Editing Passwordless SSH (and RSH) Logins
Latest revision | Your text | ||
Line 2: | Line 2: | ||
− | ''' | + | '''SSH''' |
The info below comes from Robert G Brown (aka RGB) at Duke University email on the Beowulf list. | The info below comes from Robert G Brown (aka RGB) at Duke University email on the Beowulf list. | ||
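Review bot: `'''SSH'''` on line 2 is bold text doing the job of a section title. Since the page title also covers RSH, a real heading such as `== SSH ==` would put this part in the table of contents. The attribution line under it names a Beowulf list email but gives no link or date for the post, so readers cannot find the original.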
Line 10: | Line 10: | ||
Now, let's arrange it so that we can login to a remote host (also running sshd) without a password. Let's start by seeing if we can login to the remote host at all, I<with> a password: | Now, let's arrange it so that we can login to a remote host (also running sshd) without a password. Let's start by seeing if we can login to the remote host at all, I<with> a password: | ||
− | |||
rgb@lucifer|T:151>ssh lilith | rgb@lucifer|T:151>ssh lilith | ||
+ | |||
The authenticity of host 'lilith (192.168.1.131)' can't be established. | The authenticity of host 'lilith (192.168.1.131)' can't be established. | ||
+ | |||
RSA key fingerprint is 8d:55:10:15:8b:6c:64:65:17:00:a7:84:a3:35:9f:f6. | RSA key fingerprint is 8d:55:10:15:8b:6c:64:65:17:00:a7:84:a3:35:9f:f6. | ||
+ | |||
Are you sure you want to continue connecting (yes/no)? yes | Are you sure you want to continue connecting (yes/no)? yes | ||
+ | |||
Warning: Permanently added 'lilith,192.168.1.131' (RSA) to the list of known hosts. | Warning: Permanently added 'lilith,192.168.1.131' (RSA) to the list of known hosts. | ||
+ | |||
rgb@lilith's password: | rgb@lilith's password: | ||
+ | |||
rgb@lilith|T:101> | rgb@lilith|T:101> | ||
− | + | ||
>> | >> | ||
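Review bot: The session in this hunk answers `yes` at `Are you sure you want to continue connecting (yes/no)?` with no word on checking the RSA fingerprint printed on the line above it. The surrounding text should tell readers to compare that fingerprint with lilith's own host key before accepting, since the next line of output says the entry is added to known_hosts permanently. Separately, the empty line inserted after every line of the session splits one transcript into many separate blocks, and `I<with>` in the intro sentence is POD markup that the wiki will print literally; `''with''` is the wiki form.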
Line 27: | Line 32: | ||
To avoid this, we use the ssh-keygen command to generate a public/private ssh key pair of our very own: | To avoid this, we use the ssh-keygen command to generate a public/private ssh key pair of our very own: | ||
− | |||
rgb@lucifer|T:104>ssh-keygen -t rsa | rgb@lucifer|T:104>ssh-keygen -t rsa | ||
+ | |||
Generating public/private rsa key pair. | Generating public/private rsa key pair. | ||
+ | |||
Enter file in which to save the key (/home/rgb/.ssh/id_rsa): | Enter file in which to save the key (/home/rgb/.ssh/id_rsa): | ||
+ | |||
Enter passphrase (empty for no passphrase): | Enter passphrase (empty for no passphrase): | ||
+ | |||
Enter same passphrase again: | Enter same passphrase again: | ||
+ | |||
Your identification has been saved in /home/rgb/.ssh/id_rsa. | Your identification has been saved in /home/rgb/.ssh/id_rsa. | ||
+ | |||
Your public key has been saved in /home/rgb/.ssh/id_rsa.pub. | Your public key has been saved in /home/rgb/.ssh/id_rsa.pub. | ||
+ | |||
The key fingerprint is: c3:aa:6b:ba:35:57:95:aa:7b:45:48:94:c3:83:81:11 | The key fingerprint is: c3:aa:6b:ba:35:57:95:aa:7b:45:48:94:c3:83:81:11 | ||
− | + | ||
>> | >> | ||
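Review bot: At `Enter passphrase (empty for no passphrase):` the transcript does not show what was entered, yet the following section calls a non-blank passphrase "a more secure option", which implies this run left it empty. Say so next to the transcript, and add that with an empty passphrase anyone who can read /home/rgb/.ssh/id_rsa can use the key. The empty lines inserted between the output lines fragment this transcript the same way as in the previous hunk.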
Line 44: | Line 55: | ||
A more secure option is to use a non-blank passphrase. In this case, you will have to use a couple more ssh tools (once per session). | A more secure option is to use a non-blank passphrase. In this case, you will have to use a couple more ssh tools (once per session). | ||
− | |||
guest@localhost$ ssh-agent $SHELL | guest@localhost$ ssh-agent $SHELL | ||
guest@localhost$ ssh-add | guest@localhost$ ssh-add | ||
Enter passphrase for /home/guest/.ssh/id_rsa: | Enter passphrase for /home/guest/.ssh/id_rsa: | ||
Identity added: /home/guest/.ssh/id_rsa (/home/guest/.ssh/id_rsa) | Identity added: /home/guest/.ssh/id_rsa (/home/guest/.ssh/id_rsa) | ||
− | |||
If entering the passphrase once per session is annoying, then you should try [http://www.gentoo.org/proj/en/keychain/index.xml keychain], which will reuse ssh-agents across all of your sessions. The associated IBM developerWorks articles are very nice introductions to openssh public key authentication. | If entering the passphrase once per session is annoying, then you should try [http://www.gentoo.org/proj/en/keychain/index.xml keychain], which will reuse ssh-agents across all of your sessions. The associated IBM developerWorks articles are very nice introductions to openssh public key authentication. | ||
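Review bot: Removing the empty lines before `guest@localhost$ ssh-agent $SHELL` and after the `Identity added:` line leaves this four-line session directly against the paragraphs on either side, the opposite of the spacing this revision adds to the other transcripts. Pick one convention for all sessions, ideally a `<pre>` block. The prompt also changes from `rgb@lucifer|T:104>` to `guest@localhost$` without explanation, and "The associated IBM developerWorks articles" are mentioned without a link.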
Line 55: | Line 64: | ||
The last step is to create an authorized keys file in your ~/.ssh directory. If your home directory is NFS exported to all the nodes, then you are done; otherwise you'll also need to copy the I<entire .ssh directory> to all the hosts that don't already have it mounted. The following illustrates the steps and a test. | The last step is to create an authorized keys file in your ~/.ssh directory. If your home directory is NFS exported to all the nodes, then you are done; otherwise you'll also need to copy the I<entire .ssh directory> to all the hosts that don't already have it mounted. The following illustrates the steps and a test. | ||
− | |||
rgb@lucifer|T:113>cd .ssh | rgb@lucifer|T:113>cd .ssh | ||
+ | |||
rgb@lucifer|T:114>ls | rgb@lucifer|T:114>ls | ||
+ | |||
id_rsa id_rsa.pub known_hosts | id_rsa id_rsa.pub known_hosts | ||
+ | |||
rgb@lucifer|T:115>cp id_rsa.pub authorized_keys | rgb@lucifer|T:115>cp id_rsa.pub authorized_keys | ||
+ | |||
rgb@lucifer|T:116>cd .. | rgb@lucifer|T:116>cd .. | ||
+ | |||
rgb@lucifer|T:118>scp -r .ssh lilith: | rgb@lucifer|T:118>scp -r .ssh lilith: | ||
+ | |||
rgb@lilith's password: | rgb@lilith's password: | ||
+ | |||
known_hosts 100% |*****************************| 231 00:00 | known_hosts 100% |*****************************| 231 00:00 | ||
+ | |||
id_rsa 100% |*****************************| 883 00:00 | id_rsa 100% |*****************************| 883 00:00 | ||
+ | |||
id_rsa.pub 100% |*****************************| 220 00:00 | id_rsa.pub 100% |*****************************| 220 00:00 | ||
+ | |||
authorized_keys 100% |*****************************| 220 00:00 | authorized_keys 100% |*****************************| 220 00:00 | ||
+ | |||
rgb@lucifer|T:120>ssh lilith | rgb@lucifer|T:120>ssh lilith | ||
+ | |||
rgb@lilith|T:101> | rgb@lilith|T:101> | ||
− | + | ||
>> | >> | ||
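Review bot: `scp -r .ssh lilith:` copies the private key as well, as the transfer listing shows (`id_rsa 100% ...`), and the intro sentence recommends doing this for "all the hosts". For the login from lucifer to lilith that the test demonstrates, only authorized_keys has to exist on lilith, so the text should either copy just that file or say plainly that the private key now sits on every host, which matters most when the key was generated with an empty passphrase. Two smaller points in the same session: `cp id_rsa.pub authorized_keys` replaces any authorized_keys already present, where appending the public key would keep existing entries, and the recursive copy also sends known_hosts to the remote account. `I<entire .ssh directory>` is POD markup and should be `''entire .ssh directory''`.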
Line 90: | Line 110: | ||
Most Linux distro's are setup with some sensible default firewall settings. Remember to modify them so SSH is allowed in '''both''' directions! | Most Linux distro's are setup with some sensible default firewall settings. Remember to modify them so SSH is allowed in '''both''' directions! | ||
− | |||
− | |||
− | |||
− | |||
− | |||
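Review bot: The firewall sentence kept as context here is too vague to act on: "allowed in '''both''' directions" does not say which hosts or which port. Suggest spelling out that each host running sshd must accept inbound connections on the SSH port (TCP 22 by default) and that the client side must be allowed to connect out to it. While editing the line, "distro's" should be "distros" and "setup" should be "set up". Dropping the five trailing empty lines is fine.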