Sometimes it is required that ssh login to a server or desktop should be password free, i.e. when you ssh to such a machine it doesn't prompt you for a password. Imagine a situation where your backup script is trying to copy some data from a remote machine to the backup server using the rsync command. In such a case you would not want the rsync command waiting for the password of the remote server.
In this article we will learn how to make password-free ssh logins.

ssh-keygen is a utility which creates the public and private keys. ssh-copy-id copies the local-host's public key to the remote-host's authorized_keys file. ssh-copy-id also assigns the proper permissions to the remote-host's home, ~/.ssh, and ~/.ssh/authorized_keys.

Step 1: Create public and private keys using ssh-keygen on local-host

[root@localhost]$ ssh-keygen

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa):[Enter key]

Enter passphrase (empty for no passphrase): [Press enter key]

Enter same passphrase again: [Press enter key]

Your identification has been saved in /root/.ssh/id_rsa.

Your public key has been saved in /root/.ssh/id_rsa.pub.

The key fingerprint is:

33:b3:fe:af:95:95:18:11:31:d5:de:96:2f:f2:35:f9 [root@localhost]

Step 2: Copy the public key to remote-host using ssh-copy-id

[root@localhost]$ ssh-copy-id -i ~/.ssh/id_rsa.pub remote-host

root@remote-host's password:

Now try logging into the machine, with "ssh 'remote-host'", and check in:

.ssh/authorized_keys

to make sure we haven’t added extra keys that you weren’t expecting.

Note: ssh-copy-id appends the keys to the remote-host's .ssh/authorized_keys.

Step 3: Login to remote-host without entering the password

[root@localhost]# ssh remote-host

Last login: Sun Nov 16 17:22:33 2008 from 192.168.1.2

[Note: SSH did not ask for password.]

[root@remote-host]# [Note: You are on remote-host here]

The above 3 simple steps should get the job done in most cases.

Using ssh-copy-id along with the ssh-add/ssh-agent

When no value is passed for the option -i and ~/.ssh/identity.pub is not available, ssh-copy-id will display the following error message.

[root@localhost]$ ssh-copy-id -i remote-host

/usr/bin/ssh-copy-id: ERROR: No identities found

If you have loaded keys into the ssh-agent using ssh-add, then ssh-copy-id will get the keys from the ssh-agent to copy to the remote-host, i.e. it copies the keys listed by the ssh-add -L command to the remote-host when you don't pass option -i to ssh-copy-id.

[root@localhost]$ ssh-agent $SHELL

[root@localhost]$ ssh-add -L

The agent has no identities.

[root@localhost]$ ssh-add

Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)

[root@localhost]$ ssh-add -L

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsJIEILxftj8aSxMa3d8t6JvM79DyBV

aHrtPhTYpq7kIEMUNzApnyxsHpH1tQ/Ow== /root/.ssh/id_rsa

[root@localhost]$ ssh-copy-id -i remote-host

root@remote-host's password:

Now try logging into the machine, with "ssh 'remote-host'", and check in:

.ssh/authorized_keys

to make sure we haven’t added extra keys that you weren’t expecting.

[Note: This has added the key displayed by ssh-add -L]

Three Minor Annoyances of ssh-copy-id

Following are a few minor annoyances of ssh-copy-id.

  1. Default public key: ssh-copy-id uses ~/.ssh/identity.pub as the default public key file (i.e. when no value is passed to option -i). Instead, I wish it used id_dsa.pub, or id_rsa.pub, or identity.pub as default keys, i.e. if any one of them exists, it should copy that to the remote-host. If two or three of them exist, it should copy identity.pub as default.
  2. The agent has no identities: When the ssh-agent is running and ssh-add -L returns "The agent has no identities" (i.e. no keys are added to the ssh-agent), ssh-copy-id will still copy the message "The agent has no identities" to the remote-host's authorized_keys entry.
  3. Duplicate entry in authorized_keys: I wish ssh-copy-id validated duplicate entries on the remote-host's authorized_keys. If you execute ssh-copy-id multiple times on the local-host, it will keep appending the same key to the remote-host's authorized_keys file without checking for duplicates. Even with duplicate entries everything works as expected. But, I would like to have my authorized_keys file clutter free.
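As an added example (not code from the original article or from OpenSSH), the following POSIX shell script addresses annoyances 2 and 3 from the receiving side and doubles as the "check authorized_keys to make sure we haven't added extra keys" step that ssh-copy-id prints above: it appends a line only if it is a well-formed OpenSSH public key, skips the append when the same key type and blob are already present (the comment field is ignored, so the same key with a different comment still counts as a duplicate), sets the 700/600 permissions ssh-copy-id would set, and audits an existing file for lines that are not keys. The function names, the constructed key blobs and the temporary directory are assumptions; lines carrying authorized_keys options (from=, command=, ...) are treated as malformed by this simplified check.

```shell
#!/bin/sh
# Added example, not code from the original article or from OpenSSH.
# Append a public key to authorized_keys only if it is well-formed and not
# already present, keep the permissions ssh-copy-id sets, and audit a file
# for lines that are not keys. Assumes plain "type blob [comment]" lines;
# lines with option prefixes (from=, command=, ...) are flagged as malformed.

# Return 0 if the line looks like an OpenSSH public key, 1 otherwise.
is_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$'
}

# Number of lines in an authorized_keys file (0 for a missing file).
count_authorized_keys() {
    [ -f "$1" ] || { echo 0; return; }
    awk 'END { print NR }' "$1"
}

# add_authorized_key <ssh_dir> "<public key line>"
# Returns 0 if appended, 1 if the key was already present, 2 if refused.
add_authorized_key() {
    ssh_dir=$1
    line=$2
    file=$ssh_dir/authorized_keys
    if ! is_pubkey_line "$line"; then
        echo "refusing to append a line that is not a public key: $line" >&2
        return 2
    fi
    # Identity is key type + base64 blob; the comment is ignored for
    # duplicate detection so the same key with a new comment is still a dup.
    keyid=$(printf '%s\n' "$line" | awk '{ print $1 " " $2 }')
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$file" && chmod 600 "$file"
    if awk -v k="$keyid" '($1 " " $2) == k { found = 1 } END { exit !found }' "$file"; then
        echo "key already present, not appending" >&2
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
}

# Print every non-blank, non-comment line that is not a well-formed key and
# return 1 if any was found. Catches junk such as "The agent has no
# identities." landing in the file (annoyance 2) and lets you review what
# ssh-copy-id actually added.
audit_authorized_keys() {
    bad=0
    while IFS= read -r l || [ -n "$l" ]; do
        case $l in
            ''|'#'*) continue ;;
        esac
        if ! is_pubkey_line "$l"; then
            printf 'suspicious line: %s\n' "$l"
            bad=1
        fi
    done < "$1"
    return $bad
}

# Demo with a constructed (not real) key in a temporary directory.
demo_dir=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyBlob0000000000000000 root@localhost'
add_authorized_key "$demo_dir/.ssh" "$demo_key" && echo "added: $(count_authorized_keys "$demo_dir/.ssh/authorized_keys") key(s)"
add_authorized_key "$demo_dir/.ssh" "${demo_key% *} backup@localhost" || echo "duplicate refused (rc=$?)"
add_authorized_key "$demo_dir/.ssh" 'The agent has no identities.' || echo "junk refused (rc=$?)"
audit_authorized_keys "$demo_dir/.ssh/authorized_keys" && echo "audit clean"
rm -rf "$demo_dir"
```

Running it against a real ~/.ssh directory instead of the demo path gives you a drop-in replacement for the blind append that ssh-copy-id performs, and audit_authorized_keys alone is a cheap check to run on any server where several people have used ssh-copy-id over the years.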


Posted in: Linux.
Last Modified: January 12, 2017