Password less ssh
How does password-less SSH works
SSH (or SFTP, 'scp') can be used in a password-less mode, where authentication is used between client and server.
When password-less mode is configured, a given user on a given client server can connect through SSH to a given server without explicitly providing the password, because server has a way (through private/public key) to authenticate the client (validate that "you are who you say you are").
How private/public keys work
Public/private key pairs work like this:
- Data that is encrypted with one of these keys can only be decrypted with the other (and vice versa)
- Private key is never given to anyone, used only by the owner of that key to encrypt data that it sends
- Public key is sent to anyone that needs to receive data from that owner
- Successfully decrypting data using the public key authenticates that this data was in fact send by the owner, and no one else
Using private/public keys with SSH
- A private/public key pair is generated, by a given user, on the client host
- The private key is kept secret on the client host (with great care, in the user's home folder)
- The public key is sent to the server host, in the home folder of the user account on the server
- When SSH session is established
- The private key is used by client host
- The server uses the public key to authenticate the client (be sure that the client is who he pretends to be), and allows login
Is it secure?
Password-less SSH is known to be secure, as long as the client's private key remains private.
It it thus extremely important to keep the private key file securely on the client server, in the home directory of the user that uses it (~/.ssh/) and without any read or write permission to anyone but the owner.
How to setup password-less SSH login
Password-less SSH login is configured with the following steps:
- On the client host:
- Login using the user account to setup password-less SSH for
- Create the private/public key pair using the command ssh-keygen -t dsa
- Do not enter a passphrase
- On the server host:
- Login using the user account that will be used for these SSH password-less connections
- Add the public key to the "authorized_keys2" file
- Generate the private/public key pair:
ssh-keygen -t dsa
The command output should look like this:
Generating public/private dsa key pair. Enter file in which to save the key (/home/my_client_user/.ssh/id_dsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/my_client_user/.ssh/id_dsa. Your public key has been saved in /home/my_client_user/.ssh/id_dsa.pub. The key fingerprint is: 01:23:45:67:89:01:23:45:67:89:01:23:45:67:89:01 my_client_user@my_client_host
- Upload the public key to the server (here we use a remote SSH command to append to authorized_keys2 file on the server):
cat /home/my_client_user/.ssh/id_dsa.pub | ssh my_server_host -l my_server_user 'sh -c "cat - >>~/.ssh/authorized_keys2"'
Then you'll be prompted for the password (obviously, since password-less SSH is not yet setup!)
We can also use this command to push the public key from the client host (instead of the previous command cat and ssh):