From Devpit

Secure passwordless ssh with keys and keychain

Ok, here we go. First, we need to create our public and private key pair. Give it a good passphrase: something easy to remember, but longer than 10 characters. A simple sentence does the trick nicely. One caveat before you type the command below: the DSA keys this page was written around are disabled by default since OpenSSH 7.0 and removed from current releases, so on a modern system use -t ed25519 instead of -t dsa (the files are then called id_ed25519 and id_ed25519.pub) and read the file names in the rest of this page accordingly.

% ssh-keygen -t dsa

That will create two files in your ~/.ssh folder.

% ls -l ~/.ssh
-rwx------  1 drue  drue    736 Jan 16  2004 id_dsa         # SSH2 private key
-rwxr-xr-x  1 drue  drue    605 Jan 16  2004     # SSH2 public key

Now, to authorize these keys for login on this system, you need to append the .pub file to authorized_keys. Append rather than overwrite, so that keys already authorized on the machine survive. sshd's StrictModes (on by default) also insists that ~/.ssh is mode 0700 and authorized_keys is not writable by anyone but you, or the key is silently ignored. This should do the trick:

% cd ~/.ssh
% cat *.pub >> authorized_keys

Alright, now, any server you want passwordless access to needs a copy of that public key: append it to the remote ~/.ssh/authorized_keys (ssh-copy-id does exactly that, with the right permissions) rather than clobbering whatever is already there. Notice that we are not copying your encrypted private key: it never leaves your workstation.
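As an added example (not part of the original page), here is the key-setup procedure above as a script that runs unattended in a throwaway directory, using ed25519 instead of the page's DSA and appending to authorized_keys instead of overwriting it. It assumes OpenSSH's ssh-keygen is installed. The passphrase and the demo directory are hypothetical; the passphrase is passed with -N only so the example runs without a prompt, which you would not do for a real key.

```shell
#!/bin/sh
# Added example, not from the original page. Runs the key-setup steps
# unattended in a throwaway directory. Assumes ssh-keygen (OpenSSH) exists.
set -eu

# Generate an ed25519 key pair in $1 (the page used DSA, which current
# OpenSSH no longer accepts). The passphrase is hypothetical and is given
# with -N only so this runs without a prompt; for a real key, omit -N and
# type it when asked.
make_key() {
    dir=$1
    mkdir -p "$dir"
    chmod 700 "$dir"                         # sshd's StrictModes wants 0700 here
    ssh-keygen -q -t ed25519 -C "demo key" \
        -N 'correct horse battery staple' -f "$dir/id_ed25519"
}

# Append (not overwrite: '>>' rather than '>') the public key to
# authorized_keys, then set the 0600 mode StrictModes requires.
authorize_key() {
    dir=$1
    cat "$dir/id_ed25519.pub" >> "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
}

# Print the SHA256 fingerprint of every key in a .pub or authorized_keys file.
fingerprints() {
    ssh-keygen -l -f "$1" | awk '{ print $2 }'
}

# Verify the result the way a login would: the public key's fingerprint
# must appear in authorized_keys and the private key must be mode 0600.
# Returns 0 when both hold, 1 otherwise.
verify_setup() {
    dir=$1
    pub_fp=$(fingerprints "$dir/id_ed25519.pub")
    fingerprints "$dir/authorized_keys" | grep -qx "$pub_fp" || return 1
    [ "$(ls -l "$dir/id_ed25519" | cut -c1-10)" = "-rw-------" ] || return 1
}

# Stand-alone demo: ./keysetup.sh --demo
if [ "${1-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    make_key "$demo_dir"
    authorize_key "$demo_dir"
    verify_setup "$demo_dir" && echo "key pair authorized in $demo_dir"
fi
```

Running verify_setup after copying the public key to a real server (against that server's ~/.ssh/authorized_keys and your local private key) tells you whether a login failure is a missing key or a permissions problem before you start reading sshd's logs.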

Now, if you try to ssh to a machine that you copied your key to, you will be prompted for the passphrase on every connection. Drag! Worry not, the trick is to use keychain. keychain starts an ssh-agent that survives your login sessions and holds the decrypted key _in memory_. That means your passphrase is never written anywhere on the system, and that you enter it once per reboot (once per agent lifetime) instead of once per connection. Bear in mind that anyone who gets root, or your uid, on the workstation can use the running agent, so the passphrase protects the key file on disk, not a machine that is already compromised. Nonetheless, let's get on with it.

For bash, edit your .bashrc file and add the following two lines (list the key files you actually have; keychain warns about any it cannot find):

keychain --quiet id_rsa id_dsa
. ~/.keychain/$HOSTNAME-sh

One nice additional feature is ForwardAgent: it lets you move from server to server without redoing all this business, because the ssh client on the remote host talks back to the agent on your workstation. It is also a real risk: root on any host you forward to can use your agent, and therefore your keys, for as long as you are logged in there. The stanza below enables it for every host, which is convenient on a handful of machines you administer yourself; on shared or less trusted hosts, narrow the host pattern to the machines you actually hop through, and remember that ssh_config takes the first value it finds for an option, so more specific Host entries must come before host *. Create a ~/.ssh/config if it doesn't exist, and add the following:

host *
        ForwardAgent yes
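As an added example (not part of the original page), the script below writes a narrower ForwardAgent policy than the host * stanza above and includes a check that flags a config which forwards the agent to every host. The host names are hypothetical, and the check assumes the usual "keyword value" spelling of ssh_config directives rather than "keyword=value".

```shell
#!/bin/sh
# Added example, not from the original page. Writes a hardened ForwardAgent
# policy and checks a config for agent forwarding to all hosts.
# Host names are hypothetical.
set -eu

# Write a hardened ~/.ssh/config to $1. ssh_config takes the FIRST value it
# finds for each option, so the specific hosts must come before "Host *".
write_hardened_config() {
    cat > "$1" <<'EOF'
# Only the bastion we administer ourselves gets to use the agent
# (hypothetical host name).
Host bastion.example.com
    ForwardAgent yes

# Hosts behind the bastion are reached with ProxyJump instead: the
# workstation authenticates both hops itself, so nothing on the bastion
# ever sees the agent.
Host *.internal.example.com
    ProxyJump bastion.example.com

# Everything else: no agent forwarding.
Host *
    ForwardAgent no
EOF
}

# Return 0 if the config in $1 enables ForwardAgent for all hosts, i.e. under
# a bare "Host *" block or before any Host/Match line (which also applies
# globally); return 1 otherwise. Assumes "keyword value" syntax.
forwards_agent_globally() {
    awk '
        BEGIN { global = 1 }                     # before any Host line: global
        /^[[:space:]]*#/ || NF == 0 { next }     # skip comments and blanks
        tolower($1) == "host" || tolower($1) == "match" {
            global = (tolower($1) == "host" && NF == 2 && $2 == "*")
            next
        }
        global && tolower($1) == "forwardagent" && tolower($2) == "yes" {
            found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Stand-alone demo: ./agentcheck.sh --demo
if [ "${1-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf 'host *\n        ForwardAgent yes\n' > "$tmp/weak"   # the page's stanza
    write_hardened_config "$tmp/hardened"
    for f in weak hardened; do
        if forwards_agent_globally "$tmp/$f"; then
            echo "$f: forwards the agent to every host"
        else
            echo "$f: ok"
        fi
    done
    rm -r "$tmp"
fi
```

With ProxyJump in place you get the hop-to-hop convenience the page is after without ever exposing the agent to the intermediate host, so ForwardAgent yes is only needed where a program on the remote side genuinely has to authenticate as you (a git push from the bastion, say).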
