Setting up passwordless SSH logins
sshpasswordlesssecuritylinux2016-06-01 - carpie

If you access remote machines through SSH a lot, it gets to be a real pain to type in your password over and over. Fortunately, we can easily eliminate the need to keep typing those passwords and increase the security of SSH login process at the same time!

SSH keys

The key (see what I did there?) to eliminating the need to constantly re-type your password is using SSH keys to log in. When you generate an SSH key, you are creating a public/private key pair. The private side, you need to physically protect. The public side is, well, public. Anyone can know it. For our use case, the remote host we are trying to log in to needs to know it. So the procedure goes like this. We tell the remote host about our public key. When we log in with SSH, the remote host challenges our client using a challenge encrypted with the public key(s). If our client can decrypt that challenge successfully, it is allowed access to the server. This means our password is never transmitted to the server, so there is no chance of it being sniffed. Furthermore, you could take the extra step of turning off password authentication on the server (e.g. allowing only keys) and stop brute-force password guessing attacks against the server. And best of all, we extend the life of our fingers by saving those password key strokes ;)

Generating a key pair

Before we make that key pair, we need to make sure we have a place to store it. The canonical place to store ssh keys is ~/.ssh, so make sure that exists and only you have read access. If not, do:

mkdir ~/.ssh
chmod 700 ~/.ssh

Now we can now generate our key pair (on the machine we want to log in from). The session will look something like:

cd ~/.ssh
ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): <your passphrase - not shown>
Enter same passphrase again: <your passphrase again - not shown>
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
e1:a8:bd:e6:5c:7b:d1:93:a1:a6:78:a4:a3:4d:b1:25 user@example
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|        .        |
|       o .  .    |
|      E S  o o   |
|     o =. + +    |
|    . ++.o . .   |
|     +=oo..      |
|    .+=o..       |
+-----------------+

You can use the defaults and a passphrase of your choosing. Passphrase? What? You said passwordless logins?!? Ok, ok, calm down. Before you go off ranting about misleading headlines, the log in to the server is passwordless. Your private key still needs a passphrase. Here's why. While you could truly make the keys above without a passphrase, that would mean, if anyone ever got to your private key, they would have unlimited log in access to any server that authenticates you with the public key! With a passphrase, even if they stole your private key, they would still have to crack your passphrase to get access to your remote machines. At the very least that would buy you time to reverse this process and create new keys. Don't worry, in most cases you'll only need to type that passphrase in once per client session. We will revisit this later...

So now you should have two new keys in your ~/.ssh folder, id_rsa and id_rsa.pub. id_rsa.pub is your public key. id_rsa is your passphrase-protected private key.

Configure remote machine to accept our key

All you have to do to use this key instead of a username/password is append a copy of the public key's contents in the remote host's ~/.ssh/authorized_keys file. That's pretty easy, but there's an even easier way to do the same thing. From your local machine:

ssh-copy-id -i ~/.ssh/id_rsa remote_machine

This will allow you to log in with a username and password to a machine named remote_machine (you can also use an IP instead of a host name) and it will automatically append the public key to the remote machine's authorized_keys file, creating it if necessary.

The remote machine should now allow you to log in. You will have to use the passphrase of your public key to log in however. Try it:

ssh remote_machine

About that passphrase

The purpose of setting all this up was to keep from having to type passwords to connect. It seems we've traded one password for another. Well, we have, but there are other utilities that come to our rescue. If you are running a desktop environment on your local machine (such as GNOME, KDE, Cinnamon, etc), it will mostly like be using a "key ring" that is opened when you log in and caches your passwords. This means you should only have to type your passphrase once. After that, it will be stored in your key ring and you will not have to type it again. (This assumes, of course, that you say "yes" if your DE asks you if you want to save the password.) For graphical environments, this just works.

Passphrase caching on non-graphical machines

If you are in the situation of performing your ssh sessions from a server, or other non-graphical desktop environments, there is an SSH utility called ssh-agent that you can use to cache your passphrase. Here's how it works. Run this once (enter your passphrase when prompted):

eval `ssh-agent -s`
ssh add

If you get an error, make sure you type the back ticks in the command above. After this you can ssh to remote machines who have your public key in their authorized_keys file.

ssh remote_machine

You should not have to type your passphrase again until you exit the shell you started the agent in. The first set of commands will have to be repeated every time you log in however.

Summary

In this article, we learned how to use public/private keys to log in to remote machines through SSH. We discussed reasons we may want to do this. We learned to make use of our graphical desktop environment's key rings to save us from having to type the passphrases to our keys too many times. We also discussed a means to cache our passphrases on non-graphical systems. We are going save some keystrokes and in time, our fingers will thank us!