/id_rsa if you don't override. Notice that I did indeed override, primarily because I already have a file in .ssh called id_rsa and I didn't want to overwrite it. You will now see two new files:
ll-phoenix:~ bo$ ls -l id_rsa*
-rw------- 1 bo Glaciology 1766 Aug 6 08:50 id_rsa
-rw-r--r-- 1 bo Glaciology 418 Aug 6 08:50 id_rsa.pub
ll-phoenix:~ bo$
The one with the .pub suffix is, perhaps obviously, your public key. For the heck of it, lets see what it looks like:
ll-phoenix:~ bo$ head id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbs68yGNOHoJvt9v3XZ+cCMO1ea7kfh41MTGaqw9KeCGqt+H6gXO2NdMSpF67FsplSbCl5rD/PAI9zNU3IyNKf4uUFzDoaeLliRkgljHmI+Cd9Q5sWliBYxcyZ2L/1+gBGGI3YI+Saout2WZGNEvA3Elo4zvlv59QvfqQSFMHpArOMU6j7ufkenClcFeDvqMPz9zuAoQeTCwuIQH6s91QUA5xmG7EQ19hkJn7B5K3IKHjMh0tm9/FWdF4uSweYslbckHM8ilHJDOAjqijjwNcQdJNknU425WcytGItYF+SQ9ZEapqnMl5edlm3s+clUn7Im9RADRd22ylvhBA+VB6j bo@ll-phoenix.wireless.dartmouth.edu
ll-phoenix:~ bo$
Just some 'random' text, but it is important.
Now, lets move to step 2), putting the files in the right place. You will have a directory (a hidden one) called '.ssh' in both your local account and your account on isbrae. Your private key goes in your local .ssh directory, and your public key goes in your remote (on isbrae) .ssh directory:
ll-phoenix:~ bo$ mv id_rsa .ssh/
ll-phoenix:~ bo$ scp id_rsa.pub bo@isbrae:~/
Then log in to isbrae and make the move:
ll-phoenix:~ bo$ ssh -X isbrae
Last login: Tue Aug 5 15:36:04 2014 from ll-phoenix.wireless.dartmouth.edu
[bo@isbrae ~]$ mv id_rsa.pub .ssh/authorized_keys
Note that in addition to moving id_rsa.pub into the .ssh directory, I have also renamed it 'authorized_keys'. This is important. You can have multiple authorized keys, and they all go into the same file. If this is your first setup, then use the command I demonstrate above, but if you already have one machine set up for passwordless ssh, you will have to copy the text of the new id_rsa.pub key into the existing 'authorized_keys' file. Exactly how to do this is left as an exercise for the reader- there are a hundred ways to skin that cat (last word could be a clue).
Step 3) close everything out, quit your terminal, and then restart the terminal, and ssh as you would normally do. If all goes well, you should be prompted with a dialog box to save your password for the key, and say yes. Then, no more password entry!
IMPORTANT- A FINAL WORD ON SECURITY:
If you set up passwordless ssh into isbrae, this means that the security of isbrae is only as good as the security on your local machine- ie if someone gets into your account on your local machine, they will get into isbrae. For this reason, if you set up passwordless ssh, you NEED to secure your machine- no default login on startup, it should require a username and password, and also on waking up from sleep or screensaver you need to have it require password. This is good practice anyway, but extra important given the front door you have just opened to isbrae.
No comments:
Post a Comment