Using ssh without Annoying Password Queries
Overview of ssh
Ssh sets up a secure connection for logging into a remote machine and for executing commands on a remote machine. The ssh server (sshd) runs on the remote machine, and the ssh client (ssh) runs on the local machine. There are basically 5 ways for the client to authenticate to the server:
1. .rhosts authentication
2. .rhosts authentication combined with RSA host authentication
3. RSA challenge-response authentication
4. TIS challenge-response authentication
5. password based authentication.
The first is in general disabled (this is the case on lesser-magoo). The second one is not disabled on lesser-magoo, but I was not able to make it work. The third works fine, and I will present it in more detail below. I didn't try the fourth one. The fifth one is the default: if everything else fails, the client (ssh) asks the user for the password, and then sends the encrypted password to the remote machine for checking.
Overview of the RSA challenge-response ssh mode
Here is how the RSA challenge-response works. This method is based on the RSA public-key scheme. First the user has to do the following initialization. He has to generate on the local machine a pair (Kpublic, Kprivate) of a public and a private key. The user is asked for a passphrase for building the pair of keys. The passphrase is used to encrypt the private key before storing it on the local machine. The passphrase need not be the same as the user password. Then the user has to move the public key to the remote machine.
With the passphrase and the public/private keys set up, the client-server interaction works as follows. The server sends the client a challenge, which is a random number encrypted with the public key held on the remote machine. The client decrypts it with the private key held on the local machine and sends the answer back to the server. The server now trusts the client and accepts the connection.
However, for the client to obtain the private key, it has to decrypt the encrypted private key using the passphrase. In other words, you have to type the passphrase for every secure connection to the remote machine. A more convenient way is to use the authentication agent, a daemon that asks for the passphrase just once and then uses the decrypted key automatically for every subsequent connection, so that the user won't have to type the passphrase as long as the agent is active.
How to use RSA challenge-response ssh mode with an agent
This allows you to run commands on the remote machine (e.g. cvs, file copy, etc.) without typing the password every time. There are two main steps: setting up the RSA keys on the machines, and then actually using the RSA authentication mode with an authentication agent.
Step 1: Set RSA keys on the machines
Step 1.1. Build the public/private keys on the local machine using a passphrase:
Command: ssh-keygen -f ~/.ssh/identity -N <passphrase>
Effects: it will generate two files: the public key ~/.ssh/identity.pub, and the encrypted private key: ~/.ssh/identity. The private key is encrypted using the passphrase.
Step 1.2. Copy the public key from the local machine to ~/.ssh/authorized_keys on the remote machine:
Command: scp ~/.ssh/identity.pub lm:~/.ssh/authorized_keys
Note: at this time you will be asked for a password since the RSA authentication mode is not set up yet.
Step 1.3. Make sure that both the directory .ssh and the file .ssh/authorized_keys on the remote machine don't have write permissions for "group" and "other". You can disable the group/other write permissions using:
Command: chmod og-w ~/.ssh ~/.ssh/authorized_keys
Note: If group or other write permission is set on either the .ssh directory or the authorized_keys file on the remote machine, then sshd will consider that the setup is not safe enough (another local user could add their own key to the file), so it will abort the RSA challenge-response mode (mode 3) and fall back to the default mode (mode 5), asking you for the password on the remote machine.
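Steps 1.2 and 1.3 as one script, added here as an example and not part of the original page. Unlike the scp command above, which replaces whatever authorized_keys already contains, it appends the public key only if that exact line is not already present, then applies and verifies the permission rule from Step 1.3 (sshd refuses the key file when anyone but the owner can write to it, since that would let another local user append their own key). The paths are arguments so it can be tried against a scratch directory; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original page): install a public key into
# authorized_keys without clobbering existing keys, then verify the
# permissions sshd insists on before it will use the file.

# install_pubkey PUBKEY_FILE AUTH_KEYS_FILE
# Append the key line to AUTH_KEYS_FILE unless the identical line is there.
install_pubkey() {
    pub=$1
    auth=$2
    key=$(cat "$pub") || return 1
    mkdir -p "$(dirname "$auth")"
    touch "$auth"
    if grep -qxF -- "$key" "$auth"; then
        echo "already present: $pub" >&2
    else
        printf '%s\n' "$key" >> "$auth"
    fi
    # What scp does not do for you: drop group/other write bits (Step 1.3).
    chmod og-w "$(dirname "$auth")" "$auth"
}

# check_rsa_perms SSH_DIR
# Return 0 if SSH_DIR and SSH_DIR/authorized_keys exist and are neither
# group- nor world-writable, 1 otherwise.  Uses ls -ld rather than stat so
# it behaves the same on Linux and BSD-style systems.
check_rsa_perms() {
    rc=0
    for p in "$1" "$1/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p" >&2
            rc=1
            continue
        fi
        mode=$(ls -ld "$p" | cut -c1-10)      # e.g. drwxr-xr-x
        case "$mode" in
            ?????w*|????????w*)               # char 6 = group w, char 9 = other w
                echo "unsafe ($mode): $p" >&2
                rc=1 ;;
        esac
    done
    return $rc
}

# count_keys AUTH_KEYS_FILE: number of non-empty lines, i.e. keys on file.
count_keys() {
    grep -c . "$1"
}

# Direct use: ./install-key.sh ~/.ssh/identity.pub ~/.ssh
if [ $# -eq 2 ]; then
    install_pubkey "$1" "$2/authorized_keys" && check_rsa_perms "$2"
fi
```

Run it on the remote machine after copying identity.pub over with scp under some other name. One more thing worth knowing about Step 1.1: a passphrase given with -N on the command line ends up in the shell history and is briefly visible in the process list; leaving -N off makes ssh-keygen prompt for it instead.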
Step 2: Actual use of the RSA challenge-response mode with an agent
Now that the public and private keys are created and placed in the appropriate files, you just need an authentication agent so that you don't have to type the passphrase for every remote connection. To do this you first have to set up an authentication agent and tell it your identity, then comfortably run commands on the remote machine (without spending precious time typing passwords/phrases), and finally kill the agent when you are done playing on the remote machine.
Step 2.1. Set the authentication agent and tell the agent your identity
Step 2.1.1. start the authentication agent on the local machine with the ssh-agent command:
Command: eval `ssh-agent`
Step 2.1.2. add your identity to the agent:
Command: ssh-add
Note: it will ask for your passphrase, and it will make the agent remember it for any subsequent connection to the remote ssh server. Also all the children shells of the agent-creation shell will benefit from agent services as well, but the parent shells will not.
If you are not sure if the agent is started or if your identity is added to the agent, just type: "ssh-add -l". It lists all the identities (public keys) that are currently added to the agent. If the agent is not started, or if it is started but it has no identities added, then the above command will give appropriate error messages.
Step 2.2. Being productive - no more passwords.
Now everything is set up, and from now on you don't have to type the passphrase or the password as long as the agent is alive and knows your identity. Just try some random commands to convince yourself that you no longer need to type passwords/phrases:
cd ~/Harpoon/Code; cvs update
scp lm:~/Harpoon/Code/Main/Main.java ~/itworks!; rm ~/itworks!
Step 2.3. Get rid of the agent:
Step 2.3.1. remove your identity from the agent:
Command: ssh-add -d
Step 2.3.2. kill the agent:
Command: eval `ssh-agent -k`
Automatically setting up / killing the agent
This section shows how to perform step 2 from the previous section automatically, that is to set up / kill the agent automatically. There are two ways for doing this:
Method 1: Set the agent and kill the agent by making sure you have the following lines in the .Xclients file (the first two are the commands from Step 2.1, the last one the command from Step 2.3.2):
eval `ssh-agent`
ssh-add
/etc/X11/xinit/Xclients #or your specific path
eval `ssh-agent -k`
You will be asked for your passphrase every time you start X.
Method 2: Set up the agent using a simple script set-agent, and kill the agent using another script kill-agent. You have to source these files to have them work:
- run "source set-agent" to set up the authentication agent,
- run "source kill-agent" to kill the authentication agent.
In the interval between running these commands, the agent-creation shell and its children will benefit from services from the agent (i.e. you won't have to type your password/phrase on remote connections). Probably an even more convenient way is to set the agent in .login and kill the agent in .logout.
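A set-agent/kill-agent pair as one sourceable file, added as an example; these are not the page's own scripts. It assumes ssh-agent and ssh-add are on the PATH and that the key is the ~/.ssh/identity built in Step 1.1. The helper agent_alive is mine: it lets a second login reuse an agent that is already running instead of starting another one, which is the usual failure when the agent is started from .login (each login otherwise asks for the passphrase again and leaves the previous agent running).

```shell
# Added example, not the page's set-agent/kill-agent.  Source this file from
# the shell (or from .login/.logout), then call set_agent and kill_agent.
# Assumes ssh-agent and ssh-add are on PATH and ~/.ssh/identity is the key.

# agent_alive: return 0 if SSH_AGENT_PID names a running process and
# SSH_AUTH_SOCK, when set, still points at a socket; 1 otherwise.
agent_alive() {
    [ -n "${SSH_AGENT_PID:-}" ] || return 1
    kill -0 "$SSH_AGENT_PID" 2>/dev/null || return 1
    [ -z "${SSH_AUTH_SOCK:-}" ] || [ -S "$SSH_AUTH_SOCK" ] || return 1
    return 0
}

# set_agent: start an agent unless one is already reachable, then load the
# identity if the agent holds none (ssh-add -l exits non-zero when it has no
# identities or cannot reach an agent).
set_agent() {
    if agent_alive; then
        echo "reusing ssh-agent (pid $SSH_AGENT_PID)"
    else
        # eval runs in this shell, so SSH_AUTH_SOCK/SSH_AGENT_PID stick;
        # the "Agent pid" message is discarded.
        eval `ssh-agent` >/dev/null || return 1
    fi
    if ! ssh-add -l >/dev/null 2>&1; then
        ssh-add "$HOME/.ssh/identity"   # asks for the passphrase once
    fi
}

# kill_agent: forget every loaded identity, then stop the agent.  Forgetting
# first matters: if the kill fails for some reason, what is left behind is an
# agent with no usable key rather than one that still answers challenges.
kill_agent() {
    agent_alive || { echo "no agent to kill" >&2; return 1; }
    ssh-add -D >/dev/null 2>&1
    eval `ssh-agent -k` >/dev/null
}
```

With this in place, "source set-agent" and "source kill-agent" from the text become set_agent and kill_agent, and putting the first in .login and the second in .logout, as suggested above, no longer piles up one agent per login.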