The ONL NPR Tutorial

NPR Tutorial >> Summary Information

TOC

Password-Free SSH

This page explains how to avoid having to type in your password every time you connect to a host using SSH. If you want more information, do a Google search for "password-free SSH" or "password-less SSH". The ONL hosts use Open SSH. This fact is important because it determines how to generate your identity keys. In fact, if your client is running Open SSH already, the setup is close to trivial. Note that both the Open SSH keygen command and the PuTTY key generator can convert a key to Open SSH key format.

In short, this is what you have to do:

• Create your identity on your client
Your identity is a private/public key pair. You will use a command (e.g., ssh-keygen) or a tool (e.g., PuTTYgen) to generate the key pair.
• Copy your public key to the ONL user host
The ONL server is the remote host to which you want to connect. When you attempt to connect to that host, it will tell your client to prove that it has the matching private key. It does this by sending an a message encrypted with the public key (that it knows). Your client uses its corresponding private key to decrypt the encrypted message and responds to the remote host with the decrypted message. The remote host accepts the connection if the reply message matches the original message.
• Start your SSH agent
The agent is a daemon process that caches private keys and listens for requests from SSH clients needing a private key related computation. In many Unix systems, the SSH agent is automatically started for you before you login or as you login.
• Add your private key to your SSH agent's cache
This is done by the ssh-add command or through PuTTY's Pageant by selecting "Add Key". This is only done once after you start the SSH agent. The process will ask you for your passphrase which is used to decrypt the private key which is then held in main memory by the agent.

	ssh -version			# Is it some version of Open SSH?
	which ssh-agent			# Is there an SSH agent executable?
	which ssh-add			# Is there a program for adding
					#   keys to the agent?
	printenv | grep SSH_AGENT_PID	# SSH agent already running?

1. Open SSH client
2. PuTTY client
3. Non-Open SSH client
4. Commercial but free for educational use SSH client

1. Create your identity on your client

	mkdir ~/.ssh		# only if you don't already have this dir
	cd ~/.ssh
	ssh-keygen -t dsa	# create ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub
  	

ssh-keygen will ask you for a passphrase to protect your private key. Choose something that is 10 or more characters containing a mix of upper and lower case letters, digits and punctuation that is not too hard to remember (e.g., a sentence with punctuation).
2. Copy your public key to the ONL user host

	scp ~/.ssh/id_dsa.pub YOUR_LOGIN@onl.arl.wustl.edu:pubkey.txt
	ssh YOUR_LOGIN@onl.arl.wustl.edu
				# onl user host will prompt for a password
	mkdir ~/.ssh		# only if you don't already have this dir
	chmod 700 .ssh		# only you should be able to rwx this dir
	cat pubkey.txt >> ~/.ssh/authorized_keys	# add public key
	rm pubkey.txt		# cleanup
	

Replace YOUR_LOGIN with your login name. Make sure that you are copying the public key (NOT private) to the remote host onl.arl.wustl.edu. If you now try to SSH to onl.arl.wustl.edu, the onl user host (currently onl03) will ask you for your passphrase instead of your password because you have added your public key to the authorized_keys file. (NOTE: You SSH to onl.arl.wustl.edu, but the remote ONL host will have a specific name such as onl03 which will show up in your command line prompt.)
3. Start your SSH agent

	eval `ssh-agent`
	

Notice that we are using backquotes, NOT the normal forward quote characters. The SSH agent is now running. The agent has outputted two commands on stdout, and when evaluated by the shell defined two environment variables: SSH_AUTH_SOCK and SSH_AGENT_PID . Enter the command "printenv | grep SSH_A", and you will get output that looks like:

	SSH_AUTH_SOCK=/tmp/ssh-sTNf2142/agent.2142
	SSH_AGENT_PID=2143
	

which says that process 2143 is the ssh-agent and it is listening for requests on the Unix Domain socket /tmp/ssh-sTNf2142/agent.2142.
4. Add your private key to your SSH agent's cache

	ssh-add		# respond with your paraphrase
	

This adds your private key to the list of private keys held by ssh-agent. You can now verify that you can ssh to onl.arl.wustl.edu without a password (or paraphrase) by enterring the command "ssh onl.arl.wustl.edu". In fact, any subshell of the current shell will not need to enter a password when SSHing to onl.arl.wustl.edu as long as the agent is running because the SSH environment variables are passed to all children of the current shell.

But if you have gotten this far, you might as well make it really convenient to start/stop the SSH agent by starting the SSH agent as a parent of your login session. For example, you can add one of the following lines to your ~/.xsession file making the terminal session a subprocess of ssh-agent:

	ssh-agent startkde
	ssh-agent gnome-session

1. Install PuTTY:

   PuTTY is a free implementation of Telnet and SSH for Win32 and Unix by Simon Tathum. You should be able to get PuTTY software at www.chiark.greenend.org.uk/~sgtatham/putty/ or do a Google search. We use PuTTY on Windows systems although it can also be used on Unix. If you are running Linux, you should already have all the tools you need since it normally comes with Open SSH. You will need as a minimum PuTTY (telnet and SSH client), Pageant (authentication agent) and PuTTYgen (key generation utility), but you might as well get all of the PuTTY tools. Follow the installation instructions.

