HOWTO SSH without a password

From SHellium Wiki


Unix

Key Generation

  • An RSA key pair must be generated on the client system. The public portion of this key pair will reside on the servers being connected to, while the private portion must remain in a secure local area of the client system, by default in ~/.ssh/id_rsa. The key pair can be generated with the ssh-keygen(1) utility.

To generate your key pair, use the following command:

ssh-keygen -t rsa

Accept the default location and filename, then enter your passphrase.

Do not use your account password or an empty passphrase. The passphrase should be at least 16 characters long, and not a simple sentence. One choice would be several lines of a song or poem, interspersed with punctuation and other non-letter characters.

  • The file permissions should be locked down to prevent other users from being able to read the key pair data. OpenSSH may also refuse to support public key authentication if the file permissions are too open. These fixes should be done on all systems involved.

chmod go-w ~/
chmod 700 ~/.ssh
chmod go-rwx ~/.ssh/*
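
To check a system against these three rules without changing anything, the following added example (not part of the original wiki page) reports each deviation. The names mode_of, audit_ssh_perms and demo_audit are illustrative, and the demo runs on a constructed throwaway directory rather than a real home.

```shell
#!/bin/sh
# Added example (not from the wiki): read-only audit of the three chmod rules above.
# Function names and message texts are illustrative.

mode_of() { ls -ld "$1" | cut -c1-10; }    # e.g. drwx------ (ACL marker in col 11 dropped)

# audit_ssh_perms HOME_DIR: print one FAIL line per deviation, nothing if clean.
audit_ssh_perms() {
    home=$1
    m=$(mode_of "$home")
    # chmod go-w ~/ : group (col 6) and other (col 9) write bits must be clear
    [ "$(printf '%s\n' "$m" | cut -c6,9)" = "--" ] ||
        echo "FAIL $home is writable by group or other ($m)"
    # chmod 700 ~/.ssh
    m=$(mode_of "$home/.ssh")
    [ "$m" = "drwx------" ] || echo "FAIL $home/.ssh is '$m', expected drwx------"
    # chmod go-rwx ~/.ssh/* : no group/other bits on anything inside
    for f in "$home"/.ssh/*; do
        [ -e "$f" ] || continue
        m=$(mode_of "$f")
        [ "$(printf '%s\n' "$m" | cut -c5-10)" = "------" ] ||
            echo "FAIL $f is accessible to group or other ($m)"
    done
    return 0
}

# Constructed demo: a throwaway "home" with deliberately loose modes.
demo_audit() {
    h=$(mktemp -d) && mkdir "$h/.ssh" && : > "$h/.ssh/id_rsa" && : > "$h/.ssh/id_rsa.pub"
    chmod 775 "$h"; chmod 755 "$h/.ssh"; chmod 644 "$h/.ssh/id_rsa" "$h/.ssh/id_rsa.pub"
    echo "before:"; audit_ssh_perms "$h"
    chmod go-w "$h"; chmod 700 "$h/.ssh"; chmod go-rwx "$h/.ssh"/*    # the HOWTO's fixes
    echo "after:";  audit_ssh_perms "$h"
    rm -rf "$h"
}
demo_audit
```

On a real account, call audit_ssh_perms "$HOME" on both the client and each server.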

Key Distribution

  • The public portion of the RSA key pair must be copied to any servers that will be accessed by the client. The public key information to be copied should be located in the ~/.ssh/id_rsa.pub file on the client. Assuming that all of the servers use OpenSSH instead of a different SSH implementation, the public key data must be appended into the ~/.ssh/authorized_keys file on the servers.

To install your public key in a remote machine's authorized_keys file, use

ssh-copy-id [user@]machine
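
Where the key has to be appended by hand, the append itself has two easy mistakes: adding the same key twice, and fusing it onto a last line that has no trailing newline. The following added example (not from the original wiki page, and not ssh-copy-id's own code) shows an append that avoids both and creates the file owner-only. The function names and the key strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki, not ssh-copy-id's own code).
# append_pubkey PUBFILE AUTH_KEYS: append the key unless it is already listed.
# Prints "appended" or "present". Runs in a subshell so umask does not leak.
append_pubkey() (
    pub=$1; auth=$2
    line=$(awk '!/^#/ && NF >= 2 { print; exit }' "$pub")
    # Key type and base64 blob identify a key; the trailing comment does not.
    key=$(printf '%s\n' "$line" | awk '{ print $1, $2 }')
    [ -n "$line" ] || { echo "no public key in $pub" >&2; exit 1; }
    umask 077                          # anything created below is owner-only
    mkdir -p "$(dirname "$auth")"
    [ -e "$auth" ] || : > "$auth"
    if grep -qF -- "$key" "$auth"; then
        echo present
    else
        # A last line without a newline would fuse the old and new key.
        [ -z "$(tail -c 1 "$auth")" ] || echo >> "$auth"
        printf '%s\n' "$line" >> "$auth"
        echo appended
    fi
)

# Constructed demo: placeholder key material, not real keys.
demo_append() {
    d=$(mktemp -d)
    echo 'ssh-rsa AAAAB3CONSTRUCTEDKEYA user@client' > "$d/id_rsa.pub"
    printf 'ssh-rsa AAAAB3CONSTRUCTEDKEYB other@host' > "$d/authorized_keys"   # no final newline
    append_pubkey "$d/id_rsa.pub" "$d/authorized_keys"    # appended
    append_pubkey "$d/id_rsa.pub" "$d/authorized_keys"    # present
    rm -rf "$d"
}
demo_append
```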

Testing it out

You should now be able to connect from your local machine using your key to authenticate the connection.

LocalMachine$ ssh user@ns1.shellium.org

Enter passphrase for key '/home/user/.ssh/id_rsa':

Windows

Programs

You need these programs to authenticate to your SHellium account without entering your password:

  • SSH client and key generator: PuTTY, PuTTYgen and Pageant, available in a single installer.

  • (S)FTP client: WinSCP, an SFTP client. It works with PuTTY key files and Pageant.

Generating your keys

First, install the programs. Then start PuTTYgen.

The presets are adequate in most cases. For higher security, increase the key length from 1024 to 2048. Now click Generate to generate a public and a private key. Move your cursor over the blank area to generate random numbers for the key computation. A few seconds later the keys are ready.

  • Your public key is displayed in the text area at the top. Copy it to a text editor (e.g. Notepad), and save it as authorized_keys. The filename has to be lower case and have no file extension. This key will be saved on the server.
  • Now you can enter a comment for your private key (e.g. user@shellium.org), but you don't have to. However, you should enter a Key passphrase. This is a password to access your key. You have to enter it every time you use your private key. Confirm your password in the field below. Now click on Save private key. Save your private key in a secure place, where nobody can get to it.

Note: It is not necessary to enter a password, but you should do it nonetheless, because otherwise anybody who gets your key can log in to your account.

To use a password-protected private key as comfortably as a key without a password, see the Pageant section at the bottom of this page.

Now close PuTTYgen after saving your private and public key.

Configure the Server

The SHellium server is already set up for login with your private key. All you have to do is copy your public key to the server. Start WinSCP and connect to shellium.org.

Enter ssh.shellium.org in the top field and your user name and password in the fields below, then connect to the server. You will see a window divided into two parts; the right half is your SHellium account. Change into the .ssh directory (if it doesn't exist yet, you can create it yourself in your home directory by running "mkdir .ssh" through your SSH client). Now copy the authorized_keys file with your public key into this directory; you can simply drag and drop it onto the WinSCP window. The server is now ready, and you can close WinSCP.

Configure PuTTY

Now you have to configure PuTTY. You only need to edit three options to connect.

Start at the Session option. Enter ssh.shellium.org in the Host Name field. Make sure the port is 22 and SSH is selected.

Now go to the Data option under Connection. Enter your username in the Auto-login username field.

The last thing to do is to load your private key. Go to the Auth option under SSH in Connection and load your private key. Make sure to also check Attempt authentication using Pageant. You will need it later if you use Pageant.

Return to the Session option.

Enter a name for these settings and save it. You can load these settings later, so you don't have to enter them every time you start PuTTY. Now click Open to connect to your SHellium account. If you have entered a password for your private key, enter it now.

Configure WinSCP

Start WinSCP.

Enter the server name and your username. Now load your private key instead of entering your password. You can save your settings now. Click Login to start the connection. If you have entered a password for your private key, you will be prompted for it. If you want to use Pageant, you don't need to make any special settings; WinSCP uses Pageant automatically.

Configure Pageant

  • Pageant was mentioned several times before; but what is Pageant?

Pageant is a key management program. You can register your private keys in Pageant and, when a key is needed, Pageant supplies it to the program that needs it (e.g. PuTTY, WinSCP). Furthermore, Pageant saves the password that unlocks the private key, so you have to enter your password only once instead of every time you need your private key. Pageant thus combines the security of password-protected keys with the comfort of a password-free key.

To use Pageant, you have to start it first. Start the Pageant that is in the PuTTY folder in your Start Menu. After it starts, an icon appears in the system tray.

Double-click the icon to launch the Pageant key list. Load your key (Add Key) and close the window. That's it. To test it, right-click the icon and choose the name you gave your PuTTY session in the Saved Sessions menu. You have to enter the password for your key, because it's the first time you've started Pageant. From now on you have to enter your key password only once after starting Pageant. To test this, you can now start another shell: right-click on Pageant and choose your PuTTY session.
