Using ssh without Annoying Password Queries


Overview of ssh

Ssh sets up a secure connection for logging into a remote machine and for executing commands on a remote machine. The ssh server (sshd) runs on the remote machine, and the ssh client (ssh) runs on the local machine. There are basically 5 ways for the client to authenticate to the server:

The first is in general disabled (this is the case on lesser-magoo). The second one is not disabled on lesser-magoo, but I was not able to make it work. The third works fine, and I will present it in more detail below. I didn't try the fourth one. The fifth one is the default: if everything else fails, the client (ssh) asks the user for the password, and then sends the encrypted password to the remote machine for checking.


Overview of the RSA challenge-response ssh mode

Here is how the RSA challenge-response works. This method is based on the RSA public-key scheme. First the user has to do the following initialization. He has to generate on the local machine a pair (Kpublic, Kprivate) consisting of a public and a private key. The user is asked for a passphrase while building the pair of keys. The passphrase is used to encrypt the private key before storing it on the local machine. The passphrase need not be the same as the user password. Then the user has to move the public key to the remote machine.

With the passphrase and the public/private keys set up, the client-server interaction works as follows. The server sends the client a challenge, which is a random number encrypted with the public key stored on the remote machine. The client decrypts it with the private key stored on the local machine and sends the answer back to the server. The server now trusts the client and accepts the connection.

However, for the client to obtain the private key, it has to decrypt the encrypted private key using the passphrase. In other words, you have to type the passphrase for every secure connection to the remote machine. A more convenient way is to use the authentication agent, a daemon that asks for the passphrase just once and then answers challenges automatically for every subsequent connection, so that the user won't have to type the passphrase as long as the agent is active.


How to use RSA challenge-response ssh mode with an agent

This allows you to run commands on the remote machine (e.g. cvs, file copy, etc.) without typing the password every time. There are two main steps: setting up the RSA keys on the machines and then actually using the RSA authentication mode with an authentication agent.

Step 1: Set RSA keys on the machines

Step 2: Actual use of the RSA challenge-response mode with an agent

Now that the public and private keys are created and placed in the appropriate files, you just need an authentication agent so that you do not have to type the passphrase for every remote connection. To do this you first have to start an authentication agent and tell it your identity, then comfortably run commands on the remote machine (without spending precious time typing passwords/phrases), and finally kill the agent when you are done working on the remote machine.


Automatically setting up / killing the agent

This section shows how to perform step 2 from the previous section automatically, that is, how to start and kill the agent automatically. There are two ways of doing this:

Method 1: Start the agent and kill the agent by making sure you have the following lines in the .Xclients file:

You will be asked for your passphrase every time you start X.

Method 2: Start the agent using a simple script set-agent, and kill the agent using another script kill-agent. You have to source these files for them to work:

In the interval between running these commands, the agent-creation shell and its children benefit from the agent's services (i.e. you won't have to type your password/phrase on remote connections). Probably an even more convenient way is to start the agent in .login and kill the agent in .logout.
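As an added illustration of the set-agent / kill-agent idea (this is not the page's own scripts, which are not reproduced here), the functions below record the agent's environment in a file so that a later shell or .logout can kill the same agent, reuse an agent that is still alive instead of spawning an orphan, keep the env file private, and give loaded keys a lifetime. It assumes a modern OpenSSH ssh-agent/ssh-add and the file path $HOME/.ssh/agent-env, both my choices.

```shell
#!/bin/sh
# Source this file, then call set_agent / kill_agent (e.g. from .login / .logout).
# Assumed path (not from the page): where the agent's environment is recorded.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent-env}"

# Extract SSH_AUTH_SOCK and SSH_AGENT_PID from text in the format printed by
# `ssh-agent -s` ("SSH_AUTH_SOCK=/path; export SSH_AUTH_SOCK;" ...).
# Prints "SOCK PID" on one line; returns 1 if either value is missing.
parse_agent_output() {
    sock=$(printf '%s\n' "$1" | sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p')
    pid=$(printf '%s\n' "$1" | sed -n 's/^SSH_AGENT_PID=\([^;]*\);.*/\1/p')
    [ -n "$sock" ] && [ -n "$pid" ] || return 1
    printf '%s %s\n' "$sock" "$pid"
}

# True only if a recorded agent exists, its process is alive, and its socket
# is still present; otherwise a stale env file must not be trusted.
agent_alive() {
    [ -r "$AGENT_ENV" ] || return 1
    . "$AGENT_ENV" >/dev/null
    [ -n "$SSH_AGENT_PID" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null \
        && [ -S "$SSH_AUTH_SOCK" ]
}

# Start an agent (or reuse a live one) and load the identity once.
set_agent() {
    if agent_alive; then
        export SSH_AUTH_SOCK SSH_AGENT_PID
        return 0
    fi
    out=$(ssh-agent -s) || return 1
    # Write with mode 0600: the file is sourced, so nobody else may edit it,
    # and the socket path should not be readable by other users.
    (umask 077; printf '%s\n' "$out" > "$AGENT_ENV") || return 1
    . "$AGENT_ENV" >/dev/null
    # Passphrase is asked here only; keys drop out of the agent after 8 hours
    # (lifetime is my choice) so a forgotten agent does not stay usable forever.
    ssh-add -t 8h
}

# Kill the recorded agent and forget its environment.
kill_agent() {
    agent_alive || return 0
    kill "$SSH_AGENT_PID" && rm -f "$AGENT_ENV"
    unset SSH_AUTH_SOCK SSH_AGENT_PID
}
```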