Using SSH for Passwordless Remote Login

Secure Shell or SSH is a network protocol allowing secure data exchanges between two networked devices. It is designed to replace Telnet, which sends information over the network in plain text making it susceptible to interception or eavesdropping. SSH, on the other hand, provides secure communication by encrypting the data sent over the network. It is typically used to login to a remote computer and to execute commands remotely. Aside from this, SSH can also be used to securely transfer files using scp or sftp, forward TCP ports, SSH tunneling, among others.

The following is my outline on how to use SSH for passwordless remote login. Of course, this is far from being complete and some of the things below may not work perfectly with your setup. There are many howtos regarding this topic and you should be able to find the one that is appropriate for your system.

1. Generating key pairs

SSH uses public-key cryptography to authenticate remote computers. In this form of cryptography, a user has a public key, which can be widely distributed, and a private key, which should be kept secret. Before you can use SSH, you will need to generate this key pair. You can do this using ssh-keygen, as follows.

[baggy@mycomp] ssh-keygen    
Generating public/private rsa key pair.     
Enter file in which to save the key (/home/baggy/.ssh/id_rsa): (hit enter to use the default value)
Enter passphrase (empty for no passphrase): (enter a passphrase or hit enter for empty passphrase)
Enter same passphrase again: (enter the same passphrase here)     
Your identification has been saved in /home/baggy/.ssh/id_rsa.     
Your public key has been saved in /home/baggy/.ssh/id_rsa.pub.     
[baggy@mycomp]

Note that in the above, a passphrase refers to a string of words and characters that will be used to authenticate you when you want to use your ssh identification. It differs from a password in that you can use spaces or tabs and it is also usually longer. Generally, it is a phrase and not just a single word.

To generate different types of key pairs such as DSA or RSA, you can use the -t option of ssh-keygen. For example, the command should be ssh-keygen -t dsa to generate a DSA key pair. After generating your key pair, you’ll need to install your public key to the remote systems you are planning to connect.

2. Installing the public key to remote machines you want to connect

To install your public key, you can use ssh-copy-id if this command is available.

[baggy@mycomp] ssh-copy-id baggy@remote.machine.com    
baggy@remote.machine.com's password: (enter your password for remote machine)
Now try logging into the machine, with "ssh 'baggy@remote.machine.com'", and check in:     
      .ssh/authorized_keys     
to make sure we haven't added extra keys that you weren't expecting.    
[baggy@mycomp]

Replace baggy@remote.machine.com with your actual username and the hostname of the remote machine. If ssh-copy-id is not available, you can use scp to copy your public key file to the remote computer, then add this file to authorized_keys file in your home directory’s .ssh subdirectory.

You can now try connecting to your remote system using the following:

[baggy@mycomp] ssh baggy@remote.machine.com    
Enter passphrase for key '/home/baggy/.ssh/id_rsa': (enter passphrase here)
Last login: Tue Aug 18 08:08:08 from mycomp.localbox.com    
[baggy@remote]

As you might have noticed, instead of asking for the password of the remote machine, SSH asked the passphrase of your SSH identity. The advantage of this over using a password is that the passphrase is never transmitted over the network making the approach safer. If SSH still asks for a password, verify your remote system’s sshd configuration and make sure that RSA/DSA authentication is enabled.

Okay, you don’t type your password but it still requires you to type your passphrase. The password is just being replaced by the passphrase, sort of. So is there a way to do away with the passphrase also? Fortunately, the answer is yes and that is by using ssh-agent.

3. Using ssh-agent

ssh-agent is part of the OpenSSH package to manage RSA and DSA keys. It is a long running daemon designed to cache your decrypted keys so that SSH can communicate with it and use the cached keys without prompting you for a passphrase every time you make a remote connection. To add an identity managed by an ssh-agent, you can use ssh-add.

There are many ways to use ssh-agent. For me, since I only use it in a single shell, I just use the following:

[baggy@mycomp] ssh-agent /bin/bash   
[baggy@mycomp] ssh-add     
Enter passphrase for /home/baggy/.ssh/id_rsa: (enter passphrase here)
Identity added: /home/baggy/.ssh/id_rsa (/home/baggy/.ssh/id_rsa)     
[baggy@mycomp]

Within this shell, you can now remote login or run commands remotely without being prompted for a passphrase.