Lab preparation - Configure SSH for passwordless login
Follow these instructions to create an SSH configuration that lets you log in from your local machine to a remote machine without having to enter a password. These instructions assume you have Linux or Mac OS X.
Create personal SSH configuration directory
Check whether you have a directory .ssh in your home directory. If not, create it:
mkdir ~/.ssh
The permissions of this directory have to block access for everybody except you. Otherwise SSH will refuse to work. Set the permissions using the following command:
chmod og-rwx ~/.ssh
If you display the permissions with the command ls -ld ~/.ssh you should see rwx followed by 6 dashes ------, like the following:
drwx------+ 21 marcel.graf staff 714 Jul 1 16:43 .ssh/
Create a public/private key pair
Run the following command to create a public/private key pair.
ssh-keygen -t rsa -b 2048
Respond to all prompts by entering nothing and just hitting Enter. This will write the keys to the directory ~/.ssh:
- a passwordless private key that is stored in the file id_rsa,
- a corresponding public key that is stored in the file id_rsa.pub.
Enable a remote host for passwordless login
In this step you will log in to the remote host using a password, and then configure SSH for passwordless login.
Log into the remote host:
ssh remotehost
If this is the first time you connect to this host with SSH you should see a warning message similar to the following:
The authenticity of host 'remotehost (193.134.216.182)' can't be established.
RSA key fingerprint is 0c:a1:f2:e9:a3:7d:31:76:4d:83:0c:37:a1:a9:04:f8.
Are you sure you want to continue connecting (yes/no)?
This message is meant to protect you from man-in-the-middle attacks. (It is normal that this message appears the first time you connect to a host. If it appears afterwards, something is fishy.)
Respond with yes.
When prompted, enter your password.
After you have logged in, create a directory ~/.ssh and set its permissions to rwx------.
mkdir ~/.ssh
chmod go-rwx ~/.ssh
In the ~/.ssh directory create an empty file authorized_keys and set its permissions to rw-------:
touch ~/.ssh/authorized_keys
chmod go-rwx ~/.ssh/authorized_keys
Open the file authorized_keys in an editor and add a new line containing the content of your public key file id_rsa.pub. (The line will be very long and wrap around in the editor several times.) You can use the clipboard to copy/paste it into the terminal window.
If you don't have an editor you can also use the cat command to append a line to the file:
cat >> ~/.ssh/authorized_keys
The command will wait for you to type a line. Copy/paste the content of the public key file into the terminal window and hit Enter.
Test that SSH works properly
Run the following command to log in to the remote host:
ssh remotehost
You should immediately see the command line prompt of the remote host.
Troubleshooting
If SSH is still asking you for your password:
- On both the local and remote host verify the permissions of the directory ~/.ssh: rwx------.
- On the remote host verify the permissions of the file authorized_keys: rw-------.
If you get the message "WARNING: UNPROTECTED PRIVATE KEY FILE!" verify on the local host the permissions of the private key file id_rsa: rw-------.
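The permission checks from the troubleshooting list can be scripted. The following is an added example, not part of the original lab; the function names group_other_bits, check_path and check_ssh_perms are hypothetical. It reads the same ls -ld output shown earlier and flags any path where the group/other bits are not six dashes.

```shell
#!/bin/sh
# Added example (not from the original lab): check the permissions that the
# troubleshooting section lists. All function names here are hypothetical.

# group_other_bits PATH -> prints the six group/other permission characters
# taken from "ls -ld" (columns 5-10 of e.g. "drwx------+").
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# check_path PATH -> returns 0 if PATH exists and group/other have no access.
check_path() {
    if [ ! -e "$1" ]; then
        echo "MISSING  $1"
        return 1
    fi
    bits=$(group_other_bits "$1")
    if [ "$bits" != "------" ]; then
        echo "TOO OPEN $1 (group/other: $bits) -> chmod go-rwx $1"
        return 1
    fi
    echo "OK       $1"
    return 0
}

# check_ssh_perms SSH_DIR ROLE -> exit status is the number of problems found.
#   ROLE=local  checks SSH_DIR and the private key id_rsa
#   ROLE=remote checks SSH_DIR and authorized_keys
check_ssh_perms() {
    dir=$1
    role=$2
    problems=0
    check_path "$dir" || problems=$((problems + 1))
    case $role in
        local)  check_path "$dir/id_rsa" || problems=$((problems + 1)) ;;
        remote) check_path "$dir/authorized_keys" || problems=$((problems + 1)) ;;
    esac
    return "$problems"
}
```

After loading these functions, run check_ssh_perms ~/.ssh local on your own machine and check_ssh_perms ~/.ssh remote on the remote host.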