The ONL Tutorial


Password-Free SSH

This page explains how to avoid typing your password every time you connect to a host with SSH. If you want more information, do a Google search for "password-free SSH" or "password-less SSH". The ONL hosts run Open SSH. This fact matters because it determines the format in which you must generate your identity keys. If your client is already running Open SSH, the setup is close to trivial. Note that both the Open SSH keygen command and the PuTTY key generator can convert a key to Open SSH key format.

In short, you create an identity (a public/private key pair) on your client, copy the public key to the ONL user host, start an SSH agent and add your private key to the agent's cache.

If you are running Unix or Cygwin, first check whether you already have Open SSH installed and whether an SSH agent is already running:
	ssh -V				# Is it some version of Open SSH?
	which ssh-agent			# Is there an SSH agent executable?
	which ssh-add			# Is there a program for adding
					#   keys to the agent?
	printenv | grep SSH_AGENT_PID	# SSH agent already running?
This page gives recipes for these steps in the following cases:
  1. Open SSH client
  2. PuTTY client
  3. Non-Open SSH client
  4. Commercial but free for educational use SSH client
Skip ahead to the appropriate section.

Open SSH Client

  1. Create your identity on your client
  2. Copy your public key to the ONL user host
  3. Start your SSH agent
  4. Add your private key to your SSH agent's cache
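On an Open SSH client, steps 3 and 4 are normally eval "$(ssh-agent -s)" followed by ssh-add ~/.ssh/id_dsa. The shell functions below are an added example and not part of the ONL tutorial: they perform the "SSH agent already running?" check more carefully than grepping for SSH_AGENT_PID, because a shell can inherit SSH_AGENT_PID and SSH_AUTH_SOCK from an agent that has since exited (for example after logging out of the session that started it). Only an agent whose process is alive and whose socket still exists is reused; otherwise a new one is started. The function names are mine; the key file name follows the tutorial's ~/.ssh/id_dsa.

```sh
#!/bin/sh
# Added example (not from the ONL tutorial): reuse a live ssh-agent or start one.
# Assumes a POSIX sh and, for ensure_agent, an Open SSH ssh-agent in PATH.

# agent_alive [PID [SOCKET]]
# Returns 0 if a usable agent is reachable, 1 otherwise. PID and SOCKET default
# to SSH_AGENT_PID and SSH_AUTH_SOCK from the environment; both are verified
# rather than trusted, since inherited values can outlive the agent.
agent_alive() {
    pid=${1:-${SSH_AGENT_PID:-}}
    sock=${2:-${SSH_AUTH_SOCK:-}}
    [ -n "$pid" ] && [ -n "$sock" ] || return 1
    # The agent process must still exist (signal 0 only tests for existence) ...
    kill -0 "$pid" 2>/dev/null || return 1
    # ... and the socket ssh uses to talk to it must still be a socket on disk.
    [ -S "$sock" ] || return 1
    return 0
}

# ensure_agent
# Starts an agent only when none is reachable. "ssh-agent -s" prints sh-style
# export lines for SSH_AUTH_SOCK and SSH_AGENT_PID; eval puts them in this shell.
ensure_agent() {
    if agent_alive; then
        echo "using existing agent (pid $SSH_AGENT_PID)"
        return 0
    fi
    unset SSH_AGENT_PID SSH_AUTH_SOCK        # drop stale values before starting
    if ! command -v ssh-agent >/dev/null 2>&1; then
        echo "ssh-agent not found; is Open SSH installed?" >&2
        return 1
    fi
    eval "$(ssh-agent -s)" >/dev/null
    agent_alive
}

# Interactive use: source this file (". ./agent.sh") so the exported variables
# land in your own shell, then:
#   ensure_agent && ssh-add ~/.ssh/id_dsa
```

Because the agent's variables must end up in the shell you type into, the file has to be sourced rather than executed; a script run as a child process would set them only for itself.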

But if you have gotten this far, you might as well make starting and stopping the SSH agent really convenient by running the agent as the parent of your login session. For example, you can add one of the following lines to your ~/.xsession file, which makes your whole desktop session a subprocess of ssh-agent:

	ssh-agent startkde
	ssh-agent gnome-session
Now, any process you create will inherit the SSH environment variables that let ssh communicate with the agent, and the ssh-agent process will exit automatically when you log out.

PuTTY Client
  1. Install PuTTY:

    PuTTY is a free implementation of Telnet and SSH for Win32 and Unix by Simon Tatham. You should be able to get the PuTTY software at www.chiark.greenend.org.uk/~sgtatham/putty/ or by doing a Google search. We use PuTTY on Windows systems, although it can also be used on Unix. If you are running Linux, you should already have all the tools you need, since it normally comes with Open SSH. You will need, as a minimum, PuTTY (telnet and SSH client), Pageant (authentication agent) and PuTTYgen (key generation utility), but you might as well get all of the PuTTY tools. Follow the installation instructions.

  2. Configure PuTTY
    Run PuTTY, and you will get a window like the one shown to the right. Adjust the following categories:

    Session:
    Check the SSH protocol, and enter onl.arl.wustl.edu in the Host Name (or IP Address) box.
    Connection:
    Enter your auto-login name. The figure to the right shows that I entered ken as my auto-login name.
    Connection => SSH:
    Select SSH version 2 (not shown).
    Connection => SSH => Auth:
    Check Allow agent forwarding (as shown to the right). Agent forwarding lets programs on the ONL host authenticate with the keys held by your local agent (the private key file itself never leaves your machine), so enable it only for hosts you trust.
    Session:
    Fill out the Saved Sessions section. The figure to the right shows that I entered ken settings into the top Save Session dialogue box and selected Save to save the current settings. The new label is shown in the second Save Session box along with the other saved sessions.

    You can test this setting by selecting ken settings and then Load. A PuTTY command window should appear prompting you for your password. No login name will be requested, because the above setup has defined your auto-login name. Now we can move on to removing the need to enter the password.

  3. Create your identity on your client

    • Run puttygen. You should see a window like the partially hidden one to the right.
    • Select SSH2 DSA as the type of key to generate.
    • Select Generate. While your public/private key pair is being generated, move the mouse around in the Public key for pasting ... window (PuTTY will ask you to do this); the movement is used as randomness for generating the key pair.
    • Enter a Key Passphrase and Confirm the Passphrase. Choose something of 10 or more characters containing a mix of upper and lower case letters, digits and punctuation that is not too hard to remember (e.g., a sentence with punctuation).
    • Select Save public key, and choose a place to save it such as your home directory or a subdirectory such as .ssh. These instructions assume that you saved the public key to the file ~/.ssh/id_dsa.pub.
    • Select Save private key, and save the private key in the same directory as the public key (e.g., ~/.ssh/id_dsa.priv).

  4. Copy your public key to the ONL server

    The public key that you want to copy to the ONL server is the one shown in the Public key for pasting ... window. It is a single line, whereas the file saved as ~/.ssh/id_dsa.pub is in a different, multi-line format, and it is the single-line form that the ONL server expects. Use Notepad (or Word, saving as plain text) to create a text (ASCII) file (e.g., pubkey.txt) containing that line for copying to the ONL server. Then do the following:

    	scp ~/.ssh/pubkey.txt YOUR_LOGIN@onl.arl.wustl.edu:pubkey.txt
    	ssh YOUR_LOGIN@onl.arl.wustl.edu
    				# onl user host will prompt for a password
    	mkdir ~/.ssh		# only if you don't already have this dir
    	chmod 700 ~/.ssh	# only you should be able to rwx this dir
    	cat pubkey.txt >> ~/.ssh/authorized_keys	# add public key
    	chmod 600 ~/.ssh/authorized_keys	# sshd rejects the file if others can write it
    	rm pubkey.txt		# cleanup
    Replace YOUR_LOGIN with your login name. Make sure that you are copying the public key (NOT private) to the remote host. (NOTE: You SSH to onl.arl.wustl.edu, but the remote ONL host will have a specific name such as onl03 which will show up in your command line prompt.)

    Now, try to test the PuTTY SSH connection to onl.arl.wustl.edu.
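    The commands above do the job but check nothing. The function below is an added example and not part of the ONL tutorial: it performs the same "append to ~/.ssh/authorized_keys" step with the checks a careful user wants first, namely that the file really is a one-line OpenSSH public key (not the private key, and not the multi-line SECSH file that PuTTYgen's Save public key writes), that ~/.ssh and authorized_keys get the 700/600 modes that sshd's StrictModes insists on, and that running it twice does not append the same key twice. The function name, the option of passing a scratch directory instead of ~/.ssh, and the constructed key line in the comments are mine.

```sh
#!/bin/sh
# Added example (not from the ONL tutorial): append an OpenSSH public key to
# authorized_keys safely. Needs only POSIX sh, mkdir, chmod, touch and grep.

# install_authorized_key PUBKEY_FILE [SSH_DIR]
# Appends the one-line OpenSSH public key(s) in PUBKEY_FILE to
# SSH_DIR/authorized_keys (default ~/.ssh) with the modes sshd requires.
# A constructed (NOT real) key line that passes the check looks like:
#   ssh-dss AAAAB3NzaC1kc3MAAACBAPlaceholderKeyMaterialNotARealKey0123456789+/= ken@client
install_authorized_key() {
    pubkey=$1
    sshdir=${2:-$HOME/.ssh}
    authfile=$sshdir/authorized_keys

    [ -r "$pubkey" ] || { echo "cannot read $pubkey" >&2; return 1; }

    # Refuse anything that is not a one-line OpenSSH public key. This catches the
    # two classic mistakes: copying the PRIVATE key, and copying the multi-line
    # SECSH ("SSH2") file that PuTTYgen's "Save public key" writes.
    if grep -q 'PRIVATE KEY' "$pubkey"; then
        echo "$pubkey looks like a PRIVATE key; copy the public key instead" >&2
        return 1
    fi
    if grep -q 'BEGIN SSH2 PUBLIC KEY' "$pubkey"; then
        echo "$pubkey is in SECSH format; use the one-line OpenSSH form" >&2
        return 1
    fi
    # Plain "<type> <base64>" lines only (no options prefix such as command="...").
    if ! grep -Eq '^(ssh-(dss|rsa)|ecdsa-sha2-[a-z0-9-]+|ssh-ed25519) [A-Za-z0-9+/=]+' "$pubkey"; then
        echo "$pubkey does not contain an OpenSSH public key line" >&2
        return 1
    fi

    # Directory and file must not be writable (or, for the file, readable) by
    # others; with the default StrictModes, sshd refuses to use authorized_keys
    # otherwise and silently falls back to asking for a password.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"

    # Append only keys that are not already present, so re-running is harmless.
    added=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        if ! grep -qxF -- "$line" "$authfile"; then
            printf '%s\n' "$line" >> "$authfile"
            added=$((added + 1))
        fi
    done < "$pubkey"
    echo "$added key(s) added to $authfile"
    return 0
}

# Usage on the ONL host after the scp above:  install_authorized_key ~/pubkey.txt
```

    The format check is deliberately strict: a private key or a SECSH-format file appended to authorized_keys is simply ignored by sshd, and the only symptom is that you keep being asked for a password.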

  5. Start your SSH agent
    Run pageant. You can do this from the Start menu or from your desktop. The pageant icon will appear in the task bar (as shown to the right).
  6. Add your private key to your SSH agent's cache
    • Right click the pageant icon in the task bar to get a menu.
    • Select Add key and the large window shown to the right will appear.
    • Open the private key file and a dialogue box asking for your passphrase will appear.
    • Enter your passphrase and select OK.
    Your PuTTY authentication agent will now work with PuTTY to authenticate you to the ONL server. You should now be able to connect to the ONL server without any prompts.

Non-Open SSH Client

The basic difference here is that a non-Open SSH client generates its public/private key pair in SECSH format rather than the OpenSSH format used by the ONL server. So you will need to produce an Open SSH public key to include in the SSH authorization file (~/.ssh/authorized_keys) on the ONL server. The Open SSH version of ssh-keygen running on all of the ONL hosts can translate between the two key formats. In short, you will need to do the following:

  1. Create your identity on your client
  2. Translate the public key (SECSH format) to OpenSSH format ....
  3. Tell the client which file to use as your identity.
The remaining two steps (starting an agent and adding your key to its cache) are the same as in any other case and will not be described here.
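As an added example (not the tutorial's own code, and not the tool it recommends), the shell function below shows what that translation actually does, so you can see why the two files differ. A SECSH-format public key, which is also what PuTTYgen writes with Save public key, is a multi-line block between "---- BEGIN SSH2 PUBLIC KEY ----" and "---- END SSH2 PUBLIC KEY ----" markers, with optional "Tag: value" header lines and the base64 key blob wrapped over several lines; the OpenSSH form is the same blob on one line, preceded by the key type and followed by the comment. The key type is read from the blob's fixed base64 prefix, which encodes the string "ssh-dss" or "ssh-rsa". On the ONL hosts the real tool is ssh-keygen -i -f id_dsa.pub, which handles more key types and formats than this illustration; the function names and the constructed sample key (placeholder text, not key material) are mine.

```sh
#!/bin/sh
# Added example (not from the ONL tutorial): translate a SECSH (RFC 4716) public
# key, as written by non-Open SSH clients and by PuTTYgen's "Save public key",
# into the one-line OpenSSH form that belongs in ~/.ssh/authorized_keys.
# On the ONL hosts use the real tool instead:  ssh-keygen -i -f id_dsa.pub
# This version knows only the DSA and RSA key types and needs nothing but sh.

# secsh_to_openssh FILE   -> prints "<type> <base64 blob> <comment>"
secsh_to_openssh() {
    file=$1
    grep -q '^---- BEGIN SSH2 PUBLIC KEY ----' "$file" || {
        echo "$file: not a SECSH public key (no BEGIN marker)" >&2
        return 1
    }
    comment='' blob='' tag='' inbody=0 cont=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '---- BEGIN SSH2 PUBLIC KEY ----') inbody=1; continue ;;
            '---- END SSH2 PUBLIC KEY ----')   break ;;
        esac
        [ "$inbody" = 1 ] || continue
        if [ "$cont" = 1 ]; then
            # Continuation of a header value whose previous line ended in '\'.
            cont=0
            case $line in *\\) cont=1; line=${line%\\} ;; esac
            if [ "$tag" = Comment ]; then comment=$comment$line; fi
            continue
        fi
        case $line in
            *:*)
                # Header line "Tag: value"; base64 text never contains ':'.
                tag=${line%%:*}
                value=${line#*:}
                value=${value# }
                case $value in *\\) cont=1; value=${value%\\} ;; esac
                if [ "$tag" = Comment ]; then comment=$value; fi
                continue ;;
        esac
        blob=$blob$line          # body line: append to the base64 blob
    done < "$file"
    [ -n "$blob" ] || { echo "$file: empty key body" >&2; return 1; }
    # The blob begins with a length-prefixed type string, so its base64 prefix is
    # fixed per type; that picks the OpenSSH keyword without decoding anything.
    case $blob in
        AAAAB3NzaC1kc3M*) type=ssh-dss ;;
        AAAAB3NzaC1yc2E*) type=ssh-rsa ;;
        *) echo "$file: unsupported key type" >&2; return 1 ;;
    esac
    comment=${comment#\"}; comment=${comment%\"}     # RFC 4716 quotes the comment
    printf '%s %s%s\n' "$type" "$blob" "${comment:+ $comment}"
}

# write_sample_secsh PATH
# Writes a constructed SECSH file (NOT a real key: after the fixed type prefix
# the blob is placeholder text) with a continued Comment header, for trying out.
write_sample_secsh() {
    cat > "$1" <<'EOF'
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "1024-bit dsa, ken@client, \
Wed Jun 07 2006"
AAAAB3NzaC1kc3MAAACBAPlaceholderDsaKey
MaterialNotARealKey0123456789
---- END SSH2 PUBLIC KEY ----
EOF
}

# Try it:  write_sample_secsh /tmp/sample.pub && secsh_to_openssh /tmp/sample.pub
```

Seeing the two layouts side by side also explains the earlier warning in the PuTTY section: sshd reads authorized_keys line by line, so a SECSH block pasted in unchanged is never recognised as a key.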
Now you can test the setup by starting up an agent on your client.

Commercial But Free for Educational Use SSH Client

Using this client is much like using PuTTY, except that this client uses keys in SECSH format; i.e., the tool looks like PuTTY, but you will need to translate the public key to OpenSSH format as described in the previous section.

UNDER CONSTRUCTION

Revised: Wed, June 7, 2006