====== Automatic SSH Logins ======

How to make SSH logins safer (by using keys instead of short passwords) and simpler (by having less to remember).

===== Creating your Identity =====

To identify yourself you need a keypair (public and private key). Create it using [[man>ssh-keygen]] like this:

<code>
$> ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
88:13:b1:5e:36:eb:57:2d:5e:2e:0f:08:ab:72:61:be user@host
</code>

Be sure to use a good passphrase: a longer sentence that is easy (for you) to remember. Note that OpenSSH has disabled DSA keys by default since version 7.0, so on a current system generate the key with ''ssh-keygen -t ed25519'' and read ''id_ed25519'' wherever ''id_dsa'' appears below.

===== Using Keychain =====

{{ http://www.gentoo.org/images/keychain-2.gif?200}}

To avoid having to type the passphrase every time you need to access your key (when using it to authenticate yourself), we use [[man>ssh-agent]]. And to make sure there is always a global ssh-agent running and the environment is set up correctly we utilize [[http://www.gentoo.org/proj/en/keychain/index.xml|keychain]]. Keychain is available as a Debian package:

<code>
#> apt-get install keychain
</code>

Now we need to run it every time it's needed - the best way is to include it in your ''~/.bashrc'' like this:

<code bash>
# ssh key manager: only for interactive shells ($PS1 is set)
if [ "$PS1" ]; then
    if [ -e /usr/bin/keychain ]; then
        # start (or reuse) the ssh-agent and add the identity to it
        keychain ~/.ssh/id_dsa
        # older keychain versions write the agent environment here ...
        if [ -e ~/.ssh-agent-${HOSTNAME} ]; then
            . ~/.ssh-agent-${HOSTNAME}
        fi
        # ... newer ones write it here; source whichever exists
        if [ -e ~/.keychain/${HOSTNAME}-sh ]; then
            . ~/.keychain/${HOSTNAME}-sh
        fi
    fi
fi
</code>

This will call keychain if it is installed and add your identity to the running ssh-agent. If no ssh-agent is running it will start one and you will be asked for your passphrase. Then all the needed environment info is written to ''~/.ssh-agent-${HOSTNAME}'' or -- depending on the keychain version -- to ''~/.keychain/${HOSTNAME}-sh'', which gets sourced into your ''.bashrc''.
Try it:

<code>
$> echo $SSH_AGENT_PID
503
</code>

===== Authenticate by Key =====

So now what to do with your shiny new identity stored in the running ssh-agent? Authenticate without a password, of course! It's simple: imagine a remote host you usually log on to with ''ssh somebody@the.remote.host'', entering //somebody//'s password. You only have to do this one more time - but this time use [[man>ssh-copy-id]] instead of ssh:

<code>
$> ssh-copy-id somebody@the.remote.host
somebody@the.remote.host's password:
Now try logging into the machine, with "ssh 'somebody@the.remote.host'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
</code>

Do as you're told and try to log in. If everything went well you will not be prompted for a password anymore.

===== Take your identity with you =====

Do you have multiple hosts in your LAN to administer? Do you sometimes hop from host to host? First of all, copy your key to all these hosts as described in the last section. But this still will not allow you to log into //Host A// and go on passwordless to //Host B// from there. This is because your identity (and your ssh-agent) are only running on your own machine - not on //Host A//. SSH supports something called agent forwarding. You can either remember to add the command-line option ''-A'' every time you call ssh:

<code>
$> ssh -A somebody@the.remote.host
</code>

or you can add it to the ''/etc/ssh/ssh_config'' file on your host to enable it by default:

<code>
Host *
    ForwardAgent yes
</code>

To check if it worked you can use [[man>ssh-add]] to show your identity:

<code>
$> ssh-add -L
</code>

It should print your public key.

===== Managing SSH Connections =====

Now you're already able to log in to all your favourite hosts without typing any passwords. Unfortunately you still have to type all the host- and usernames. Let's get another tool: [[http://sshmgr.sourceforge.net/|connmgr]].
Download and install the Debian package:

<code>
$> wget http://mesh.dl.sourceforge.net/sourceforge/sshmgr/connmgr_1.0.0-1_all.deb
#> dpkg -i connmgr_1.0.0-1_all.deb
</code>

Now you can add and use SSH connection profiles with ''sshmgr''.

**Adding a new profile**:

<code>
$> sshmgr -a remote
add profile: remote
enter hostname: the.remote.host
enter username [user]: somebody
enter port number [22]:
enter pre-command [none]:
$ successfully added the profile: "remote".
</code>

**Connecting to a profile**:

<code>
$> sshmgr remote
</code>

Yep, that's it. And the best thing is it supports BASH completion, so ''sshmgr rem'' does work :-D.
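===== Checking authorized_keys =====

The message printed by ''ssh-copy-id'' above asks you to look into ''.ssh/authorized_keys'' for keys you were not expecting. The script below is an added example, not part of the original page, that performs that check: it lists every key entry in an authorized_keys file (skipping the optional options prefix such as ''command="..."'') and reports entries whose key blob is not in a list of the blobs you know you added. The file contents and all key blobs are constructed; a real audit would point at ''~/.ssh/authorized_keys'' on the remote host and at your own list of known public keys.

```shell
#!/bin/sh
# Added example, not part of the original page: audit an authorized_keys file
# after ssh-copy-id. All key blobs below are constructed, not real keys.

# Write a constructed authorized_keys file to the path given as $1.
# Entries 1 and 2 are "ours"; entry 3 stands in for a key nobody remembers adding.
make_sample_authorized_keys() {
  cat > "$1" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne00000000000000000000000000000 somebody@laptop
# comment lines and blank lines are ignored by sshd and by this script

command="/usr/bin/rrsync /backup",no-pty ssh-rsa AAAAB3NzaC1yc2EConstructedKeyTwo000000000000000000 backup@server
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyThree000000000000000000000000000 unknown@elsewhere
EOF
}

# Print one line per key entry: "<type> <base64 blob> <comment or ->".
# The optional leading options field (command=..., no-pty, ...) is skipped by
# taking the first field that looks like a key type; a command string that
# itself contains a field starting with "ssh-" would confuse this simple parser.
list_authorized_keys() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }
    {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) {
          comment = ""
          for (j = i + 2; j <= NF; j++)
            comment = comment (j > i + 2 ? " " : "") $j
          print $i, $(i + 1), (comment == "" ? "-" : comment)
          break
        }
      }
    }' "$1"
}

# Print "<type> <comment>" for every entry whose blob is not listed, one blob
# per line, in the allowlist file $2. Empty output means nothing unexpected.
unexpected_keys() {
  list_authorized_keys "$1" | while read -r ktype kblob comment; do
    grep -qxF -- "$kblob" "$2" || printf '%s %s\n' "$ktype" "$comment"
  done
}

# Stand-alone demo against the constructed sample.
demo_dir=$(mktemp -d)
make_sample_authorized_keys "$demo_dir/authorized_keys"
printf '%s\n' AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne00000000000000000000000000000 \
              AAAAB3NzaC1yc2EConstructedKeyTwo000000000000000000 > "$demo_dir/known_blobs"
echo "All keys:";        list_authorized_keys "$demo_dir/authorized_keys"
echo "Unexpected keys:"; unexpected_keys "$demo_dir/authorized_keys" "$demo_dir/known_blobs"
rm -rf "$demo_dir"
```

Run it once right after ''ssh-copy-id'' and again whenever a host changes hands; an entry in the "Unexpected keys" output is a key that can log in as you and that you cannot account for.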
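===== Scoping agent forwarding =====

The ''Host *'' / ''ForwardAgent yes'' setting above forwards your agent to every host you connect to. ssh_config(5) cautions that anyone able to bypass file permissions on a remote host (root, in practice) can use the forwarded agent socket to authenticate with your keys for as long as your session is open, so forwarding is best limited to the hop hosts you actually need. The script below is an added example, not part of the original page: it puts the page's global setting beside a scoped version and checks a client config for forwarding enabled under a wildcard ''Host'' pattern. Both config files are constructed; a real check would read ''/etc/ssh/ssh_config'' or ''~/.ssh/config''.

```shell
#!/bin/sh
# Added example, not part of the original page: compare the page's global
# "Host *" ForwardAgent setting with one scoped to a single hop host, and
# check an ssh_config file for wildcard-scoped forwarding. The config files
# below are constructed.

# Write two constructed client configs into directory $1.
write_sample_configs() {
  cat > "$1/weak_config" <<'EOF'
# The setting from the page: every host we connect to gets our agent.
Host *
    ForwardAgent yes
EOF
  cat > "$1/scoped_config" <<'EOF'
# Forward only to the one hop host we administer ourselves ...
Host the.remote.host
    ForwardAgent yes

# ... and explicitly not to anything else.
Host *
    ForwardAgent no
EOF
}

# Print the Host pattern of every block in which ForwardAgent is enabled.
# Keywords are matched case-insensitively, as ssh(1) does. Only Host blocks
# are understood here; Match blocks and Include directives are not handled.
forwarding_hosts() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }
    tolower($1) == "host" {
      host = $2
      for (i = 3; i <= NF; i++) host = host " " $i
      next
    }
    tolower($1) == "forwardagent" && tolower($2) == "yes" {
      print (host == "" ? "(before any Host block)" : host)
    }
  ' "$1"
}

# Succeed (exit 0) if no wildcard Host pattern has forwarding enabled,
# fail (exit 1) if one does, e.g. the "Host *" from the page.
forwarding_is_scoped() {
  forwarding_hosts "$1" | grep -q '[*?]' && return 1
  return 0
}

# Stand-alone demo on the constructed configs.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for cfg in weak_config scoped_config; do
  printf '%s forwards the agent to: %s\n' "$cfg" "$(forwarding_hosts "$demo_dir/$cfg" | tr '\n' ' ')"
  if forwarding_is_scoped "$demo_dir/$cfg"; then
    echo "  ok: forwarding is limited to named hosts"
  else
    echo "  warning: forwarding is enabled for a wildcard pattern"
  fi
done
rm -rf "$demo_dir"
```

With the scoped config you still hop from //Host A// to //Host B// without a password, because //Host A// is the one host that receives the agent; hosts you merely connect to never see it.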