Password-less SSH
Introduction
Disclaimer: This HOWTO might be a bit basic for some - It was written for a Wiki at work, and doesn't assume much more than a perfunctory knowledge of SSH.
SSH is a must have program for anyone who likes to be able to connect to machines remotely, and who's comfortable with the UNIX shell. It allows shell access to machines running the SSH server, giving you a similar level of control over the machine as if you were actually sat at it, without relying on VPN connections, or slowly refreshing remote desktops.
SSH also has the advantage of being secure. Unlike it's oldschool counterparts rsh and telnet, which send passwords, (and commands -- in fact, everything -- in cleartext), SSH creates an encrypted tunnel through which all information flows.
There are several modes of authentication which can be used by SSH, the most common being keyboard (where you type your password manually), and keyed, where you must authenticate by giving the password to a signed key (which in this case must reside on the server). The keyed mode of authentication is most convenient because it can allow password-less login.
Chances are, if you've found your way here, that you know this already, and just want to know how to set up your machines so you don't need to keep on typing your password, if so, read on:
Setting up Passwordless Login
This is without a doubt the coolest thing that you can do with SSH. It's also fairly easy, requiring only a text editor, and root access to the machine you work on. Here's my current favourite passwordless SSH recipe (based on this article, on uwstopia, a particularly cool GNOME developer's blog).- Install pam-ssh (libpam-ssh in Debian).
- Decide which file you need to edit.
- If you login to a terminal, and then startx (or not if you're
really hardcore) from there, then the file you'll need to edit in
step 3 is
/etc/pam.d/login. - If you use a graphical login manager, then the file you'll need to edit will depend on which one:
- Debian, Ununtu and FC systems use GDM, so the file you need
to edit is
/etc/pam.d/gdm - If you're a KDE kinda person, then it'll probably be:
/etc/pam.d/kdm - Otherwise, it's probably
/etc/pam.d/xdm
- If you login to a terminal, and then startx (or not if you're
really hardcore) from there, then the file you'll need to edit in
step 3 is
- Load the file in your editor (as root, or with sudo):
sudo vim /etc/pam.d/gdm
- Find:
@include common-auth
Now add@include pam-ssh-auth
to the next line. Now find:@include common-session
Then add:@include pam-ssh-session
to the next line. Repeat this for as many as the above files as you like. - Make sure your login password is the same as your SSH key's
password. 5. Log-out, and back in. 6. Try to login to a machine with
your keys on:
ssh eepc-njm6 ee1mpf@eepc-njm6 ~ $
...and like above it should just work!
SSH in Cron
Before too long, you're going to want to use ssh (or something like rsync) from cron -- this is where passwordless SSH comes in really handy. By putting the right stuff in your config files, you can set up the same kind of password caching as we did for logging in, and forgo the all to common method of using keys with blank passwords. Here's how:
- Open up /etc/pam.d/cron and do the same as above.
- There is no step 2! Sorry Instiki!