Robert Nicholas (ren10@psu.edu), Earth and Environmental Systems Institute, Penn State University

updated 24 June 2014

Introduction

SSH is a great tool for securely connecting to remote systems via the command line; however, the need to enter your password each time can quickly become tedious. This is especially true if you’re using multiple systems for which you need to remember different passwords or if you’re hoping to automate tasks that require SSH in some way.

In this brief tutorial, I describe a method for using cryptographic keys to enable passwordless connections for utilities using the SSH protocol. This method is known to work on Linux, OS X, BSD, and other Unix-like operating systems. It probably also works on Windows under Cygwin, and portions of this approach may work with the excellent MobaXTerm, but neither of these has been tested. The examples below assume you have a Penn State login ID and are trying to connect to one of SCRiM’s big Linux machines, but the general procedure should work for connecting to most Unix-y systems running an OpenSSH server. For information on how to set up passwordless SSH for Chrome’s Secure Shell app, see “Can I connect using a public key pair or certificate?” in this FAQ.

A Word on Security

I recommend the procedure outlined below on the assumption that the computer and account from which you are connecting are themselves secure (e.g. the account has a strong password, the machine is physically secured, and it has no open network services that allow unsecured remote access). NEVER use this procedure if another (even trusted) individual has access to this account and NEVER share your Penn State password with anyone else. See policy AD20 for more information on security requirements for users of Penn State computing systems.

Preliminaries

First, let’s do a little work to streamline SSH connections, regardless of whether you decide to go the passwordless route or not. In these examples, we assume you have a Penn State login ID abc123 and that you’ll be logging into both woju.scrim.psu.edu and mizuna.scrim.psu.edu. In this case, both machines happen to mount the same set of home directories (the home directories are on a disk array directly attached to woju and mounted over the network by mizuna, in case you’re curious), which will simplify our work in subsequent steps.

At the shell (Terminal on OS X, Terminal or virtual console on Linux), type the following:

umask 077
mkdir -p ~/.ssh
cd ~/.ssh

Next, use the console editor of your choice to create or modify the SSH configuration file. To use the nano editor for this, type

nano config

and add the following lines to the file, replacing abc123 with your Penn State login ID:

Host woju
    HostName woju.scrim.psu.edu
    User abc123

Host mizuna
    HostName mizuna.scrim.psu.edu
    User abc123

As per the on-screen help, press control-X, Y, and then enter to save and exit.

What we’ve done here is create a set of aliases that allow you to log into these two remote systems with fewer keystrokes. Now, instead of typing

ssh abc123@woju.scrim.psu.edu

you can simply type

ssh woju

to connect to woju. Try it out and confirm that it works for both systems; note that you’ll still need your password at this point.

Setting up the Keys and Logging In

While at the command prompt (making sure you’re still in ~/.ssh), type

ssh-keygen

and keep hitting enter until the command completes; this accepts the default file location and leaves the key’s passphrase empty, which is why the account holding the private key must itself be secure. This generates a public (id_rsa.pub) and private (id_rsa) key pair, which you should be able to see by typing ls. Next, we’ll transfer the public key to the remote host. Carefully type the following at the command prompt (all on one line) and hit enter:

cat id_rsa.pub | ssh woju 'umask 077; mkdir -p .ssh; cat >> .ssh/authorized_keys'

Note that you’ll be prompted for your password again, but this should be the last time.

And that’s it. Try

ssh woju

and

ssh mizuna

to confirm that you can now connect without a password. If it doesn’t work, carefully review the above steps or contact tech@scrim.psu.edu for assistance.
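
One thing to check when key login still asks for a password is file permissions: the ssh client refuses a private key that others can read, and sshd's StrictModes check (on by default) rejects keys when ~/.ssh or authorized_keys is writable by group or others. The script below is an added example, not part of the original tutorial; the function names check_ssh_perms and mode_of are hypothetical, and the file names are the ones used in the steps above.

```sh
#!/bin/sh
# Added example: report anything in an SSH directory that is more open
# than the "umask 077" used in this tutorial would have created.

# Print the octal permission bits of a path.
# GNU stat (Linux) is tried first, then BSD stat (OS X, BSD).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_perms DIR
# Prints one line per path that group or other can access, and returns
# the number of such paths (0 means everything is owner-only).
check_ssh_perms() {
    dir=$1
    bad=0
    for f in "$dir" "$dir/id_rsa" "$dir/config" "$dir/authorized_keys"; do
        [ -e "$f" ] || continue      # e.g. no authorized_keys on the client side
        mode=$(mode_of "$f")
        # The last two octal digits are the group and other bits; both must be 0.
        case $mode in
            0|*00) ;;
            *)  echo "too open ($mode): $f  (fix: chmod go-rwx '$f')"
                bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# When run with an argument, audit that directory:  sh check_ssh_perms.sh ~/.ssh
if [ $# -gt 0 ]; then
    check_ssh_perms "$1"
fi
```

Run it against ~/.ssh on your own machine and again on woju; since woju and mizuna share home directories, one check on the remote side covers both.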

Final Notes

The work you’ve done in setting up passwordless SSH will simplify other tasks that use the SSH protocol; secure copy (scp) and secure file transfer protocol (sftp) to/from woju and mizuna should also now work without a password. Other applications that use OpenSSH for secure connections (e.g. SSHFS in MacFUSE, ExpanDrive, Transmit, CyberDuck) should also be able to connect to woju and mizuna without a password.

Finally, please remember that your SSH connection is only secure if the hosts on each end are secure as well. We have a great team helping ensure the security of SCRiM’s computing systems. Please make sure the computers you use are secure by using strong passwords and smart physical security.