Passwordless SSH
This information is from the manpages for ssh, ssh-keygen and ssh-agent.
If you generated keys using Debian and Ubuntu systems issued between 2006-09-17 and June 2008 then regenerate your keys! More information (the CSLAB systems were unaffected).
Here’s how to configure ssh to connect to any cluster machine without a password:
ssh-keygen -t rsa
# accept the default filename and choose a password
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
# [Also copy authorized_keys to ~/.ssh on machines that don't mount the same home directory]
chmod go-rwx ~/.ssh/*
ssh-add
# enter the password you chose before
It is possible to use a blank password, which is convenient. However, you shouldn’t. Assuming you do set a password you will need to run
ssh-add < /dev/null
at X startup. Exactly how to do this depends on the system. I don't use the Gnome or KDE desktops, but I’m told you need to do the following:
Gnome: Click on System, choose Preferences, choose Sessions, select the Startup Programs tab, click on Add, and enter "ssh-add" as a command.
KDE:
ln -s /usr/bin/ssh-add .kde/Autostart
Troubleshooting
It doesn’t work
ssh is very fussy about file permissions. Did you do?
chmod go-rwx ~/.ssh/*
For ssh-add to work, ssh-agent needs to be set up and running. But on at least Debian/Ubuntu systems, that part is sorted out by default.
Otherwise, I’m not sure. Remember that “ssh -vvv” gives very verbose debugging information (use fewer v’s for less).
I’ve ssh’d computer A, now I must retype my password to ssh computer B from that!?
If this is not what you wanted, you should change your default settings or use the -A option when sshing the first computer. This forwards a connection to your ssh-agent.
Now I have to type in my password twice?
On logging on you now have to type your login password and a password to unlock your keys to ssh-agent. Note that these passwords are for different things and can be different. Having a blank password on your keys is a bad idea, especially if you use NFS. I don’t know of a way to get the login program to pass a password onto ssh-agent (without a lot of hacking).
What’s the relationship between my login password and my ssh keys?
None. Your encrypted keys are stored separately from the hash of your login password; nothing forces your key and login passwords to be the same. If your account is compromised you need to change your password and your ssh keys. If you only change your password, your old ssh keys will still allow access to your account (and vice versa).