How To SSH Login Without A Password: Using SSH-Keygen Quick Tutorial

A quick (very quick!) set of instructions on how to set up ssh login without password using ssh-keygen and ssh-copy-id. I was “inspired” to write this because of my “discovery” of ssh-copy-id! Wow did this save a few hair-tearing headaches!

Using ssh-keygen to set up ssh login without password

For this example, we are logged in as root on node01 and want to log in as root on node02 without password authentication. I will use RSA authentication (DSA is your second common choice).


So if you are already here, you already have a reason to set this up. If not, there are a lot of great reasons to use this, the primary being security (ssh traffic is encrypted). One other really cool thing is that you can run X Windows over ssh. Fantastic! Sure, vncserver is a lot better from a UI standpoint, but 1) the ports aren’t always available, and 2) the traffic is not encrypted. So there you go (by the by: I use Cygwin X to run X apps over ssh from my Windows laptop).

Okay… so two steps to set up SSH login without a password using ssh-keygen.


Two Steps:

  1. Set up the public and private key (ssh-keygen) on node01
  2. Copy node01 public key (by default ~/.ssh/id_rsa.pub) to node02 (~/.ssh/authorized_keys)

Here’s how to do it: using ssh-keygen and ssh-copy-id

# ssh-keygen -t rsa

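Generate the public and private keys on node01 using ssh-keygen -t rsa. Leave the passphrase blank; just hit return (after all, you do not want a password). With an empty passphrase the private key is stored unencrypted, so anyone who can read /root/.ssh/id_rsa can log in as root on node02.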

[root@node01~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
f1:50:cb:05:d5:34:7f:24:64:7f:d0:d6:18:5f:4b:1c root@node01
The key's randomart image is:
+--[ RSA 2048]----+
| ooo+XE=|
| o o .+X*|
| o o o*|
| + o|
| S . |
| |
| |
| |
| |
+-----------------+
[root@node01~]#

# ssh-copy-id -i ~/.ssh/id_rsa.pub root@node02

Copy node01’s public key to node02’s authorized_keys file using ssh-copy-id root@node02. While there are more “traditional” ways to transfer files, like ftp/sftp, this is the best way to do it for ssh key authentication if you want to save yourself a lot of headache.


[root@node01~]# ssh-copy-id root@node02
The authenticity of host 'node02 (1.1.16.59)' can't be established.
RSA key fingerprint is 93:cb:37:1f:d7:86:21:24:ab:6d:6e:df:21:35:56:42.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'node02,1.1.16.59' (RSA) to the list of known hosts.
root@node02's password:
[root@node01~]#

Now try logging into the machine, with "ssh 'root@node02'", and check in:

.ssh/authorized_keys

to make sure we haven’t added extra keys that you weren’t expecting.

By the way, the first time you log into a host, you will get the security warning. Just go through it to add the remote host (node02) key to the local host’s (node01) list of known hosts; the entry then shows up in ~/.ssh/known_hosts.

# ssh node02

You should now be able to ssh from root@node01 to root@node02.


[root@node01~]# ssh node02
Last login: Thu Dec 20 17:20:16 2012 from 1.1.13.134
[root@node02~]#

# more ~/.ssh/authorized_keys (on node02)

You can check the node02 authorized_keys file to verify it looks good.


[root@node02~]# more .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4b51BFm5VaHW0LePeTbi1BATmPWPt
M3AsU0MF60N0q2d0pleyhNv0U6BvqCS5iiqD6+dChpGZ7XWwG+77gVMjCMZn8xQm
Oep3UFxXYne1yEBQEQrMAJvSKZ9AhHZHhPJUcDog56Lx5VrdjnyoXrTNWaVK00Zb+
uuMXG/DvDg4f+NMeuXijFVmRwRDt6dILitu+Fv6vEjjATwYul92LvX01FwiIqdqr
NRK6SICrJz1aqcBPMwG3OSCaL3+ZqoJYgRO4UYzAsCxgRuH98z1poBHtQDUksPBm
aclPIHOfBE3xm6edJHm5fw5ciq+SFtu5RsEsJxKtCZFRQ== root@node01
[root@node02~]#

DONE!

If that’s all you wanted you can stop reading here. Otherwise, continue!

Why Use ssh-copy-id? (a.k.a. an old dog can learn new tricks.)

Sysadmins are creatures of habit. Me being a 15+ year sysadmin, let’s say I’m a huge creature of habit. In linux/unix there are MANY ways to accomplish the same thing, and once a sysadmin finds a way to do something, he will continue doing that for the rest of time. It will take some sort of major happening to change this.

Which is why I’m writing this: step 2 above, copying the id_rsa.pub file, is usually done through “normal” file transfer methods like sftp/ftp. However, this can lead to quite a few problems and headaches. I recently discovered the ssh-copy-id command on Linux and am just too happy!

Now the “old way” of accomplishing step 2 would be to concatenate the file using “normal” methods of file transfer and copy like sftp, ftp, or even copy and paste. And that is how you will have to do it if no ssh-copy-id command exists on your OS.

Doing it manually can have some issues you need to be careful of:

  1. First, the public key is just one long line of text, so when copying and pasting you can pick up newlines or other stray characters, and then the key won’t work.
  2. Second, during your sftp/ftp you may forget to rename the file and accidentally write over node02’s id_rsa.pub (BAD!).
  3. Third, you have to remember to concatenate, not write over. There may already be existing public keys in the authorized_keys file, and writing over it means previous hosts set up to ssh login without password will no longer work!!!
  4. Lastly, even if you do everything right with your sftp – it STILL may not work! I have had this happen to me. I was attempting to get two nodes to talk to each other and no matter how many times I did the exact same steps on both nodes, one node would not log in to the other node properly. I even wasted about 30 minutes doing it over and over and over again and still got the same frustrating results. Seriously… I wrestled for 30 minutes with this problem when using the “manual” way:

    root@node02 -> root@node01 = YES WAY ALRIGHT! :)
    root@node01 -> root@node02 = NO WAY JOSE! :(

The ssh-copy-id command will take care of all the above for you – no more gotchas! So if it is available (on most Linux systems it should be; not sure about Unix), use it. If not, then it’s a good idea to back up your remote host’s ~/.ssh directory (most notably the files id_rsa.pub and authorized_keys) before doing the process manually.
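
For a host without ssh-copy-id, the manual version of step 2 can be scripted so that the pitfalls listed above are checked rather than remembered. This is an added example, not code from the original post; the function name install_pubkey and the /tmp path are hypothetical, and the format check is only a shape test for common key types.

```shell
#!/bin/sh
# Added example (not from the original post): manual replacement for
# ssh-copy-id, run on node02 after the .pub file has been transferred.
# install_pubkey is a hypothetical helper name.
# Usage: install_pubkey PUBKEY_FILE [SSH_DIR]   (SSH_DIR defaults to ~/.ssh)
install_pubkey() {
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Pitfall 1: a pasted key that picked up line breaks is no longer one line.
    lines=$(grep -c . "$pub" || true)
    if [ "$lines" -ne 1 ]; then
        echo "$pub: expected 1 key line, found $lines" >&2
        return 1
    fi
    key=$(grep . "$pub" | tr -d '\r')

    # Shape check only: "<type> <base64> [comment]" for common key types.
    if ! printf '%s\n' "$key" | grep -Eq \
        '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/]+={0,2}( .*)?$'
    then
        echo "$pub: does not look like a public key" >&2
        return 1
    fi

    # sshd's StrictModes (on by default) refuses keys when ~/.ssh or
    # authorized_keys is group- or world-writable: a common reason a
    # correctly copied key "still does not work".
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Pitfall 3: append, never overwrite; do nothing if already installed.
    if grep -qxF "$key" "$auth"; then
        return 0
    fi
    # Keep an existing last line that lacks a newline from fusing with ours.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
}

# Example call on node02 (the /tmp path is a placeholder):
#   install_pubkey /tmp/node01_id_rsa.pub
```

Because the key is copied to a separate file name and only appended, node02’s own id_rsa.pub is never touched (pitfall 2).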

Enjoy! Good luck!


3 thoughts on “How To SSH Login Without A Password: Using SSH-Keygen Quick Tutorial”

    • If you are overly concerned about security, use DSA. If you are overly concerned about performance and speed of verification, use RSA. Otherwise, there is really no difference and you can use either. Some people have irrational preferences (like me :D for RSA!)
