A great little guide to setting up two accounts so that you don’t have to type in your password when sshing between them. btw, OS X uses OpenSSH. I don’t know what it is for other platforms.
http://bumblebee.lcs.mit.edu/ssh2
Update: the page seems to be down, but archive.org had it. hooray:
Basic Idea
No-password authentication works because of public key crypto. Let’s say you have a local machine Ooga and a remote machine Booga. You want to be able to ssh from Ooga to Booga without having to enter your password. First you generate a public/private RSA key pair on Ooga. Then you send your public key to Booga, so that Booga knows that Ooga’s key belongs to a list of authorized keys. Then when you try to ssh from Ooga to Booga, RSA authentication is performed automagically.
Here are detailed steps on how to do this.
NOTE: The following examples and scenarios assume you are creating only a single key, e.g. one RSA key or one DSA key. If it turns out that you’ve created both keys on your (client) system, then you will need to send both of them to the SSH/SSH2 server; otherwise, you may still be asked to enter a passphrase. Thanks to Steve McCarthy for pointing this out.
ssh1
If you’re using ssh1, then do this:
ooga% ssh-keygen -f ~/.ssh/identity
This will generate a public/private rsa1 key pair. When it asks you to enter your passphrase, just hit return (i.e. leave it empty). Now you need to send your public key to the remote server.
ooga% cd .ssh
ooga% scp identity.pub user@booga:~/.ssh
Now you need to log into Booga and add Ooga’s public key to Booga’s list of authorized keys.
ooga% ssh user@booga
booga% cd .ssh
booga% cat identity.pub >> authorized_keys
booga% chmod 640 authorized_keys
booga% rm -f identity.pub
That’s it! You can now ssh from Ooga to Booga without entering your password.
ssh2
It’s harder for ssh2. There are two common implementations of ssh2: OpenSSH and SSH2. Let’s say we want to ssh from Ooga to Booga. If Ooga and Booga both run the same implementation then it’s easy. Otherwise, we need to do some extra work to make them talk to each other properly.
My particular situation is that my local machine is running Windows 2000 with the Cygwin tools and OpenSSH 3.2.x. The remote machines may either have OpenSSH or SSH2. I’ll cover these two cases below.
ssh2: Ooga = OpenSSH, Booga = OpenSSH
First, generate a public/private DSA key pair on Ooga.
ooga% ssh-keygen -t dsa -f ~/.ssh/id_dsa
When you are asked for a passphrase, leave it empty. Now send the public key to Booga.
ooga% cd .ssh
ooga% scp id_dsa.pub user@booga:~/.ssh
Next, log in to Booga and add the public key to the list of authorized keys.
ooga% ssh user@booga
booga% cd .ssh
booga% cat id_dsa.pub >> authorized_keys2
booga% chmod 640 authorized_keys2
booga% rm -f id_dsa.pub
Note that the filename is authorized_keys2, not authorized_keys. That’s it; you’re ready to ssh from Ooga to Booga without having to enter a password.
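A common reason key login still falls back to a password is file permissions. The script below is an added example, not part of the original guide: it checks the mode bits OpenSSH enforces on the files created above (sshd's default StrictModes setting on the server, and the client's private-key check). The function names are hypothetical, and ownership checks are left out.

```shell
#!/bin/sh
# Added example (helper names are hypothetical, not from the tutorial).
# Checks the permission rules OpenSSH applies to the files used above.

# True if $1 is writable by group or other (mode & 022).
is_loosely_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$(printf '%s' "$mode" | cut -c6)" = "w" ] ||
        [ "$(printf '%s' "$mode" | cut -c9)" = "w" ]
}

# audit_ssh_dir HOME: print one line per problem; return 1 if any were found.
audit_ssh_dir() {
    home=$1
    bad=0
    # sshd (StrictModes) rejects the key file if it, ~/.ssh or ~ is
    # group- or world-writable.
    for p in "$home" "$home/.ssh" \
             "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
        [ -e "$p" ] || continue
        if is_loosely_writable "$p"; then
            echo "group/other-writable: $p"
            bad=1
        fi
    done
    # The ssh client ignores a private key with any group/other bit set
    # (mode & 077).
    for k in "$home/.ssh/identity" "$home/.ssh/id_dsa"; do
        [ -f "$k" ] || continue
        if [ "$(ls -ld "$k" | cut -c5-10)" != "------" ]; then
            echo "private key open to group/other: $k"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed demo: a throwaway home directory laid out like Booga's.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && chmod 700 "$demo/.ssh"
: > "$demo/.ssh/authorized_keys2"
chmod 640 "$demo/.ssh/authorized_keys2"   # the tutorial's mode: accepted
audit_ssh_dir "$demo" && echo "640: ok"
chmod 660 "$demo/.ssh/authorized_keys2"   # group-writable: sshd falls back to password
audit_ssh_dir "$demo" || echo "660: rejected"
rm -rf "$demo"
```

Run `audit_ssh_dir "$HOME"` on Booga to check the server-side files and on Ooga to check the private key.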
ssh2: Ooga = OpenSSH, Booga = SSH2
First, generate a public/private DSA key pair on Ooga.
ooga% ssh-keygen -t dsa -f ~/.ssh/id_dsa
When you are asked for a passphrase, leave it empty. This key is stored in a format that OpenSSH can use, but SSH2 cannot. You need to export the key to a format that SSH2 understands.
ooga% ssh-keygen -e -f .ssh/id_dsa.pub > id_dsa_ssh2_ooga.pub
Note: the exact flags you need to specify may differ in your case. Check the man pages if the line above doesn’t work. Now send the exported public key to Booga.
ooga% scp id_dsa_ssh2_ooga.pub user@booga:~/.ssh2/
Note: the target directory is .ssh2, not .ssh. Next, log in to Booga and add the public key to the list of authorized keys.
ooga% ssh user@booga
booga% cd .ssh2
booga% cat >> authorization key id_dsa_ssh2_ooga.pub
booga% chmod 640 authorization
For SSH2, there is an authorization file in which you list the file names of the authorized public keys. Note that this step is different than the case in which Booga is running OpenSSH.
Now you are ready to ssh from Ooga to Booga without having to enter a password.
Thanks for the clear and simple tutorial/explanation. I’ve read other attempts that fumbled with varying rsa implementations but they never worked out of the box. This solution did!
I’m trying to ssh, without passwords, from a Solaris 9 server running Solaris SSH2 to an AIX box running Openssh (SSH2). Do you have a procedure for this traffic direction?
Thanks
Steve
Good Lord, you’d think there’d be more of this description of the vagaries of .ssh vs. .ssh2 stuff. Thank you VERY much!!
I’m still asked for password. Having ssh2 on both sides
Easter Island is nice but I miss the ostrich; and though by now I’ve memorized the steps for the most part, I’ve also lost count of how many times I’ve referred to this excellent tutorial. Thank you kindly!
Glad you appreciate it Chris.
I changed my theme again — let me know what you think
Hey,
First I wanted to say thanks for the tutorial.
Second I wanted to point out a small mistake for the case:
ssh2: Ooga = OpenSSH, Booga = SSH2
the command should be
booga% echo >> authorization 'key id_dsa_ssh2_ooga.pub'
versus the current
booga% cat >> authorization key id_dsa_ssh2_ooga.pub
-A