Terry : SSH Public Key Authentication

Password free SSH (public key authentication)

Using SSH to connect to a remote computer is convenient, but it has a couple of drawbacks. One is that you have to type the password each time you connect, which is annoying in an interactive shell but unacceptable in a script, because the password then has to be stored in the script. The other is that a password can be cracked. A long, complex, random password helps, but that makes interactive logins even less convenient. It is more secure to set SSH up to work with no passwords at all. First you need to generate a key pair for SSH with ssh-keygen, like this for an RSA key pair (change the argument to dsa for DSA keys).

ssh-keygen -t rsa -C "root@linux.com"

This creates two files in ~/.ssh: id_rsa (or id_dsa) with your private key and id_rsa.pub with your public key. Now copy the public key to the remote computer and add it to the list of authorised keys with

cat id_rsa.pub >> ~/.ssh/authorized_keys

Or do it remotely:

Option 1 - ssh-copy-id (see below)

Option 2

cat ~/.ssh/id_rsa.pub | ssh vps 'cat >> ~/.ssh/authorized_keys'
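The one-liner above appends unconditionally (running it twice leaves duplicate keys) and assumes ~/.ssh already exists with sane modes. The shell function below is an added example, not code from the original page: it installs a public key the way ssh-copy-id does, but idempotently, and sets the directory and file modes that sshd expects. The key file path and the .ssh directory are parameters.

```shell
#!/bin/sh
# Added example (not from the original page): idempotent authorized_keys install.
# Usage: install_authorized_key /path/to/key.pub [/path/to/.ssh]
install_authorized_key() {
    pubkey_file=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth_keys="$ssh_dir/authorized_keys"

    # Accept only a single OpenSSH public key line (type, base64 blob, optional comment).
    key_line=$(head -n 1 "$pubkey_file") || return 1
    case "$key_line" in
        "ssh-rsa "*|"ssh-ed25519 "*|ecdsa-sha2-*|"ssh-dss "*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    # sshd (StrictModes) rejects a group/world-writable ~/.ssh or authorized_keys.
    mkdir -p "$ssh_dir" && chmod 0700 "$ssh_dir" || return 1
    touch "$auth_keys" && chmod 0600 "$auth_keys" || return 1

    # Compare on key type + blob only, so a different trailing comment
    # does not cause the same key to be appended twice.
    key_id=$(printf '%s\n' "$key_line" | awk '{print $1, $2}')
    if awk -v id="$key_id" '($1 " " $2) == id {found=1} END {exit !found}' "$auth_keys"; then
        echo "key already present in $auth_keys"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_keys"
    echo "key added to $auth_keys"
}
```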

OpenSSH Server Side Configuration

Make sure you have the following in sshd_config (/etc/ssh/sshd_config)

RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
#No root login
PermitRootLogin no

You can then log out of the SSH session and start it again. You will not be asked for a password (for the owner of ~ ONLY), although if you set a passphrase for the key you will be asked for that. Repeat this for each user and each remote computer. 

"PasswordAuthentication no" makes sshd refuse every connection that does not present a key, so password guessing against the server is no longer possible.

ssh-copy-id

ssh-copy-id - install your public key in a remote machine's authorized_keys

DESCRIPTION

ssh-copy-id is a script that uses ssh to log into a remote machine and append the indicated identity file to that machine's ~/.ssh/authorized_keys file.

ssh-copy-id [-i [identity_file]] [user@]machine

For example:

# -i defaults to ~/.ssh/id_rsa.pub
ssh-copy-id terry@support.au.oracle.com

# pem
ssh-copy-id -i terrywang.pub terry@terry.im
# pub key
ssh-copy-id -i vagrant.pub vagrant@box

Troubleshooting

Most likely failures are caused by bad ownership or modes (permissions) of the ~/.ssh folder and ~/.ssh/authorized_keys file on the OpenSSH Server side.

To troubleshoot ssh login issues, run sshd in the foreground with debug output

sudo /usr/sbin/sshd -Dd

Connect from ssh client

ssh user@host -vvv

NOTE: permissions for ~/.ssh and ~/.ssh/authorized_keys (strict is GOOD)

Folder / File              Permission
~/.ssh                     0700
~/.ssh/authorized_keys     0600

Example output when ~/.ssh/authorized_keys has mode 0666 (sshd reports it as "bad ownership or modes"):

debug1: attempt 1 failures 0
debug1: test whether pkalg/pkblob are acceptable
debug1: PAM: setting PAM_RHOST to "10.0.2.2"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: temporarily_use_uid: 501/501 (e=0/0)
debug1: trying public key file /home/vagrant/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
Authentication refused: bad ownership or modes for file /home/vagrant/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 501/501 (e=0/0)
debug1: trying public key file /home/vagrant/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for vagrant from 10.0.2.2 port 56975 ssh2
debug1: userauth-request for user vagrant service ssh-connection method publickey
debug1: attempt 2 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 501/501 (e=0/0)
debug1: trying public key file /home/vagrant/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
Authentication refused: bad ownership or modes for file /home/vagrant/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 501/501 (e=0/0)
debug1: trying public key file /home/vagrant/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for vagrant from 10.0.2.2 port 56975 ssh2

Fix it by changing modes to 0600.
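To check a directory for the refusal shown in the log above without restarting sshd, the shell function below (an added example, not code from the original page) applies the same two tests sshd's StrictModes uses on the paths in the table: not group/world writable, and owned by the user or root. The directory and expected owner are arguments; sshd additionally checks the parent directories up to the home directory, which this example leaves out.

```shell
#!/bin/sh
# Added example (not from the original page): StrictModes-style audit of ~/.ssh.
# Usage: audit_ssh_dir /path/to/.ssh [expected_owner]
# Returns the number of problems found (0 = would pass sshd's check).
audit_ssh_dir() {
    ssh_dir=$1
    owner=${2:-$(id -un)}
    problems=0
    for path in "$ssh_dir" "$ssh_dir/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "missing: $path"; problems=$((problems + 1)); continue
        fi
        # -perm -020 / -002: "these bits are set", i.e. group- or world-writable.
        if [ -n "$(find "$path" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "bad modes: $path is group/world writable"; problems=$((problems + 1))
        fi
        # sshd accepts the file only if the user or root owns it.
        if [ -z "$(find "$path" -prune \( -user "$owner" -o -user root \) -print)" ]; then
            echo "bad ownership: $path not owned by $owner or root"; problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ] && echo "ok: $ssh_dir passes StrictModes-style checks"
    return "$problems"
}
```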

ssh or scp using an identity file

-i identity_file

Selects a file from which the identity (private key) for public key authentication is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_rsa for protocol version 2.

Identity files may also be specified on a per-host basis in the configuration file. It is possible to have multiple -i options (and multiple identities specified in configuration files). ssh will also try to load certificate information from the filename obtained by appending -cert.pub to identity filenames.

SSH

ssh -i key.pem amazon_ec2_host
ssh -i terry.pem ubuntu@ec2-184-72-204-112.compute-1.amazonaws.com

SCP

scp -i terry.pem samplefile.txt ubuntu@ec2-184-72-204-112.compute-1.amazonaws.com:~
scp -i terry.pem ubuntu@ec2-184-72-204-112.compute-1.amazonaws.com:~/samplefile.txt ~/samplefile2.txt

Passphrase

Specify a passphrase when generating the key; it is used to encrypt the private part of the key file with 128-bit AES. When a login attempt is made, the private key id_rsa is read and the passphrase is required if one was set.

Files

~/.ssh/id_rsa

Contains the protocol version 2 RSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be used to encrypt the private part of this file using 128-bit AES. This file is not automatically accessed by ssh-keygen but it is offered as the default file for the private key. ssh will read this file when a login attempt is made.

~/.ssh/id_rsa.pub

Contains the protocol version 2 RSA public key for authentication. The contents of this file should be added to ~/.ssh/authorized_keys on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret.

~/.ssh/authorized_keys

A list of trusted public keys.

If you see the following error message when using a newly generated key pair

Agent admitted failure to sign using the key.

Please try to set SSH_AUTH_SOCK to 0 in the Terminal session and try again:

export SSH_AUTH_SOCK=0

Otherwise, try logging out of the current X session and logging back in; it is a known bug.

ssh Agent admitted failure to sign using the key on big endian machines

OpenSSL generated key pairs

NOTE: openssl generated key pairs can also be used for Public key authentication.

Use ssh -i to specify the private key (identity file) and connect to the ssh host, for example:

ssh -i key.pem user@host

More on how to use OpenSSL to generate keypairs: Use OpenSSL to generate key pairs

NOTE: PEM => Privacy Enhanced Mail.

GUI Tools

PAC Manager (SecureCRT equivalent): PAC Manager Website, PAC Manager@SourceForge.net

PuTTY - PuTTY is a free implementation of Telnet and SSH for Windows and Unix platforms, along with an xterm terminal emulator.

Reference

OpenSSH