A quick (very quick!) set of instructions on how to set up ssh login without a password using ssh-keygen and ssh-copy-id. I was “inspired” to write this by my “discovery” of ssh-copy-id. Wow, did this save a few hair-tearing headaches!
For this example, we are logged in as root on node01 and want to log in as root on node02 without password authentication. The walkthrough uses RSA keys. On a current OpenSSH, Ed25519 (ssh-keygen -t ed25519) is the better default; DSA, which used to be the second common choice, should not be used at all: OpenSSH has disabled DSA keys by default since version 7.0 and has removed support in recent releases.
So if you are already here, you already have a reason to set this up. If not, there are a lot of great reasons to use ssh for this, the primary being security: everything on the connection is encrypted, including anything you tunnel through it. One other really cool thing is that you can run X applications over ssh with X11 forwarding. Fantastic! Sure, vncserver is a lot better from a UI standpoint, but 1) the ports aren’t always available, and 2) plain VNC traffic is not encrypted. So there you go (by the by: I use Cygwin X to run X apps over ssh from my Windows laptop).
Okay… so two steps to set up SSH login without a password using ssh-keygen.
- Set up the public and private key (ssh-keygen) on node01
- Append node01’s public key (by default ~/.ssh/id_rsa.pub) to node02’s ~/.ssh/authorized_keys
Here’s how to do it: using ssh-keygen and ssh-copy-id
# ssh-keygen -t rsa
Generate the public and private keys on node01 using ssh-keygen -t rsa. Leaving the passphrase blank (just hit return) is what makes the login non-interactive, but understand the trade: the private key in /root/.ssh/id_rsa is then all anyone needs to become root on node02, so guard that file like a password. If you want the convenience without an unprotected key, set a passphrase and load the key into ssh-agent once per session instead.
[root@node01~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
The key's randomart image is:
+--[ RSA 2048]----+
[randomart rows truncated in the original]
# ssh-copy-id -i ~/.ssh/id_rsa.pub root@node02
Append node01’s public key to node02’s authorized_keys file using ssh-copy-id root@node02 (the -i option names the key file to send; without it, ssh-copy-id picks the most recent ~/.ssh/id*.pub). While there are more “traditional” ways to transfer files like ftp/sftp, this is the best way to set up ssh-key authentication if you want to save yourself a lot of headache.
[root@node01~]# ssh-copy-id root@node02
The authenticity of host 'node02 (220.127.116.11)' can't be established.
RSA key fingerprint is 93:cb:37:1f:d7:86:21:24:ab:6d:6e:df:21:35:56:42.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'node02,18.104.22.168' (RSA) to the list of known hosts.
Now try logging into the machine, with "ssh 'root@node02'", and check in:
  .ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
By the way, the first time you connect to a host you will get the host-key warning shown above. Answering yes stores node02’s host key in node01’s ~/.ssh/known_hosts, which is what lets later connections detect a changed or impersonated host. If that first connection matters to you, compare the fingerprint in the prompt with one read on node02’s own console (ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub) before you type yes; once the key is in known_hosts, ssh will abort with a loud warning if that host’s key ever changes.
# ssh node02
You should now be able to ssh from root@node01 to root@node02 without being asked for a password:
[root@node01~]# ssh node02
Last login: Thu Dec 20 17:20:16 2012 from 22.214.171.124
# more ~/.ssh/authorized_keys (on node02)
You can check the node02 authorized_keys file to verify that node01’s key is there and that nothing else was overwritten.
[root@node02~]# more .ssh/authorized_keys
If that’s all you wanted you can stop reading here. Otherwise, continue!
Why Use ssh-copy-id? (a.k.a. an old dog can learn new tricks.)
Sysadmins are creatures of habit. Me being a 15+ year sysadmin, let’s say I’m a huge creature of habit. In linux/unix there are MANY ways to accomplish the same thing, and once a sysadmin finds a way to do something, he will continue doing that for the rest of time. It will take some sort of major happening to change this.
Which is why I’m writing this: step 2 above, getting the id_rsa.pub file onto the other host, is usually done through “normal” methods like sftp/ftp to transfer a file. However, this can lead to quite a few problems and headaches. I recently discovered the ssh-copy-id command on Linux and am just too happy!
Now the “old way” of accomplishing step 2 would be to move the file over with “normal” methods like sftp, ftp, or even copy and paste, and then concatenate it onto authorized_keys. And that is how you will have to do it if no ssh-copy-id command exists on your OS.
Doing it manually has some issues you need to be careful of:
- First, the public key is one long line of text, so copying and pasting tends to introduce line breaks or other stray characters, and a key that has been wrapped or altered simply will not match.
- Second, during your sftp/ftp you may forget to rename the file and accidentally overwrite node02’s own id_rsa.pub (BAD!).
- Third, you have to remember to append, not overwrite. There may already be public keys in the authorized_keys file, and overwriting it means every host that was previously set up to log in without a password will stop working!
- Lastly, even if you do everything right with your sftp, it STILL may not work! I have had this happen to me. I was attempting to get two nodes to talk to each other and no matter how many times I did the exact same steps on both nodes, one node would not log in to the other node properly. I even wasted about 30 minutes doing it over and over and over again and still got the same frustrating results. Seriously, I wrestled for 30 minutes with this problem when using the “manual” way:
root@node02 -> root@node01 = YES WAY ALRIGHT!
root@node01 -> root@node02 = NO WAY JOSE!
The ssh-copy-id command takes care of all the above for you: no more gotchas! So if it is available (it comes with the OpenSSH client packages on most Linux distributions; check on other unixes), use it. If not, back up the remote host’s ~/.ssh directory (most notably id_rsa.pub and authorized_keys) before doing the process manually, and make sure afterwards that ~/.ssh is mode 700 and authorized_keys is mode 600: sshd’s StrictModes setting (on by default) ignores an authorized_keys file or ~/.ssh directory that is group- or world-writable, and the only symptom on the client side is a password prompt. Running ssh -v on the client shows which keys were offered and whether the server rejected them.
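Here, as an added example and not code from the original post, is the manual version of step 2 done the way ssh-copy-id does it, together with the login check you should run at the end of step 2. It is plain POSIX sh. The host name node02, the root account and the key path are the post's own example names; the helper names (validate_pubkey, install_authorized_key, count_keys, push_key, verify_key_login) and the sample public key are mine, and the sample key is a constructed placeholder rather than real key material. The local functions run against a throwaway directory so the script works with no second host; push_key and verify_key_login are the two that actually touch node02 and are only run when you call them.

```sh
#!/bin/sh
# Added example, not from the original post: the manual version of step 2 done
# the way ssh-copy-id does it, plus the login check for the end of step 2.
# root@node02 and the key path are the post's example names; the sample public
# key below is a constructed placeholder, not real key material.
set -eu

NL='
'
CR=$(printf '\r')

# Accept exactly one well-formed "type base64 [comment]" line and nothing else.
# Catches a key that was wrapped onto several lines or picked up stray
# characters in a paste (gotcha 1 above). Lines with an options prefix such as
# from="..." are out of scope. ssh-dss is left out on purpose: OpenSSH has
# disabled DSA keys by default since 7.0.
validate_pubkey() {            # usage: validate_pubkey "<pubkey line>"
    line=$1
    case $line in
        *"$NL"*|*"$CR"*) return 1 ;;                   # more than one line
        *" "*) ;;                                      # at least "type blob"
        *) return 1 ;;
    esac
    ktype=${line%% *}
    rest=${line#* }
    blob=${rest%% *}
    case $ktype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) return 1 ;;
    esac
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;              # not base64: something crept in
    esac
    return 0
}

# Append a key to <ssh-dir>/authorized_keys, creating the directory with the
# permissions sshd's StrictModes requires, appending rather than overwriting
# (gotcha 3 above) and skipping a key that is already present.
install_authorized_key() {     # usage: install_authorized_key "<pubkey line>" <ssh-dir>
    key=$1
    dir=$2
    file=$2/authorized_keys
    validate_pubkey "$key" || { echo "refusing malformed key" >&2; return 1; }
    (umask 077 && mkdir -p "$dir" && touch "$file")  # 700 / 600 when newly created
    chmod 700 "$dir"; chmod 600 "$file"              # and fixed if they existed with looser modes
    # Match on type + key material only; a different comment is not a new key.
    keyid=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' "$file"; then
        return 0                                     # already authorized, nothing to do
    fi
    printf '%s\n' "$key" >>"$file"
}

# Number of key lines in an authorized_keys file (0 for an empty file).
count_keys() { grep -c . "$1" || true; }

# The remote half of the job, which is what ssh-copy-id automates: the key goes
# over on stdin and the remote login shell appends it. Only POSIX constructs
# are sent, since root's shell on node02 may not be bash.
push_key() {                   # usage: push_key ~/.ssh/id_ed25519.pub root@node02
    validate_pubkey "$(cat "$1")" || { echo "refusing malformed key in $1" >&2; return 1; }
    ssh "$2" 'umask 077; mkdir -p ~/.ssh; touch ~/.ssh/authorized_keys;
              chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys;
              key=$(cat); grep -qxF -- "$key" ~/.ssh/authorized_keys ||
              printf "%s\n" "$key" >> ~/.ssh/authorized_keys' <"$1"
}

# Prove the key works. BatchMode refuses to prompt, so this exits 0 only if
# public-key authentication succeeded; a password fallback becomes an error.
verify_key_login() {           # usage: verify_key_login root@node02
    ssh -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=5 "$1" true
}

# Local demonstration on a throwaway directory; no network involved.
demo_dir=$(mktemp -d)
sample_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampl root@node01'   # constructed placeholder
install_authorized_key "$sample_key" "$demo_dir/.ssh"
install_authorized_key "$sample_key" "$demo_dir/.ssh"   # second run is a no-op
echo "keys after two installs: $(count_keys "$demo_dir/.ssh/authorized_keys")"   # 1
ls -ld "$demo_dir/.ssh" "$demo_dir/.ssh/authorized_keys"                         # drwx------ and -rw-------
rm -rf "$demo_dir"
```

validate_pubkey rules out the wrapped-paste and wrong-file problems from the list above before anything is written; install_authorized_key always appends, fixes the 700/600 modes sshd insists on, and treats a key that differs only in its comment as already present, so running it twice never produces duplicates. verify_key_login runs with BatchMode=yes, so it can never fall back to a password prompt: a zero exit means the key works, and a non-zero one means it is time to read ssh -v output rather than repeat the copy.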
Enjoy! Good luck!