2. Configure PuTTY

   Run PuTTY, and you will get a window like the one shown to the right. Adjust the following categories: Session: Check the SSH protocol, and enter onl.arl.wustl.edu in the Host Name (or IP Address) box. Connection: Enter your auto-login name. The figure to the right shows that I entered ken as my auto-login name. Connection => SSH : Select SSH version 2 (not shown). Connection => SSH => Auth : Check Allow agent forwarding (as shown to the right).

   Session: Fill out the Saved Sessions section. The figure to the right shows that I enterred ken settings into the top Save Session dialogue box and selected Save to save the current settings. The new label is shown in the second Save Session box along with the other saved sessions.

   You can test this setting by selecting ken settings, and select Load. A PuTTY command window should appear prompting you for your password. No login name will be requested because the above setup has defined your auto-login name. Now, we can move on to removing the need to enter the password.

3. Create your identity on your client

   Run puttygen

   You should see a window like the partially hidden one to the right.

   Select SSH2 DSA

   as the type of key to generate

   Select Generate

   While your public/private key pair is being generated, you should move the mouse around in the Public key for pasting ... window (PuTTY will ask you to do this). This movement will be used in generating the public/private keys.

   
   Enter a Key Passphrase and Confirm the Passphrase

   Choose something that is 10 or more characters containing a mix of upper and lower case letters, digits and punctuation that is not too hard to remember (e.g., a sentence with punctuation).

   Select Save public key

   Select a place to save the public key such as your home directory or a subdirectory such as .ssh. These instructions will assume that you saved the public key to the file ~/.ssh/id_dsa.pub.

   Select Save private key

   Save the private key in the same directory as the public key (e.g., ~/.ssh/id_dsa.priv).

4. Copy your public key to the ONL server

   The public key that you want to copy to the ONL server is the one shown in the Public key for pasting ... window. The format shown in that window is a little different than what is saved in the ~/.ssh/id_dsa.pub file. Use notepad or word to create the text (ASCII) file (e.g., pubkey.txt) for copying to the ONL server. Then, do the following:

   	scp ~/.ssh/pubkey.txt YOUR_LOGIN@onl.arl.wustl.edu:pubkey.txt
   	ssh YOUR_LOGIN@onl.arl.wustl.edu
   				# onl user host will prompt for a password
   	mkdir ~/.ssh		# only if you don't already have this dir
   	chmod 700 .ssh		# only you should be able to rwx this dir
   	cat pubkey.txt >> ~/.ssh/authorized_keys	# add public key
   	rm pubkey.txt		# cleanup
   	

   Replace YOUR_LOGIN with your login name. Make sure that you are copying the public key (NOT private) to the remote host. (NOTE: You SSH to onl.arl.wustl.edu, but the remote ONL host will have a specific name such as onl03 which will show up in your command line prompt.)

   Now, try to test the PuTTY SSH connection to onl.arl.wustl.edu.

   • Run PuTTY.
   • Load your saved session.
   • Select open

     If all goes well, a window to the ONL server will appear which does prompt for your login name but DOES prompt for your paraphrase.

   • Enter your paraphrase

     Now, if we run the PuTTY authentication agent pageant, we will also avoid the paraphrase prompt!

5. Start your SSH agent

   Run pageant You can do this from the Start menu or from your desktop. The pageant icon will appear in the task bar (as shown to the right).

6. Add your private key to your SSH agent's cache

   Right click the pageant icon in the task bar to get a menu. Select Add key and the large window shown to the right will appear. Open the private key file and a dialogue box asking for your paraphrase will appear. Enter your paraphrase and select OK.

   Your PuTTY authentication agent will now work with PuTTY to authenticate you to the ONL server. You should now be able to connect to the ONL server without any prompts.

The basic difference here is that since your client is a non-Open SSH client, it will generate a public/private key pair in SECSH format instead of OpenSSH format which is used by the ONL server. So, you will need to produce an Open SSH public key that will be included in the SSH authorization file on the ONL server. But the Open SSH version of ssh-keygen running on all of the ONL hosts can translate between the two key formats. In short, you will need to do the following:

• Generate a public/private key pair (your identity) on your client host.
• Translate the public key (SECSH format) to OpenSSH format and append the OpenSSH format public key to the ONL server's authorized keys file.
• Tell the client which file to use as your identity.
• Start your SSH agent
• Add your private key to your SSH agent's cache

1. Create your identity on your client
   Your identity is a private/public key pair. You will use a command (e.g., ssh-keygen) or a tool to generate the key pair. This will produce two files named usually by default as id_dsa_2048_a and id_dsa_2048_a.pub which are in SECSH format.
2. Translate the public key (SECSH format) to OpenSSH format ....
   • Use the ONL server to translate your id_dsa_2048_a.pub file to OpenSSH format:

     	CLIENT> scp id_dsa_2048_a.pub ONL:
     	CLIENT> ssh ONL
     	ONL>    ssh-keygen -if id_dsa_2048_a.pub > pubkey.txt
     

     Replace CLIENT and ONL with the real host names.
   • Append the public key to your ONL authorized keys file.

     	ONL>  cd ~/.ssh
     	ONL>  cat pubkey.txt >> ~/.ssh/authorized_keys	# add public key
     

3. Tell the client which file to use as your identity.

   	CLIENT> echo 'IdKey id_dsa_2048_a' > ~/.ssh2/identification
   

Using this client is much like using PuTTY except that this client uses keys that are in SECSH format; i.e., the tool looks like PuTTY but you will need to translate the public key to OpenSSH format.

NPR Tutorial >> Summary Information	TOC