Enabling password-less logins with ssh (a.k.a. using key-based authentication)

Here is a quick guide to setting up key-based logins to your account. This tutorial assumes the following:

  * you have NO OTHER keys set up on your account or local computer
  * you are able to keep access to the key file secure (if not, DO NOT use passwordless keys)
  * your username is "jdoe" - replace "jdoe" with your real username in everything that follows

Ignoring any of the above pretty much promises trouble! Use at your own risk!

1. Log in to your account as normal with ssh and your password.

2. The directory /home/jdoe/.ssh is where your ssh keys and other related files are normally stored. Let's take a look at what the directory looks like before we change anything:

    bash-2.05a$ ls -al .ssh
    total 18
    drwx------   2 jdoe jdoe  1024 Jan 27  2003 .
    drwx--x--x  22 jdoe jdoe 14336 Feb 26 07:15 ..
    -rw-r--r--   1 jdoe jdoe  1690 Dec  7 17:11 known_hosts

   The file known_hosts might be missing on your account. This is normal. known_hosts is a record of the hosts you have attempted to connect to from this account. If you've never tried to make outside connections, this file will not exist.

3. Type: ssh-keygen -t rsa

    bash-2.05a$ ssh-keygen -t rsa

   The program will ask you a few questions. The entire output will look like:

    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/jdoe/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/jdoe/.ssh/id_rsa.
    Your public key has been saved in /home/jdoe/.ssh/id_rsa.pub.
    The key fingerprint is:
    50:b4:b0:ec:c8:dd:88:f2:ef:cb:b4:b4:07:b9:40:11 jdoe@your_domain.com

   Just press enter for each question. This will create a key with NO PASSWORD.

   Warning!!! Anyone with the key file can now log in to your account without a password. Make sure you keep the key private! A more secure method is to enter a passphrase when prompted for the key.

4. Let's take a look at the .ssh directory now:

    bash-2.05a$ ls -l .ssh
    total 4
    -rw-------   1 jdoe jdoe   887 Feb 26 07:16 id_rsa
    -rw-r--r--   1 jdoe jdoe   241 Feb 26 07:16 id_rsa.pub
    -rw-r--r--   1 jdoe jdoe  1690 Dec  7 17:11 known_hosts

   You'll see you have two new files: id_rsa and id_rsa.pub.

   id_rsa is your private key. Again, it's called private for a reason - anyone with this key can log in to your account. Keep this file secure!

   id_rsa.pub is the public key. You place this file into the authorized_keys2 file of any server you want to accept your private key for logins.

5. Type:

    cp .ssh/id_rsa.pub .ssh/authorized_keys2

   This creates an authorized_keys2 file with your public key in it. Note: If you have any other keys set up, they will be overwritten.

6. Just to make sure all is well, let's take another quick look at our .ssh directory:

    bash-2.05a$ ls -l .ssh
    total 3
    -rw-r--r--   1 jdoe jdoe   241 Feb 26 07:16 authorized_keys2
    -rw-r-----   1 jdoe jdoe  1690 Feb 26 07:16 id_rsa
    -rw-r--r--   1 jdoe jdoe  1690 Dec  7 17:11 known_hosts

7. Log off the remote server:

    exit

8. On your local computer:

    mkdir .ssh

   This will give an error if the directory already exists. Don't worry - we are just creating the directory in case it didn't already exist.

9. Now copy the remote file from your server account to your local computer using secure copy (scp). Type:

    scp jdoe@your_domain.com:~/.ssh/id_rsa .ssh/

   If for some reason this does not work, you can always open the file through other means and then copy-and-paste the contents into the file .ssh/id_rsa on your local computer. The file contents are just regular text and will copy-and-paste fine (even though they look like a bunch of garbled text!).

10. Let's take a quick look at our local .ssh directory just to make sure it is correct:

    [jdoe@garbage9 jdoe]$ ls -l .ssh/
    total 8
    -rw-------   1 jdoe jdoe   887 Feb 26 07:43 id_rsa
    -rw-r--r--   1 jdoe jdoe   615 Feb 26 07:42 known_hosts

    (Again, you may not have the known_hosts file - this is ok.)

11. You should now be able to log in without a password. Type:

    ssh your_domain.com

12. Once you are logged into your account, delete the private key. Type:

    rm .ssh/id_rsa

    You don't want a copy lying around on the server. You copied it down to your local computer in the previous step. It is no longer needed on the server.

13. You're done!

Didn't work? Check the following:

  * Is your username the same on both computers? ssh assumes it is and tries to log you in to the remote computer with the same username as your local account. If the usernames are different, you need to prepend "username@" to the host name in your call to ssh. You'd type this instead:

        ssh your_username@your_domain.com

  * Check your file permissions - ssh is picky about file permissions (and for good reason!). If your permissions are too loose, other users could copy your private keys, alter your keys, etc. ssh checks the file permissions and will not continue if it believes things are not secure.

Here is the final .ssh directory listing for both sides:

The local computer:

    drwxrwxr-x   2 jdoe jdoe  4096 Feb 26 07:43 .
    drwx------   3 jdoe jdoe  4096 Feb 26 07:41 ..
    -rw-------   1 jdoe jdoe   887 Feb 26 07:43 id_rsa
    -rw-r--r--   1 jdoe jdoe   615 Feb 26 07:42 known_hosts

The remote server:

    drwx------   2 jdoe jdoe  1024 Feb 26 07:20 .
    drwx--x--x  22 jdoe jdoe 14336 Feb 26 07:46 ..
    -rw-r--r--   1 jdoe jdoe   241 Feb 26 07:16 authorized_keys2
    -rw-r--r--   1 jdoe jdoe  1690 Dec  7 17:11 known_hosts

You could even argue that this is a bit loose. There's no real reason for group and others to have read access to your files. Feel free to issue the command:

    chmod og-r .ssh/authorized_keys2 .ssh/known_hosts

on the remote server and:

    chmod go-r .ssh/id_rsa .ssh/known_hosts

on your local computer to tighten things up further.

Directions for using keys with putty: (coming soon!)
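
The permission rules from "Check your file permissions" above can be checked mechanically. The following is an added example, not part of the original tutorial: a POSIX shell function that audits a .ssh directory. The function names audit_ssh_dir and has_bit are made up for this example, the file names follow the tutorial, and the FAIL rules assume OpenSSH's behaviour (the client's private key check and sshd's StrictModes).

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit a .ssh directory for the
# permission problems described above. File names follow the tutorial.

# has_bit PATH BIT... : true if PATH has at least one of the octal permission bits set.
# Uses only POSIX find primaries, so it does not depend on GNU or BSD stat.
has_bit() {
    _p=$1; shift
    for _b in "$@"; do
        [ -n "$(find "$_p" -prune -perm -"$_b" -print 2>/dev/null)" ] && return 0
    done
    return 1
}

# audit_ssh_dir DIR : prints one line per finding; returns 1 if any FAIL was found.
audit_ssh_dir() {
    _d=$1; _rc=0
    [ -d "$_d" ] || { echo "FAIL $_d: not a directory"; return 1; }

    # Anyone who can write to the directory can swap key files in or out.
    if has_bit "$_d" 020 002; then
        echo "FAIL $_d: writable by group/other (chmod go-w)"; _rc=1
    fi
    # The ssh client refuses a private key that group/other can access at all.
    if [ -f "$_d/id_rsa" ] && has_bit "$_d/id_rsa" 040 020 010 004 002 001; then
        echo "FAIL $_d/id_rsa: accessible by group/other (chmod go-rwx)"; _rc=1
    fi
    # sshd (StrictModes) rejects an authorized keys file that others can modify.
    if [ -f "$_d/authorized_keys2" ] && has_bit "$_d/authorized_keys2" 020 002; then
        echo "FAIL $_d/authorized_keys2: writable by group/other (chmod go-w)"; _rc=1
    fi
    # Readable by others is tolerated by ssh; the tutorial suggests tightening it.
    for _f in authorized_keys2 known_hosts; do
        if [ -f "$_d/$_f" ] && has_bit "$_d/$_f" 040 004; then
            echo "WARN $_d/$_f: readable by group/other (chmod go-r)"
        fi
    done
    return "$_rc"
}

# Audit the directory given as the first argument, if any.
if [ "$#" -gt 0 ]; then audit_ssh_dir "$1"; fi
```

Run it on both machines, for example as `sh audit.sh ~/.ssh` (the script name is arbitrary). The local listing shown above would produce a FAIL for the group-writable .ssh directory.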