This document explains how to set up ssh to allow you to ssh to other hosts without having to type your password, so that ssh can be used for programs such as cvs, pvm and mpi which expect to use rsh to log in without passwords.
If you are just interested in getting passwordless ssh to work, and do not want to read all the details, you only need read the first section. These instructions should not compromise your security, but they do not explain how ssh security works.
Create your RSA public/private key pair by running: bash$ ssh-keygen. When prompted, accept its default location for your key, $HOME/.ssh/identity, and choose a passphrase when asked to (do not leave the passphrase blank; that is insecure).
Copy your public key to whichever host(s) you want to log into. This means copying the contents of $HOME/.ssh/identity.pub on the machine where you created the key to $HOME/.ssh/authorized_keys on the machine you want to log into. For machines within college, this translates as bash$ cat .ssh/identity.pub >> .ssh/authorized_keys
You will now want to use ssh-agent to manage your ssh key. This means you will enter your passphrase once, whenever you log in, and will not be prompted again. If you have logged in using X (a graphical login), all you need do is bash$ ssh-add and it will prompt you to enter your passphrase.
If you are not using a graphical terminal, you will need to start a process under ssh-agent so that it can manage your keys. In most cases, this means bash$ ssh-agent bash which will start a new shell; you then add your key as normal.
You may wish to add a line to your .Xsession file, so that you are prompted for your passphrase as soon as you log in. If you add the line
If you encounter problems, try bash$ ssh -v HOSTNAME which will print out verbose debugging information, allowing you to see exactly where it is failing.
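One cause of a key being ignored is the copy step itself: sshd, when its StrictModes check is on (the OpenSSH default), will not use an authorized_keys file if it or the .ssh directory is writable by group or others, and a plain cat >> run twice leaves duplicate entries. The following is an added example, not part of the original instructions; install_pubkey is a hypothetical helper that appends a public key once, fixes the modes, and refuses a file that looks like the private half of the pair.

```shell
#!/bin/sh
# Added example, not from the original page. install_pubkey is a
# hypothetical helper name; run it on the host you want to log into.
# usage: install_pubkey PUBKEY_FILE [SSH_DIR]   (SSH_DIR defaults to ~/.ssh)
install_pubkey() {
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Guard against passing identity instead of identity.pub: private key
    # files (SSH1 and PEM alike) carry the words "PRIVATE KEY" in their header.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key, refusing" >&2
        return 2
    fi

    # A public key is one line; take the first non-blank one.
    key=$(sed -n '/[^[:space:]]/{p;q;}' "$pub")
    [ -n "$key" ] || { echo "$pub contains no key" >&2; return 1; }

    # Create the directory and file private from the start, then force the
    # modes in case they already existed with looser permissions.
    ( umask 077 && mkdir -p "$dir" && touch "$auth" ) || return 1
    chmod 700 "$dir" || return 1
    chmod 600 "$auth" || return 1

    # Whole-line, fixed-string match: skip the append if the key is there.
    if grep -qxF -- "$key" "$auth"; then
        echo "key already present in $auth"
        return 0
    fi

    # Make sure the existing file ends in a newline so the new key does not
    # get glued onto the previous entry.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "key added to $auth"
}
```

For example, install_pubkey "$HOME/.ssh/identity.pub" on a machine that shares your home directory replaces the cat >> command above.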
You can leave the passphrase blank, to avoid ever having to type in a password/passphrase. However, because homespace on the nem-net and kwok-linux machines is exported via NFS, this can result in your private key being sent from the NFS server to the machine you are on in plain text.
To avoid this, you must either
ssh-agent exists to manage your keys. Whenever you run ssh, or something which uses ssh, such as scp, it will try and establish a connection to ssh-agent, by looking at its parent until it either finds ssh-agent or runs out of processes. On many systems, when you log in using X, rather than just starting your X session, and window manager etc, the login program will start these from within ssh-agent for you, and so all you need to do is add the appropriate key.
If you are not using X, you will probably need to start ssh-agent yourself, and then run a shell, or occasionally a program such as screen under ssh-agent.
The ssh-add command tries to add an ssh key to your collection. By default it reads $HOME/.ssh/identity, but can be configured. If this key requires a passphrase to decode it, it will prompt for it. When run from within X, and if not presented with stdin to read the key from, on some systems it may use ssh-askpass to produce an X window for you to enter your passphrase in. This can normally be achieved by bash$ cat /dev/null | ssh-add
Connections to ssh-agent are also forwarded over ssh connections. This means that if you log into box B from box A, and then box C from box B, the authentication is actually from the keys held by ssh-agent on box A. In practice there is no need to know about this, except that once you have entered your passphrase once, with ssh-add, you should never need do so again.
These pages are maintained by JCN. This file was last modified on 17/10/05. Copyright © JCN, 1998-2005.