Passwordless SSH
If you generated keys using Debian and Ubuntu systems issued between 2006-09-17 and June 2008 then regenerate your keys!
Here’s how to configure ssh to connect to any cluster machine without a password:
ssh-keygen -t rsa # accept the default filename and choose a password
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
# [Also copy authorized_keys to ~/.ssh on machines that don't mount the same home directory]
chmod go-rwx ~/.ssh/*
ssh-add # enter the password you chose before
It is possible to use a blank password, which is convenient. However, you shouldn’t. Assuming you do set a password you will need to run
ssh-add < /dev/null
at X startup. The method for starting applications automatically depends on the system. I don’t use the Gnome or KDE desktops, but I’m told you need to do the following:
Gnome: Click on System, choose Preferences, choose Sessions, select the Startup Programs tab, click on Add, and enter "ssh-add" as a command.
KDE: ln -s /usr/bin/ssh-add .kde/Autostart
Troubleshooting
It doesn’t work
ssh is very fussy about file permissions. Try the following:
chmod go-rwx ~/.ssh/*
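The permission rules behind that fussiness, as an added example that is not part of the original page: sshd's default StrictModes setting ignores authorized_keys when the home directory, ~/.ssh or the file itself is group- or world-writable, and the ssh client refuses a private key that group or others can access at all. It goes beyond the chmod above by also checking the two directories; the name check_ssh_perms and the id_* key file names are assumptions.

```shell
#!/bin/sh
# Added example: report permission modes that make OpenSSH ignore your keys.
# Usage: source this file, then run: check_ssh_perms [HOME_DIR]

# go_bits PATH: print the six group/other mode characters, e.g. "r-xr-x".
go_bits() {
    ls -ldL "$1" | cut -c5-10
}

# check_ssh_perms [HOME_DIR]: print each problem found; return 1 if any.
# (Hypothetical helper name; only modes are checked, not file ownership.)
check_ssh_perms() {
    home=${1:-$HOME}
    bad=0

    # sshd with StrictModes (the default) ignores authorized_keys if the home
    # directory, ~/.ssh or the file itself is group- or world-writable.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        case $(go_bits "$p") in
            ?w????|????w?)
                echo "writable by group/other: $p"
                bad=1 ;;
        esac
    done

    # The ssh client refuses a private key that group or others can access
    # at all. Assumes the default id_* key file names.
    for p in "$home"/.ssh/id_*; do
        [ -f "$p" ] || continue
        case $p in *.pub) continue ;; esac
        if [ "$(go_bits "$p")" != "------" ]; then
            echo "private key open to group/other: $p"
            bad=1
        fi
    done

    return "$bad"
}
```

A directory reported here is cleared with chmod go-w on that directory; the glob in chmod go-rwx ~/.ssh/* only reaches the files inside ~/.ssh.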
For ssh-add to work, ssh-agent needs to be set up and running. But on at least Debian/Ubuntu systems, that part is sorted out by default.
Otherwise, I’m not sure. Remember that “ssh -vvv” gives very verbose debugging information (use fewer v’s for less).
I’ve ssh’d computer A, now I must retype my password to ssh computer B from that!?
To use your local key to authenticate through a chain of computers, use the -A option to ssh. This option forwards a connection to your ssh-agent.
Now I have to type in my password twice?
On logging on you now have to type your login password and a password to unlock your keys to ssh-agent. Note that these passwords are for different things and can be different. Having a blank password on your keys is a bad idea, especially if you use NFS. I don’t know of a way to get the login program to pass a password onto ssh-agent (without a lot of hacking).
What’s the relationship between my login password and my ssh keys?
None. Your encrypted keys are stored separately from the hash of your login password; nothing forces your key and login passwords to be the same. If your account is compromised you need to change your password and your ssh keys. If you only change your password, your old ssh keys will still allow access to your account (and vice versa).