Configuring Passwordless Login on Linux

On Linux, passwordless login lets you log in to a remote workstation or server using Secure Shell (SSH) without giving your password. Instead of passwords, passwordless login uses public key authentication: you set up a public and private key pair and place your public key on the remote system. This Note tells you how to create your key pair, where to put your public key and how to use an SSH agent to run the authentication. Passwordless login is useful if you want to log in and run commands on several of the School’s Linux machines, and it’s essential if you want to use MPI.

Synopsis

For passwordless login to a Linux system you need:

  • A public key and a private key. On Linux, these are in files id_rsa and id_rsa.pub in sub-directory ~/.ssh.
  • On the remote host (the one where you want to log in), an authorized_keys file, also in directory ~/.ssh that contains a copy of the public key.

So the private key file is on your local system and the public key is in authorized_keys on the remote system. But remember, if you are setting up passwordless login between Linux machines in the School, your filespace is shared between all the machines so id_rsa, id_rsa.pub and authorized_keys are all in the same ~/.ssh directory.

1. Create your key pair.

First create the keys we will use for passwordless login. The keys require a passphrase that you will need to remember. To create your keys type the following into a terminal window.

ssh-keygen -t rsa -b 4096

Think of a passphrase and type it in when prompted.

ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/cxxxxx/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/cxxxxx/.ssh/id_rsa.
Your public key has been saved in /home/cxxxxx/.ssh/id_rsa.pub.
The key fingerprint is:
0b:b9:df:bb:c7:be:6c:a4:66:58:d4:8a:4c:01:c0:5d cxxxxx@lapis
The key's randomart image is:
+--[ RSA 4096]----+
| ..o.oE |
| . . . |
| . . |
| .. . . |
| ooSo . |
| oo.o . |
| . .o + |
| ...+.+ |
| .o+*+. |
+-----------------+

2. Add public key to authorized keys.

To be able to log in to a remote system using passwordless login, your public key must be in your authorized_keys file on that system. Copy the id_rsa.pub file to the remote system. Then on the remote system type the following command to append your public key to the authorized_keys file.

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

You can do this on your local system if the local and remote systems both access the same home directory. This is the case for Linux systems in our lab.

3. Check SSH Agent

To check if an SSH agent is currently running we can type the following command:

echo $SSH_AGENT_PID

If the SSH agent is running, output similar to that below will be displayed.

echo $SSH_AGENT_PID
6568

4. Start SSH Agent.

If an SSH agent is not currently running you can start one by typing the following command:

eval $(ssh-agent -s)

You will see output similar to that below upon successful execution.

eval $(ssh-agent -s)
Agent pid 6568

5. Add your private key to the agent.

To add your private key identity to the SSH agent type the following command into a terminal. You will be prompted to enter the passphrase you set in step 1.

ssh-add

If everything has worked correctly you should see something similar to the following.

ssh-add
Enter passphrase for /home/cxxxxx/.ssh/id_rsa:
Identity added: /home/cxxxxx/.ssh/id_rsa (/home/cxxxxx/.ssh/id_rsa)

Now you can log in to another workstation using ssh without having to type your password.

Secure Shell (SSH) allows login authentication with public key cryptography using asymmetric key algorithms. Your public key, which you can make widely available, can encrypt a message which can be decrypted only by your private key.

The Secure Shell server on the remote system expects your public key to be in directory ~/.ssh (i.e. .ssh in your remote home directory). It looks for the key in the authorized_keys file.

The secure shell terminal client on your local system looks in local directory ~/.ssh for the private key in file id_rsa. The private key is normally protected by a passphrase and the authentication agent, such as ssh-agent, uses the phrase to unlock the key.

Secure Shell Terminal Client

Secure Shell (SSH) can be used to log in remotely from one Linux workstation or server in the School to another. The terminal command ssh is used to make the connection. The format of the command is:

ssh -l username remote-host-name

If you are trying to log yourself into a lab machine, or lapis, from within the School, your username is the same on the local and remote machines. So you can omit the -l username argument.

The first time that your Secure Shell command connects to a remote machine, it prompts you to accept the fingerprint of the host key (an ECDSA key in the example below). We accept the fingerprint by typing yes.

ssh -l cxxxxx labx01
The authenticity of host 'labx01 (10.72.2.74)' can't be established.
ECDSA key fingerprint is e1:3e:dc:44:d2:70:cb:53:78:e8:e7:53:ea:b7:0d:db.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'labx01,10.72.2.74' (ECDSA) to the list of known hosts.
cxxxxx@labx01's password:

The fingerprint is stored and you’ll get a warning if it ever changes unexpectedly, which is your signal that a different machine may be answering to that name. (It should change only if the workstation or server is reinstalled.)

Once you’ve accepted the fingerprint, Secure Shell prompts for your password.

Passwordless Login

Passwordless login uses public key authentication instead of your login password. You need to set up a public and private key pair and place the public key on the remote system.

Creating the Key Pair

Use the ssh-keygen command to create the public and private keys. We can tell ssh-keygen which key algorithm we want to use along with how many bits our key should have. The command creates a private key in file ~/.ssh/id_rsa and a public key file in ~/.ssh/id_rsa.pub.

To create a 4096 bit RSA key type the following command into a terminal window.

ssh-keygen -t rsa -b 4096

ssh-keygen asks you to type a passphrase, which is used to protect the private key; ssh and ssh-agent use it to unlock the key. The passphrase can contain words, spaces, punctuation or any arbitrary string of characters. A phrase between 10 and 30 characters is recommended, and it shouldn’t be a simple English sentence. You will need to remember the passphrase. A successful execution of the ssh-keygen command should look similar to the following.

ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/cxxxxx/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/cxxxxx/.ssh/id_rsa.
Your public key has been saved in /home/cxxxxx/.ssh/id_rsa.pub.
The key fingerprint is:
0b:b9:df:bb:c7:be:6c:a4:66:58:d4:8a:4c:01:c0:5d cxxxxx@lapis
The key's randomart image is:
+--[ RSA 4096]----+
| ..o.oE |
| . . . |
| . . |
| .. . . |
| ooSo . |
| oo.o . |
| . .o + |
| ...+.+ |
| .o+*+. |
+-----------------+

If you look in your .ssh directory, you will see the two files created by ssh-keygen, and a file known_hosts which contains the fingerprints of every host you have visited.

ls -l ~/.ssh
total 12
-rw------- 1 cxxxxx cxxxxx 3326 Jun 24 20:44 id_rsa
-rw-r--r-- 1 cxxxxx cxxxxx 738 Jun 24 20:44 id_rsa.pub
-rw-r--r-- 1 cxxxxx cxxxxx 444 Jun 24 21:02 known_hosts

The private key file id_rsa should be readable only by you. If the file permissions for id_rsa do not match the above then run the following command.

chmod 600 ~/.ssh/id_rsa

Authorized Keys File

To enable public key authentication, the remote host, the one you want to log into, needs to have a copy of your public key file. The Secure Shell server on the remote host will look for the public key in your account there. It looks for it in a file called ~/.ssh/authorized_keys.

This is very simple to set up on the Linux systems in the School. The Linux Lab systems and lapis share your home directory (for example, when you log in to any workstation, you see the same files). So all you need to do is append the public key file id_rsa.pub to a file called authorized_keys in the same directory.

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

Now if you list the .ssh directory, you will see four files.

ls -l .ssh/
total 16
-rw-r--r-- 1 cxxxxx cxxxxx 3326 Jun 24 21:27 authorized_keys
-rw------- 1 cxxxxx cxxxxx 3326 Jun 24 20:44 id_rsa
-rw-r--r-- 1 cxxxxx cxxxxx 738 Jun 24 20:44 id_rsa.pub
-rw-r--r-- 1 cxxxxx cxxxxx 444 Jun 24 21:02 known_hosts
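The chmod step above and the cat >> append are enough for a one-off setup, but the append is not idempotent: running it again (say, after re-reading this Note) puts a second copy of the key in authorized_keys, and a public key file without a trailing newline would glue the next key onto the same line. The following script is an added example, not part of the original Note: it tightens the permissions sshd and ssh insist on and appends a public key only if its base64 blob is not already present. The directory is passed as a parameter so it can be tried on a scratch directory, and SAMPLE_PUBKEY is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not part of the original Note: install a public key into
# authorized_keys without creating duplicate lines, and set the permissions
# sshd expects. The directory is a parameter so the functions can be tried on
# a scratch directory; SAMPLE_PUBKEY is a constructed placeholder, not a real key.

SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCexampleNOTAREALKEY0000000000== cxxxxx@lapis'

# sshd (with its default StrictModes) ignores authorized_keys if ~/.ssh or the
# file itself is writable by others, and ssh refuses a private key that other
# users can read. Tighten all of them in one go.
fix_ssh_perms() {
    ssh_dir="$1"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    [ -f "$ssh_dir/id_rsa" ] && chmod 600 "$ssh_dir/id_rsa"
    [ -f "$ssh_dir/authorized_keys" ] && chmod 600 "$ssh_dir/authorized_keys"
    return 0
}

# Exact-mode check, e.g. perms_ok ~/.ssh/id_rsa 600 (POSIX find, no GNU stat -c).
perms_ok() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# Append the key in $2 to $1/authorized_keys unless its base64 blob is already
# there. Matching on the blob in any field, rather than the whole line, means a
# key that was installed with options such as from="..." is still recognised,
# and a changed trailing comment does not cause a second copy.
install_pubkey() {
    ssh_dir="$1"
    pubkey_file="$2"
    auth="$ssh_dir/authorized_keys"
    blob=$(awk 'NR == 1 { print $2 }' "$pubkey_file")
    if [ -z "$blob" ]; then
        echo "not a public key: $pubkey_file" >&2
        return 2
    fi
    touch "$auth"
    if awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) found = 1 } END { exit !found }' "$auth"; then
        echo "already present"
        return 0
    fi
    # printf guarantees exactly one trailing newline; `cat >>` of a file that
    # lacks one would join the next key onto the same line and break both.
    printf '%s\n' "$(cat "$pubkey_file")" >> "$auth"
    chmod 600 "$auth"
    echo "installed"
}

# Demonstration on a scratch directory (nothing in the real ~/.ssh is touched).
scratch=$(mktemp -d)
printf '%s\n' "$SAMPLE_PUBKEY" > "$scratch/id_rsa.pub"
: > "$scratch/id_rsa"
fix_ssh_perms "$scratch"
install_pubkey "$scratch" "$scratch/id_rsa.pub"   # installed
install_pubkey "$scratch" "$scratch/id_rsa.pub"   # already present
wc -l < "$scratch/authorized_keys"                # 1
rm -rf "$scratch"
```

To use it on your own account, call fix_ssh_perms "$HOME/.ssh" and install_pubkey "$HOME/.ssh" "$HOME/.ssh/id_rsa.pub"; on a remote host that does not share your home directory, ssh-copy-id does the equivalent over the network.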

Once the authorized_keys file is in place, any attempt to login will result in a prompt for your passphrase.

ssh labx01
Enter passphrase for key '/home/cxxxxx/.ssh/id_rsa':

If you type the passphrase that you used to create the public/private key pair, then you will log in.

This isn’t particularly useful. In order to log in without having to type either your password or passphrase each time, you need to run an authentication agent.

SSH Agent

The program ssh-agent is an application which holds private keys for public/private key authentication used by ssh. When ssh-agent runs, it places its process identity number in an environment variable. When you use a workstation desktop, the ssh-agent is run by the login procedure and all applications on the desktop inherit the environment values and can connect to the agent.

If you have not logged in to a desktop, you will need to run the agent yourself. When you execute ssh-agent it outputs the Shell environment variable settings which allow ssh to locate the agent.

The program has to run in an unusual way so that the environment variables are set in the currently running Shell.

eval $(ssh-agent -s)

In this command, the $(command) substitutes the agent's output (the environment variable settings) into the eval command line. The eval command then executes those settings in the current shell, so they are visible to every ssh command you run from it afterwards.
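The check in step 3 (echo $SSH_AGENT_PID) only tells you that the variable is set; it can be left over from an agent that has since exited, or point at a socket that no longer exists, in which case ssh silently falls back to prompting for the passphrase. The script below is an added example, not part of the original Note: SAMPLE_AGENT_OUTPUT is a constructed copy of the text ssh-agent -s prints (the pid and socket path are placeholders, not a real agent), and the functions show what eval does with it and how to confirm the agent the environment names is actually alive.

```shell
#!/bin/sh
# Added example, not part of the original Note: what `eval $(ssh-agent -s)`
# does, and a check that the agent the environment points at is really there.
# SAMPLE_AGENT_OUTPUT is a constructed copy of ssh-agent -s output; the pid
# and socket path in it are placeholders, not from a running agent.

SAMPLE_AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-EXAMPLE/agent.6567; export SSH_AUTH_SOCK;
SSH_AGENT_PID=6568; export SSH_AGENT_PID;
echo Agent pid 6568;'

# Pull the pid out of the agent's output without eval, e.g. for a log line.
agent_pid_from_output() {
    printf '%s\n' "$1" | sed -n 's/^SSH_AGENT_PID=\([0-9]*\);.*/\1/p'
}

# Is the process in SSH_AGENT_PID (or the pid given) alive? `kill -0` sends no
# signal; it only checks that the pid exists and belongs to us.
agent_pid_alive() {
    pid="${1:-$SSH_AGENT_PID}"
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Does SSH_AUTH_SOCK (or the path given) point at a Unix socket? ssh talks to
# the agent through this socket, so a live pid alone is not enough.
agent_socket_ok() {
    sock="${1:-$SSH_AUTH_SOCK}"
    [ -n "$sock" ] && [ -S "$sock" ]
}

# Replacement for the bare `echo $SSH_AGENT_PID` check: both the process and
# the socket must be usable before ssh can get keys from the agent.
agent_status() {
    if agent_pid_alive && agent_socket_ok; then
        echo "agent running: pid $SSH_AGENT_PID, socket $SSH_AUTH_SOCK"
        return 0
    fi
    echo "no usable agent in this shell (SSH_AGENT_PID/SSH_AUTH_SOCK unset or stale)"
    return 1
}

# Demonstration. The eval runs in a subshell so any real agent settings in
# this shell are left alone; that is also why, in real use, the eval must run
# in the shell you will type ssh into, not in a subshell or a script.
(
    eval "$SAMPLE_AGENT_OUTPUT"   # prints "Agent pid 6568" and sets the two variables
    echo "pid from output: $(agent_pid_from_output "$SAMPLE_AGENT_OUTPUT")"
    agent_status || true          # placeholder pid/socket: reports no usable agent
)
```

Run agent_status in any shell where ssh is asking for your passphrase again; if it reports a stale agent, start a fresh one with eval $(ssh-agent -s) and ssh-add as in steps 4 and 5.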

Once the agent is running, you add your private key to it with the ssh-add command.

Type your passphrase when prompted.

Now the ssh command will connect without prompting for your password or passphrase.

ssh labx01
Linux labx01 2.6.32-34-generic #77-Ubuntu SMP Tue Sep 13 19:39:17 UTC 2011 x86_64 GNU/Linux
Ubuntu 10.04.3 LTS
...