Here I'm, back again on SSH stuff, as you can see from my previous posts (search blogger name = "ben") OpenSSL and SSH stuff is very interesting and useful for me, so I wrote down a lot of notes on them, this time I'll show you how to connect to an SSH host without password input.

Yeah, I know, there're a lot of folks all around explaining you how to do that but I promise to make it easy 'n' dirty, without hassling you too much, just the basic steps for connecting to your remote host and make it working.

What would you do with this tutorial ? for example:

• you can ssh to your remote host without requiring a password, this is safe and secure (it uses SSH public/private keys) until you keep your private keys for yourself. A quite recurring task if you've a lot of machines to manage
• Copy files from an host to another, not only as utility but even for basic administration task, if you manage a network you know what I mean
• Grant someone access to certain hosts for his job (be careful ok ?)
• Use all the other SSL suite across hosts, this is not only for ssh or scp, all SSL suite is involved, look at my articles on SSH port forwarding for example, there are a lot of them (blogger: ben)
• Impress your boss or whatever you'd like

Ok, let's get started

Let's assume you've two hosts:
mylocal - the host from where you want to connect
myremote - the host where you want to connect to

1) From mylocal create an ssh rsa key pair for host validation, here's how: 

mylocal:~# ssh-keygen -t rsa Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again:  Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx user@mylocal
The key's randomart image is:
+--[ RSA 2048]----+
....
+-----------------+

2) Now you need to copy the public key to your remote host, do NOT copy the private key, obviously use scp to do this

mylocal:~# scp ~/.ssh/id_rsa.pub myremote:~ Password: 
id_rsa.pub                                        100%  391     0.4KB/s   00:00  

so now you've your public key copied fine, let's connect to remote host now

3) Connect to your remote machine (myremote)

mylocal:~# ssh root@myremote (root or your remote username)
Password: 
Last login: Wed May xx xx:xx:xx xxxx 2009 from mylocal on ssh
myremote ~ # 

4) Check out .ssh stuff, if .ssh dir doesn't exist you need to create it

myremote ~ # ls -la ~/.ssh ls: cannot access /root/.ssh: No such file or directory

If you get something like this you need to create the dir, so:

myremote ~ # mkdir .ssh myremote ~ # chmod 700 .ssh

5) Now copy your ssh public key into authorized keys file and delete it when finished, so:

myremote ~ # cat ~/id_rsa.pub >> .ssh/authorized_keys myremote ~ # chmod 600 .ssh/authorized_keys myremote ~ # rm id_rsa.pub

NOTE: If you've a Debian remote host you MUST use this instead:

myremote ~ # cat ~/id_rsa.pub >> .ssh/authorized_keys2 myremote ~ # chmod 600 .ssh/authorized_keys2 myremote ~ # rm id_rsa.pub

First row is used for all major distros (Gentoo in my real example), Debian users must use the second one, check your ssh man page for details on your setup (first is the most common case)

6) FINAL TEST
Ok let's go back to our local host and try to make something to see what happens:

mylocal:~# scp example.file root@myremote:/tmp/ example.file              100%  169     0.2KB/s   00:00    
mylocal:~# ssh root@myremote Last login: Wed May xx xx:xx:xx xxxx 2009 from mylocal on ssh
myremote ~ # ls -la /tmp/example.file total 1
-rwxr-xr-x  1 root root  169 May xx xx:xx example.file

Did you see it ? I'll hope so.
As you can see you can copy or connect to host without supplying passwds

Note (read)

RSAAuthentication    yes
PubkeyAuthentication yes

If you change sshd_config file with these values you need to restart ssh daemon (something like: /etc/init.d/sshd restart)

Hope it helps someone
Let me know if you need help or further suggestions
Andrea Benini Ben