Monday, January 4, 2010

Linux: secure login without entering password (Part 2)

If you have supplied a passphrase when you generated your pair of private and public keys (see Part 1 for how to generate the keys), you would need to enter the passphrase each time you ssh login to the remote machine. If you think that is painful, you need the program ssh-agent. It can hold the private key and help to authenticate without asking for the passphrase every time.

Case 1
If you are using a GUI desktop, ssh-agent is usually started up for you. You just need to run
to add your private key to it. ssh-add would ask you to input the passphrase for your private key. You just need to input the passphrase once here. After that, you can ssh to the remote machine without inputting the passphrase.

If you get an error message from running ssh-add:
        Could not open a connection to your authentication agent.
you have to start ssh-agent manually as in Case 2 below.

Case 2
If you are using a console, you need to manually start ssh-agent. If you are using bash/ksh/sh, run
        eval `ssh-agent -s`
or if you are using csh, run
        eval `ssh-agent -c`
Please note that you should use backquote(`) in the command, not a single quotation mark(').

Then you can run ssh-add on the same terminal to add your private key. On this terminal, you can then ssh to the remote machine without entering the passphrase.

When you run ssh on another terminal, you would still be asked for the passphrase. That is because environmental variables SSH_AUTH_SOCK and SSH_AGENT_PID were set on that terminal when we started ssh-agent, and any other terminals do not know these environmental variables. However, any new terminals opened from the same terminal which we started ssh-agent will inherit the environmental variables, so we could ssh from them to the remote machine without entering the passphrase.

No comments:

Get This <