Passwordless SSH

This information is from the manpages for ssh, ssh-keygen and ssh-agent.

If you generated keys using Debian and Ubuntu systems issued between 2006-09-17 and June 2008 then regenerate your keys! More information.

Here’s how to configure ssh to connect to any cluster machine without a password:

        ssh-keygen -t rsa
        # accept the default filename and choose a password
        cat ~/.ssh/ >> ~/.ssh/authorized_keys
        # [Also copy authorized_keys to ~/.ssh on machines that don't mount the same home directory]
        chmod go-rwx ~/.ssh/*
        # enter the password you chose before

It is possible to use a blank password, which is convenient. However, you shouldn’t. Assuming you do set a password you will need to run

ssh-add < /dev/null

at X startup. The method for starting applications automatically depends on the system. I don’t use the Gnome or KDE desktops, but I’m told you need to do the following:

Gnome: Click on System, choose Preferences, choose Sessions, select the Startup Programs tab, click on Add, and enter "ssh-add" as a command.

KDE: ln -s /usr/bin/ssh-add .kde/Autostart


It doesn’t work

ssh is very fussy about file permissions. Try the following:
chmod go-rwx ~/.ssh/*

For ssh-add to work, ssh-agent needs to be set up and running. But on at least Debian/Ubuntu systems, that part is sorted out by default.

Otherwise, I’m not sure. Remember that “ssh -vvv” gives very verbose debugging information (use fewer v’s for less).

I’ve ssh’d computer A, now I must retype my password to ssh computer B from that!?

To use your local key to authenticate through a chain of computers, use the -A option to ssh. This option forwards a connection to your ssh-agent.

Now I have to type in my password twice?

On logging on you now have to type your login password and a password to unlock your keys to ssh-agent. Note that these passwords are for different things and can be different. Having a blank password on your keys is a bad idea, especially if you use NFS. I don’t know of a way to get the login program to pass a password onto ssh-agent (without a lot of hacking).

What’s the relationship between my login password and my ssh keys?

None. Your encrypted keys are stored separately from the hash of your login password; nothing forces your key and login passwords to be the same. If your account is compromised you need to change your password and your ssh keys. If you only change your password, your old ssh keys will still allow access to your account (and vice versa).