Automatic SSH Logins
How to make SSH logins safer (by using keys instead of short passwords) and simpler (by having less stuff to remember).
Creating your Identity
To identify yourself you need a key pair (public and private key). Create it with ssh-keygen like this:
$> ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
88:13:b1:5e:36:eb:57:2d:5e:2e:0f:08:ab:72:61:be user@host
Be sure to use a good passphrase: a longer sentence that is easy for you to remember.
Using Keychain
To avoid having to type the passphrase every time the key is used to authenticate you, we use ssh-agent. And to make sure there is always one global ssh-agent running with the environment set up correctly, we use keychain.
Keychain is available as a Debian package:
#> apt-get install keychain
Now it needs to run whenever a shell is started; the easiest way is to include it in your ~/.bashrc like this:
#ssh keymanager
if [ "$PS1" ]; then
    if [ -e /usr/bin/keychain ]; then
        keychain ~/.ssh/id_dsa
        if [ -e ~/.ssh-agent-${HOSTNAME} ]; then
            . ~/.ssh-agent-${HOSTNAME}
        fi
        if [ -e ~/.keychain/${HOSTNAME}-sh ]; then
            . ~/.keychain/${HOSTNAME}-sh
        fi
    fi
fi
This will call keychain if it is installed and add your identity to the running ssh-agent. If no ssh-agent is running, keychain starts one and you will be asked for your passphrase. The needed environment variables are then written to ~/.ssh-agent-${HOSTNAME} or, depending on the keychain version, to ~/.keychain/${HOSTNAME}-sh, which the snippet above sources into your shell.
Try it:
$> echo $SSH_AGENT_PID
503
Authenticate by Key
So what to do with your shiny new identity stored in the running ssh-agent? Authenticate without a password, of course. It's simple: imagine a remote host you usually log on to with ssh somebody@the.remote.host, entering somebody's password. You only have to do this one more time, but this time use ssh-copy-id instead of ssh:
$> ssh-copy-id somebody@the.remote.host
somebody@the.remote.host's password:
Now try logging into the machine, with "ssh 'somebody@the.remote.host'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
Do as you're told and try to log in. If everything went well you will not be prompted for a password anymore.
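ssh-copy-id itself tells you to look at authorized_keys afterwards. The script below, an added example that is not part of the original page, does that check: it compares the key material in a public-key file against every entry in an authorized_keys file and reports keys that are missing or that nobody expected. File names, the key blobs and the intruder entry are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): after ssh-copy-id, confirm that
# authorized_keys holds exactly the key(s) you meant to install.
# On a real host (assumption): check_authorized_keys ~/.ssh/id_dsa.pub ~/.ssh/authorized_keys

# Print the base64 key blob of every key line in a file, one per line.
# Blank lines and comments are skipped; an options prefix (from=..., no-pty)
# and the trailing comment are ignored so only the key material is compared.
key_blobs() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) { print $i; break } }'
}

# check_authorized_keys EXPECTED_PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Returns 0 when every expected key is present and nothing else is,
# 1 when an expected key is missing, 2 when an unexpected key is present.
check_authorized_keys() {
    status=0
    for blob in $(key_blobs "$1"); do
        if ! key_blobs "$2" | grep -qxF "$blob"; then
            echo "MISSING: expected key $(printf '%.20s' "$blob")... is not installed"
            status=1
        fi
    done
    for blob in $(key_blobs "$2"); do
        if ! key_blobs "$1" | grep -qxF "$blob"; then
            echo "UNEXPECTED: authorized_keys also grants $(printf '%.20s' "$blob")..."
            if [ "$status" -eq 0 ]; then status=2; fi
        fi
    done
    return "$status"
}

# Constructed sample files (fake key blobs) so the check can run offline.
make_demo_files() {
    dir=$(mktemp -d)
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMINEMINEMINEMINEMINEMINEMINE user@host' > "$dir/id_ed25519.pub"
    # Good case: only our key, as ssh-copy-id would leave it.
    cp "$dir/id_ed25519.pub" "$dir/authorized_keys.good"
    # Bad case: our key plus a second, unexpected key that carries an options prefix.
    {
        cat "$dir/id_ed25519.pub"
        echo 'no-pty,from="10.0.0.5" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAASOMEONEELSESOMEONEELSE intruder@elsewhere'
    } > "$dir/authorized_keys.bad"
    echo "$dir"
}

# Stand-alone run over the constructed files.
demo=$(make_demo_files)
check_authorized_keys "$demo/id_ed25519.pub" "$demo/authorized_keys.good" && echo "good file: ok"
check_authorized_keys "$demo/id_ed25519.pub" "$demo/authorized_keys.bad" || echo "bad file: status $?"
```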
Take your identity with you
Do you have multiple hosts in your LAN to administer? Do you sometimes hop from host to host? First, copy your key to all these hosts as described in the last section. But this alone will not let you log into Host A and go on passwordless to Host B from there, because your identity (and your ssh-agent) only exist on your own machine, not on Host A.
SSH supports something called agent forwarding. You can either remember to add the command-line option -A every time you call ssh:
$> ssh -A somebody@the.remote.host
or you can add it to the /etc/ssh/ssh_config file on your host to enable it by default:
Host *
    ForwardAgent yes
To check if it worked you can use ssh-add to show your identity:
$> ssh-add -L
It should print your public key.
Managing SSH Connections
Now you are already able to log in to all your favourite hosts without typing any passwords. Unfortunately you still have to type all the host and user names. Let's get another tool: connmgr. Download and install the Debian package:
$> wget http://mesh.dl.sourceforge.net/sourceforge/sshmgr/connmgr_1.0.0-1_all.deb
#> dpkg -i connmgr_1.0.0-1_all.deb
Now you can add and use SSH connection profiles with sshmgr:
Adding a new profile:
$> sshmgr -a remote
add profile: remote
enter hostname: the.remote.host
enter username [user]: somebody
enter port number [22]:
enter pre-command [none]:
$ successfully added the profile: "remote".
Connecting to a profile:
$> sshmgr remote
Yep, that's it. And the best thing is that it supports bash completion, so sshmgr rem<TAB> works.