
by Jonathan Keeling


This document explains how to set up ssh so that you can log in to other hosts without typing your password, which lets ssh stand in for rsh in programs such as cvs, pvm and mpi that expect to run remote commands without a password prompt.

If you are just interested in getting passwordless ssh to work, and do not want to read all the details, you need only read the first section. These instructions should not compromise your security, but they do not explain how ssh security works.


1. Setting up passwordless RSA user authentication

1.1. How to do it

Create your RSA public/private key pair by running bash$ ssh-keygen. When prompted, accept the default location for your key, $HOME/.ssh/identity, and choose a passphrase when asked (do not leave the passphrase blank; Section 1.2.1 explains why that is insecure). Note that identity is the SSH protocol 1 key file; newer versions of OpenSSH default to a protocol 2 key such as $HOME/.ssh/id_rsa or $HOME/.ssh/id_ed25519. The rest of these instructions apply unchanged to whichever file ssh-keygen reports it has written.

Copy your public key to whichever host(s) you want to log into. This means appending the contents of $HOME/.ssh/identity.pub on the machine where you created the key to $HOME/.ssh/authorized_keys on the machine you want to log into. Never copy the private key ($HOME/.ssh/identity, the file without .pub): it should never leave the machine it was created on. For machines within college, where your home directory is shared, this translates as bash$ cat .ssh/identity.pub >> .ssh/authorized_keys (append with >>, not >, or you will overwrite any keys already listed there). Check that .ssh is mode 700 and authorized_keys mode 600: sshd ignores an authorized_keys file that is group- or world-writable, and the only symptom is that you are asked for your password exactly as before.

You will now want to use ssh-agent to manage your ssh key. This means you enter your passphrase once, when you log in, and are not prompted again. If you have logged in using X (a graphical login), ssh-agent is normally already running, and all you need do is bash$ ssh-add, which will prompt you for your passphrase.

If you are not using a graphical login, you will need to start a process under ssh-agent so that it can manage your keys. In most cases this means bash$ ssh-agent bash, which starts a new shell with the agent available; you then add your key with ssh-add as above. An equivalent that keeps your current shell is bash$ eval $(ssh-agent -s), which sets the SSH_AUTH_SOCK and SSH_AGENT_PID variables in the shell you are already in.

You may wish to add a line to your .Xsession file, so that you are prompted for your passphrase as soon as you log in. If you add the line

	  cat /dev/null | ssh-add

before it starts your window manager, then ssh-askpass should appear and ask you for your passphrase. (ssh-add falls back to ssh-askpass when its standard input is not a terminal and DISPLAY is set, which is what the redirection from /dev/null arranges.)

If you encounter problems, try bash$ ssh -v HOSTNAME, which prints verbose debugging information showing exactly which authentication method is tried and where it fails (repeat the option, up to -vvv, for more detail).
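The "cat identity.pub >> authorized_keys" step above works, but it is easy to run twice, to run against the wrong file, or to leave permissions that make sshd ignore the result. The following is an added example, not code from the original page: a small shell function that installs a public key the same way, refuses anything that does not look like a one-line public key, and sets the modes sshd requires. The file names are the page's SSH 1 defaults and can be overridden; the key in the usage comment is a constructed sample, not a real key.

```shell
#!/bin/sh
# Added example (not from the original page): install a public key into
# authorized_keys so that the step can be repeated safely.
#
# install_pubkey PUBKEY_FILE [AUTHORIZED_KEYS_FILE]
#   e.g. install_pubkey ~/.ssh/identity.pub
#        install_pubkey ~/.ssh/id_rsa.pub /tmp/authorized_keys   (assumed paths)
install_pubkey() {
    pub="$1"
    auth="${2:-$HOME/.ssh/authorized_keys}"
    dir=$(dirname "$auth")

    # Refuse anything that is not a one-line public key: copying the private
    # key here by mistake would hand it to every reader of the file.
    if [ ! -s "$pub" ] || [ $(wc -l < "$pub") -gt 1 ] || grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub does not look like a public key file" >&2
        return 1
    fi
    key=$(cat "$pub")

    # sshd (StrictModes yes, the default) silently ignores authorized_keys
    # if it, ~/.ssh or your home directory is group- or world-writable.
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"

    # One key per line; do not append a second copy on a repeat run.
    if grep -qxF -- "$key" "$auth"; then
        echo "key already present in $auth"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "installed key in $auth"
    fi
}
```

Run it once per key on the machine you want to log into (or, with shared home directories, anywhere), then test with ssh -v as described above; if you are still asked for a password, the verbose output will say whether the key was offered and rejected or never tried at all.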


1.2. Technical details

1.2.1. Why do you need a passphrase?

You can leave the passphrase blank, to avoid ever having to type a password or passphrase. However, because home directories on the nem-net and kwok-linux machines are exported via NFS, every time ssh reads an unencrypted private key the key is sent from the NFS server to the machine you are on in plain text. Anyone who can capture that traffic, or who has access to the NFS server, then has a copy of the key that lets them log in as you on every machine where you have installed it.

To avoid this, you must either

  1. Use a passphrase, and either be prompted every time you try to log in, or use ssh-agent to manage your key(s) (see "Using ssh-agent", Section 1.2.2). This works by encrypting your private key with your passphrase, so that capturing the encrypted key alone is useless.

  2. Save your private key on the local machine, e.g. in /var/tmp, by changing where ssh-keygen saves it (when it prompts you), and pass that filename as the argument to ssh-add. If you do this, you should delete the key when you finish your session (and remove the matching public key from authorized_keys), and repeat all the steps when you try again. This is somewhat tiresome, but may be useful if you ever find yourself using a machine on which you do not have an account but from which you wish to use something like mpi, pvm or cvs, which prefer passwordless remote command invocation. Bear in mind that a key stored on the local disk is still readable by root on that machine; this only keeps it off the network.


1.2.2. Using SSH Agent to manage keys

ssh-agent exists to hold your decrypted keys. Whenever you run ssh, or something which uses ssh, such as scp, it connects to the agent through the Unix-domain socket named by the SSH_AUTH_SOCK environment variable. ssh-agent sets this variable in the environment of the process it starts, so every descendant of that shell or session inherits it; a process started outside the agent (for example from a different login) will not find it. On many systems, when you log in using X, the login program starts your X session, window manager etc. from within ssh-agent for you, and so all you need do is add the appropriate key.

If you are not using X, you will probably need to start ssh-agent yourself, and then run a shell, or occasionally a program such as screen, under it.

The ssh-add command adds a key to the agent. By default it reads $HOME/.ssh/identity, but a different key file can be given as an argument. If the key is protected by a passphrase, it will prompt for it. When run under X without a terminal to read the passphrase from, and with DISPLAY set, it runs ssh-askpass to produce an X window for you to enter your passphrase in. This can normally be achieved by bash$ cat /dev/null | ssh-add

Connections to ssh-agent can also be forwarded over ssh connections (when the ForwardAgent option is enabled, or ssh is run with -A). This means that if you log into box B from box A, and then box C from box B, the authentication is actually done with the keys held by ssh-agent on box A. In practice there is no need to think about this, except that once you have entered your passphrase, with ssh-add, you should never need to do so again. Be aware, though, that while the forwarded connection is open anyone with root access on box B can use the forwarded socket to authenticate as you, so only forward your agent to hosts you trust.


2. Using .shosts authentication

Warning

This method is less secure than RSA user authentication, but is still more secure than rsh, since the client host proves its identity with its host key rather than just its name. It is also a convenient way to set up passwordless ssh, but some machines may be configured not to allow .shosts authentication, whereas nearly all machines will allow RSA user authentication.


2.1. How to do it.

  1. Create a .shosts file in your home directory on the machine you want to log into, with permissions 644 (it must be owned by you and must not be writable by anyone else). This file should contain a list of hosts from which you want to be able to log in, one fully qualified host name per line, optionally followed by your user name on that host if it differs from your user name here.

  2. You must then ensure that both machines have the correct host key for each other. This is achieved by logging in from each one to the other, using ssh and the fully qualified host name, i.e. bash$ ssh zeus.jesus.cam.ac.uk, not just bash$ ssh zeus. The server looks the client host's key up under the name it resolves the connection to, so a key recorded in known_hosts under a short name will not be found.
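The two steps above, as an added example that is not part of the original page: one function records a host in .shosts (refusing unqualified names and keeping the 644 mode), and another checks whether a host's key has been learnt under its fully qualified name by reading known_hosts. The known_hosts check assumes an unhashed file (the default unless HashKnownHosts is set); with hashed entries use ssh-keygen -F hostname instead. Host names other than zeus.jesus.cam.ac.uk, the user name and the key material in the test are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original page) for .shosts authentication.

# add_shost FQDN [USER] [SHOSTS_FILE]
#   Appends "FQDN [USER]" to ~/.shosts (or SHOSTS_FILE) unless already present.
add_shost() {
    host="$1"; user="${2:-}"; file="${3:-$HOME/.shosts}"
    case "$host" in
        *.*) ;;
        *) echo "refusing '$host': use the fully qualified host name" >&2; return 1 ;;
    esac
    entry="$host${user:+ $user}"
    # Must be owned by you and not group/world writable, or sshd ignores it.
    touch "$file" && chmod 644 "$file"
    grep -qxF -- "$entry" "$file" || printf '%s\n' "$entry" >> "$file"
}

# known_host_ok FQDN [KNOWN_HOSTS_FILE]
#   Succeeds if some known_hosts line lists FQDN in its host field. The host
#   field is a comma-separated list (e.g. "host,ip"), so each name is compared
#   whole rather than as a prefix. Comment lines, hashed lines (|1|...) and
#   @marker lines are skipped; hashed files need "ssh-keygen -F" instead.
known_host_ok() {
    host="$1"; file="${2:-$HOME/.ssh/known_hosts}"
    [ -r "$file" ] || return 1
    awk -v h="$host" '
        $1 !~ /^[#|@]/ {
            n = split($1, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == h) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$file"
}
```

Typical use is add_shost for each client host, then known_host_ok for the same name on both machines; if the check fails on either side, log in once in that direction with the fully qualified name so ssh records the key, and rerun the check.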


3. Further documentation

The following links explain details of how ssh works, and how to use it securely.

These pages are maintained by JCN. This file was last modified on 17/10/05. Copyright © JCN, 1998-2005.
