Passwordless SSH

Setting up secure logins without typing a password

All of this information is from the manpages for ssh, ssh-keygen and ssh-agent.

Setting up the keys

Create keys of all sorts, so it will always work (some old computers only serve ssh1):

ssh-keygen -t rsa
#ssh-keygen -t dsa # don't use this one unless rsa doesn't work
ssh-keygen -t rsa1

A caveat if you are following this today: the rsa1 key is for SSH protocol 1, which has known weaknesses and has been removed from OpenSSH altogether (server side in 7.4, client side and ssh-keygen -t rsa1 in 7.6), and DSA keys have been disabled by default since OpenSSH 7.0. On a current system the usual choice is a single ed25519 key (ssh-keygen -t ed25519), falling back to RSA of at least 3072 bits only for a server that cannot do ed25519; everything below applies unchanged to such a key.
Agree to the default names but give them passphrases when you do this; the passphrase encrypts the private key on disk and is never sent to any server. I'd give each key the same passphrase for ease of use. Then authorise your keys for all systems that share your home directory:

cd ~/.ssh
cat *.pub >> authorized_keys
Copying your ~/.ssh/authorized_keys (the public halves only; the private keys stay where they were made) to ~/.ssh/authorized_keys on an external system will let you passwordlessly ssh there too. Append to the remote file rather than replacing it if it already authorises other keys, and keep both ~/.ssh and the file readable by you alone, or sshd will ignore them.
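The key set-up above, as an added example that is not part of the original page: a bash script that generates an ed25519 key with a passphrase and installs the public half into a remote authorized_keys by appending rather than overwriting, with the file modes sshd requires. It goes a little beyond the page by letting you prefix the entry with authorized_keys restriction options (no-agent-forwarding, from="..." and so on), which is how a security engineer would install a key whose only job is one task on one host. It assumes OpenSSH's ssh-keygen and ssh; the file names in the usage comment and the key line used to check it are constructed.

```bash
#!/bin/bash
# Key set-up helper (added example; assumes OpenSSH's ssh-keygen and ssh).

# Generate an ed25519 key pair. ssh-keygen prompts for the passphrase that
# encrypts the private half on disk; -a 64 raises the KDF work factor.
make_key() {
    local file comment
    file=${1:-$HOME/.ssh/id_ed25519}
    comment=${2:-"$USER@$(hostname)"}
    ssh-keygen -t ed25519 -a 64 -f "$file" -C "$comment" || return 1
    ssh-keygen -l -f "$file.pub"    # fingerprint, to compare on the far side
}

# Turn one public-key line into an authorized_keys entry, optionally prefixed
# with restriction options such as "no-agent-forwarding,no-port-forwarding"
# or 'from="10.0.0.0/8"'. Fails unless the line starts with a current key
# type and carries a key blob, so a private key or junk is never installed.
restricted_authorized_line() {
    local opts line
    opts=$1
    line=$2
    set -f                 # no globbing while splitting the line into words
    set -- $line
    set +f
    case ${1:-} in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) return 1 ;;
    esac
    [ -n "${2:-}" ] || return 1
    if [ -n "$opts" ]; then
        printf '%s %s\n' "$opts" "$line"
    else
        printf '%s\n' "$line"
    fi
}

# Append (never overwrite) the entry on the remote host and set the modes
# sshd's StrictModes insists on. $1 user@host, $2 public key file, $3 options.
install_key() {
    local host pub opts line
    host=$1
    pub=$2
    opts=${3:-}
    line=$(restricted_authorized_line "$opts" "$(head -n 1 "$pub")") \
        || { printf 'not a public key file: %s\n' "$pub" >&2; return 1; }
    printf '%s\n' "$line" | ssh "$host" 'umask 077 && mkdir -p ~/.ssh &&
        cat >> ~/.ssh/authorized_keys &&
        chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys'
}

# Usage (assumed file name):  ./sshkeys.sh keygen [file] [comment]
#                             ./sshkeys.sh install user@host [pubfile] [options]
case ${1:-} in
    keygen)  make_key "${2:-}" "${3:-}" ;;
    install) install_key "${2:?user@host required}" "${3:-$HOME/.ssh/id_ed25519.pub}" "${4:-}" ;;
    *)       ;;    # no arguments: only define the functions (e.g. when sourced)
esac
```

The restriction options are checked by sshd, not by the client, so they hold even if the client machine is later compromised; a key installed with no-agent-forwarding,no-port-forwarding,command="..." can do exactly one thing on that host.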

I originally wrote these instructions for RedHat 7.3. If you are using that, then skip to those instructions. Otherwise keep reading.

Testing the keys

You will want ssh-agent running; many modern distributions set this up for you. If

echo $SSH_AGENT_PID
returns a number then an agent was started for you (ssh itself finds the agent through $SSH_AUTH_SOCK, which is set alongside it). Otherwise start a temporary copy for testing with:

exec ssh-agent bash
(if you need this temporary fix, read the next section for a better solution.)

To unlock your keys and hand them to ssh-agent, use:

ssh-add
It prompts for the passphrase, decrypts the private keys and keeps them only in the agent's memory; the keys on disk stay encrypted. Now (hopefully) any ssh process which can see your ssh-agent (e.g. by being started from the bash shell above) can log into all the hosts that can see your ~/.ssh/authorized_keys file. If not, see the troubleshooting section.

Making everything run automatically

You may want to run ssh-add whenever you log in. Use:

ssh-add < /dev/null
to make it pop up a dialog box for your passphrase: with stdin pointed away from a terminal and $DISPLAY set, ssh-add cannot prompt on the terminal and instead runs the program named by $SSH_ASKPASS (or the compiled-in ssh-askpass helper), which is a graphical prompt. In some distributions you can add this command to a ~/.xinitrc script, but the exact procedure for making things run on login to X-windows varies.

(Only) if ssh-agent does not run automatically, you probably want to configure your X11 session to be started with ssh-agent (rather than a single shell as above). Every program in the session then inherits $SSH_AUTH_SOCK and $SSH_AGENT_PID from the agent's environment, so all your ssh sessions will see the agent. To do this, change:

exec xinit … to exec ssh-agent xinit …

in whatever script starts X-windows (eg startx, or your xdm configuration).

An alternative to making X11 a child of ssh-agent is to start ssh-agent however is convenient for you, and then point your shell at it from its start-up files. Note that ssh locates the agent through $SSH_AUTH_SOCK, the path of the agent's listening socket; $SSH_AGENT_PID is only read by "ssh-agent -k", so exporting the PID alone gets ssh nothing. With Linux procps you could set both with something like:

export SSH_AGENT_PID=$(ps h --format '%p' -C ssh-agent | head -1)
export SSH_AUTH_SOCK=$(ls /tmp/ssh-*/agent.* 2>/dev/null | head -1)
if you use bash/zsh/ksh/… or for (t)csh use:
setenv SSH_AGENT_PID `ps h --format '%p' -C ssh-agent | head -1`
setenv SSH_AUTH_SOCK `ls /tmp/ssh-*/agent.* | head -1`
(The socket lives in a directory under $TMPDIR, normally /tmp, that only you can read, so other users' agents do not appear in that listing; if you are running more than one agent, head -1 picks an arbitrary one.)
When things are set up properly you’ll only have to type in your keys’ password once after you log into X-windows.
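The "make everything run automatically" procedure above, as an added example that is not from the original page: a script that starts one ssh-agent per login, records its variables in a file so every later shell (and the X session) reaches the same agent through $SSH_AUTH_SOCK instead of starting a fresh one, and loads the keys once using the ssh-add < /dev/null trick so the passphrase dialog appears. It reads the env file with a small parser rather than eval'ing it, and uses ssh-add's exit codes (0 keys loaded, 1 agent running but empty, 2 no agent reachable) to decide what to do. The env file path and the 8h key lifetime are my assumptions; the ssh-agent output used to check the parser is constructed.

```bash
#!/bin/bash
# Agent bootstrap (added example). Source this from the script that starts
# your X session or from ~/.bashrc, then call:
#     ensure_agent ~/.ssh/agent.env && load_keys        # assumed file name

# Pull one variable's value out of `ssh-agent -s` output, which looks like
#   SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.123; export SSH_AUTH_SOCK;
# without eval'ing it: the file is mode 600 in ~/.ssh, but eval of a stale
# or edited file is still not something to do at every login.
agent_var_from_output() {
    local name output line value
    name=$1
    output=$2
    while IFS= read -r line; do
        case $line in
            "$name="*)
                value=${line#"$name="}
                value=${value%%;*}
                printf '%s\n' "$value"
                return 0 ;;
        esac
    done <<EOF
$output
EOF
    return 1
}

# True if $SSH_AUTH_SOCK points at a live agent. ssh-add -l exits 0 with
# keys loaded, 1 for a running but empty agent, 2 when no agent answers.
agent_alive() {
    local rc=0
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

# Reuse the agent recorded in the env file if it is still alive, otherwise
# start a new one and record it (umask keeps the file at mode 600).
ensure_agent() {
    local envfile output
    envfile=$1
    if [ -r "$envfile" ]; then
        output=$(cat "$envfile")
        SSH_AUTH_SOCK=$(agent_var_from_output SSH_AUTH_SOCK "$output") || SSH_AUTH_SOCK=
        SSH_AGENT_PID=$(agent_var_from_output SSH_AGENT_PID "$output") || SSH_AGENT_PID=
        export SSH_AUTH_SOCK SSH_AGENT_PID
    fi
    if ! agent_alive; then
        (umask 077; ssh-agent -s > "$envfile") || return 1
        output=$(cat "$envfile")
        SSH_AUTH_SOCK=$(agent_var_from_output SSH_AUTH_SOCK "$output") || return 1
        SSH_AGENT_PID=$(agent_var_from_output SSH_AGENT_PID "$output") || return 1
        export SSH_AUTH_SOCK SSH_AGENT_PID
    fi
}

# Load the default keys only if the agent is empty. With stdin off the
# terminal and $DISPLAY set, ssh-add prompts through $SSH_ASKPASS (the
# dialog box the page describes); -t makes the agent forget the keys after
# the lifetime, so a forgotten session does not stay usable forever.
load_keys() {
    local lifetime rc=0
    lifetime=${1:-8h}
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 1 ] || return "$rc"     # 0: already loaded, 2: no agent
    ssh-add -t "$lifetime" </dev/null
}
```

Because ensure_agent re-checks liveness rather than trusting the file, a stale agent.env from a previous login (agent gone, socket directory cleaned out of /tmp) is replaced silently, which is the usual reason the "set the variables in your shell rc" approach stops working after a reboot.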

Troubleshooting

It doesn’t work

ssh and sshd are very fussy about file permissions: sshd (with the default StrictModes yes) ignores ~/.ssh/authorized_keys when your home directory is group- or world-writable, or when ~/.ssh or the file itself is accessible to anyone but you, and the client refuses to use a private key that others can read. Try:
chmod 700 ~/.ssh; chmod go-rwx ~/.ssh/*

On the server, a refusal for this reason appears in the auth log as "Authentication refused: bad ownership or modes for ...".

Otherwise, I'm not sure. Remember that "ssh -vvv" gives very verbose debugging information (use fewer v's for less), and "ssh-add -l" shows whether your agent actually holds any keys.
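As an added example (mine, not the page's), here is a check-and-fix script for the permission problem above. It tests the same things sshd's StrictModes and the ssh client test: the home directory must not be group- or world-writable, and ~/.ssh and everything in it except the *.pub files must be accessible by the owner alone. It parses ls -ld rather than calling stat so that it runs on non-GNU systems too; the script name in the usage comment is an assumption.

```bash
#!/bin/bash
# Permission checker for ~/.ssh (added example). sshd's StrictModes (on by
# default) ignores authorized_keys when the home directory is group/world
# writable or ~/.ssh or the files in it are group/world accessible; the
# ssh client likewise refuses a private key that others can read.

# First ten characters of the ls -ld mode column, e.g. drwx------ (a
# trailing '.' or '+' from SELinux or ACLs is dropped).
mode_of() {
    set -- $(ls -ld "$1")
    local mode
    mode=$1
    printf '%s\n' "${mode%"${mode#??????????}"}"
}

# Report every path that would make sshd or ssh reject the keys; returns 1
# if any were found. Public keys (*.pub) are allowed to be world-readable.
check_ssh_perms() {
    local dir home bad=0 f mode
    dir=${1:-$HOME/.ssh}
    home=$(dirname "$dir")
    mode=$(mode_of "$home")
    case $mode in
        ?????w*|????????w?)      # group-write or other-write bit set
            printf 'home %s is group/world writable (%s)\n' "$home" "$mode"; bad=1 ;;
    esac
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue
        case $f in *.pub) continue ;; esac
        mode=$(mode_of "$f")
        case ${mode#?} in        # strip the type character, keep rwxrwxrwx
            ???------) ;;        # owner bits only: fine
            *) printf 'loose permissions %s on %s\n' "$mode" "$f"; bad=1 ;;
        esac
    done
    return $bad
}

# The fix from the page, completed: 700 on the directory, 600 on everything
# in it except the public halves, which may stay 644.
fix_ssh_perms() {
    local dir f
    dir=${1:-$HOME/.ssh}
    chmod 700 "$dir"
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        case $f in *.pub) chmod 644 "$f" ;; *) chmod 600 "$f" ;; esac
    done
}

# Usage (assumed name):  ./sshperms.sh check [dir]   or   ./sshperms.sh fix [dir]
case ${1:-} in
    check) check_ssh_perms "${2:-$HOME/.ssh}" ;;
    fix)   fix_ssh_perms "${2:-$HOME/.ssh}" && check_ssh_perms "${2:-$HOME/.ssh}" ;;
esac
```

Run the check on the server side as well as the client: the most common case of "it just asks for a password" is a correct authorized_keys that sshd is silently ignoring because of a world-writable home directory.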

I've ssh'd to computer A; now I must retype my password to ssh to computer B from there!?

If this is not what you wanted, you should change your default settings (ForwardAgent in ~/.ssh/config) or use the -A option when sshing to the first computer. This forwards a connection to your ssh-agent, so ssh on A can sign with your keys without the private keys ever leaving your machine. Be aware of what that grants: anyone with root on A can use your forwarded agent for as long as you are connected, so only forward to hosts you trust, and if A is merely a stepping stone on the way to B, "ssh -J A B" (ProxyJump) gets you there without exposing the agent at all.

Now I have to type in my password twice?

On logging on you now have to type your login password and a passphrase to unlock your keys into ssh-agent. Note that these are for different things and can be different. Having a blank passphrase on your keys is a bad idea, especially if you use NFS: an unencrypted private key is usable by anyone who can read the file, including whoever administers the NFS server or can capture unencrypted NFS traffic. I don't know of a way to get the login program to pass a password onto ssh-agent (without a lot of hacking).

What's the relationship between my login password and my ssh keys?

None. If your account is compromised you need to change your password and replace your ssh keys: generate new ones and remove the old public keys from every authorized_keys file they were added to. If you only change your password your old ssh keys will still allow access to your account (and vice versa). Also remember the passphrase you use to encrypt your keys is stored separately from your login password; nothing forces them to be the same.

RedHat specific

This is based on unarmed combat with RedHat 7.3

Run switchdesk which will create ~/.Xclients and ~/.Xclients-default. Open ~/.Xclients in a text editor and replace:

exec … with exec ssh-agent …

wherever it occurs. Then open ~/.Xclients-default and add:

ssh-add < /dev/null

on a line by itself before any lines that exec anything.

Shut down your X-windows session and restart it. You'll be asked for your ssh keys' passphrase once only.
