Updated! (20 Nov 2001) Includes instructions for OpenSSH version 3.x. (This means that I removed references to authorized_keys2 as it is obsolete. If an earlier version of ssh is running on the server, you will have to substitute authorized_keys2 for authorized_keys below.)
Updated! (9 Nov 2001) Includes the SSH2 instructions and some corrections suggested by David Greaves.
I went searching for a good, general page that would explain how to do passwordless logins using ssh-agent and didn't find much. So I wrote this page.
Get a secure, encrypted connection to a remote machine without typing in a password.
Use OpenSSH to handle the authentication. If you are using putty, you might have trouble with this since the author says
Forms of SSH authentication other than password. I don't believe many of these can be made sensibly secure from a Windows box, even NT, and the ones that can tend to require the client to perform RSA private-key operations, which my current RSA code is too slow to do usefully. Plus they involve more typing than a password.
Note: Since the above was written, putty has included RSA key support.
(This misfeature has frustrated me before. And he is wrong about them requiring more typing.)
For Windows users, I recommend using the OpenSSH that is part of the CygWin toolset. I provide the minimum set of binaries that will provide the necessary functionality for the steps needed here. (Since the license on cygwin requires that source be distributed with the binaries, I'll point you to the website where you can find the source.) Note: If you are using this package, you may need to replace ~ with %HOME% throughout these directions.
Anyway, here is how to set up a pair of keys for passwordless authentication via ssh-agent.
$ ssh-keygen -t dsa -f ~/.ssh/id_dsa -C "you@example.com" Generating DSA keys: Key generation complete. Enter passphrase (empty for no passphrase): USE-A-PASSPHRASE Enter same passphrase again: USE-A-PASSPHRASE Your identification has been saved in ~/.ssh/id_dsa Your public key is: 1024 35 [really long string] you@example.com Your public key has been saved in ~/.ssh/id_dsa.pub $
However, it is probably better just to generate new keys for those hosts.$ scp ~/.ssh/id_dsa you@another-box:.ssh/
$ cat ~/.ssh/id_dsa.pub | ssh you@other-host 'cat - >> ~/.ssh/authorized_keys' you@other-host's password: $
Note: If an older version of ssh is running on the remote host, you may have to use the ~/.ssh/authorized_keys2 file.
Note: If your local machine is Windows, try
$ type ~/.ssh/id_dsa.pub | ssh you@other-host "cat - >> ~/.ssh/authorized_keys" you@other-host's password: $
If you don't get the prompt for your DSA key, then something has gone wrong.$ ssh you@example.com Enter passphrase for DSA key 'you@example.com': ^D $
Now that that works, you will want the passwordless part, right?
Since I run gdm on Debian Testing, ssh-agent is started automatically when I log in. If you don't have this benefit, you can get it by putting the following line at the end of my .xsession file:
ssh-agent gnome-session
Which basically means that ssh-agent starts up, creates a socket, sets up a couple of environment variables and then starts up gnome-session. That way all of the programs run in Gnome have access to the agent.
If you want to, say, put it in your .profile, then you might try the following setup. In my .bash_profile, I have
SSHAGENT=/usr/bin/ssh-agent if [ -z "$SSH_AUTH_SOCK" -a -x "$SSHAGENT" ]; then eval `$SSHAGENT` fi
This brings SSH_AUTH_SOCK and SSH_AGENT_PID as environment variables into the current shell.
Of course, you won't want the ssh-agent daemons sitting around, so you might want the following in your .logout:
kill $SSH_AGENT_PID
$ ssh-add ~/.ssh/id_dsa Need passphrase for /home/mah/.ssh/id_dsa (you@example.com). Enter passphrase: $
$ ssh you@example.com Last login: Tue Apr 25 13:40:21 1492 from europe.com Sun Microsystems Inc. SunOS 5.7 Generic October 1998 No mail. [you@example.com]$
Jubilation! It worked! Go forth and conquer!
Ok, so, did it work or no? Let me know.
And, please, unless you want someone else to use your keys, protect them with a passphrase. I didn't for a while, till I discovered ssh-agent.
If you want to use this setup for editing remote files in emacs under Windows, check out my Tramp-on-NT page.