Passwordless logins
friday, may 23rd, 2008 5:48am
[These are notes from a project I worked on in grad-school in 2003-2004. As part of a 'voting' project, I wanted to automate the backup of a postgres database to an offsite location via a dump and rsync. In order to script the backup, my server needed to be able to automatically login to the backup server. A fellow student, J.E., and I worked on this piece together.
Recently a co-worker described a need to do something different, but similar in some ways, so I dug up these notes and pasted 'em in here, fairly raw. Note to hackers: the servers mentioned are long offline.]
Instructions
Generate the key...
[toolbox:~/Desktop] birkin% [toolbox:~/Desktop] birkin% ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/Users/birkin/.ssh/id_rsa): /Users/birkin/.ssh/id_rsa already exists. Overwrite (y/n)? y Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /Users/birkin/.ssh/id_rsa. Your public key has been saved in /Users/birkin/.ssh/id_rsa.pub. The key fingerprint is: 71:04:1a:69:d4:ee:4a:d5:a8:b6:77:65:20:68:12:df birkin@toolbox.local [toolbox:~/Desktop] birkin%The '-t rsa' flag specifies ssh 2 protocol
Examine the created keys...
[toolbox:~/.ssh] birkin% [toolbox:~/.ssh] birkin% ls -alF total 48 drwx------ 7 birkin staff 238 16 Jun 21:15 ./ drwxr-xr-x 57 birkin staff 1938 16 Jun 17:06 ../ -rw------- 1 birkin staff 883 17 Jun 08:05 id_rsa -rw-r--r-- 1 birkin staff 230 17 Jun 08:05 id_rsa.pub -rw------- 1 birkin staff 535 16 Jun 20:39 identity -rw-r--r-- 1 birkin staff 339 16 Jun 20:39 identity.pub -rw-r--r-- 1 birkin staff 5351 16 Jun 20:56 known_hosts [toolbox:~/.ssh] birkin%The 'identity' files listed were generated when I was initially trying 'ssh -t rsa1', the ssh 1 protocol, and I believe can be ignored.
[toolbox:~/.ssh] birkin% [toolbox:~/.ssh] birkin% cat id_rsa.pub ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0xmINQ6w3KGgxEexNJeb5bRDhOyp3R5zWfL6L5ghb8TqWDoF/x1e4KxoVp3NEMd594QISQzb4w74ZNkdGKnIqOEHs1Uy3zbutijsPQhWqXvZ40AMbOpOjawLAcrTWUfqmBcC7MW54cOiu2FIzvlHJhYVOBCyy1nBVduGJUPF5s= birkin@toolbox.local [toolbox:~/.ssh] birkin%Copy the public key to a file titled 'authorized_keys' which will be transferred to the remote computer(s) that I want to connect to.
[toolbox:~/.ssh] birkin% [toolbox:~/.ssh] birkin% cat id_rsa.pub > ~/Desktop/authorized_keys [toolbox:~/.ssh] birkin%Let's take a look to make sure it looks right...
[toolbox:~/.ssh] birkin% [toolbox:~/.ssh] birkin% cd ~/Desktop/ [toolbox:~/Desktop] birkin% [toolbox:~/Desktop] birkin% ls -alF total 64 drwxr-xr-x 7 birkin staff 238 17 Jun 08:21 ./ drwxr-xr-x 57 birkin staff 1938 16 Jun 17:06 ../ -rwxr-xr-x 1 birkin staff 21508 17 Jun 08:20 .DS_Store* -rw-r--r-- 1 birkin staff 253 2 Nov 2003 .bash_profile -rw-r--r-- 1 birkin staff 0 20 Apr 2003 .localized -rw-r--r-- 1 birkin staff 230 17 Jun 08:21 authorized_keys drwxr-xr-x 42 birkin staff 1428 17 Jun 08:20 envelope/ [toolbox:~/Desktop] birkin% [toolbox:~/Desktop] birkin% cat authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0xmINQ6w3KGgxEexNJeb5bRDhOyp3R5zWfL6L5ghb8TqWDoF/x1e4KxoVp3NEMd594QISQzb4w74ZNkdGKnIqOEHs1Uy3zbutijsPQhWqXvZ40AMbOpOjawLAcrTWUfqmBcC7MW54cOiu2FIzvlHJhYVOBCyy1nBVduGJUPF5s= birkin@toolbox.local [toolbox:~/Desktop] birkin%Looks good.
Transfer the 'authorized keys' file from my OS X laptop to the remote computer...
[toolbox:~/Desktop] birkin% [toolbox:~/Desktop] birkin% rsync -v -e /usr/bin/ssh ~/Desktop/authorized_keys birkinbackup@harmonicas.msie.marlboro.edu:/home/birkinbackup/authorized_keys birkinbackup@harmonicas.msie.marlboro.edu's password: authorized_keys wrote 316 bytes read 42 bytes 31.13 bytes/sec total size is 230 speedup is 0.64 [toolbox:~/Desktop] birkin%Make sure it looks right on the remote computer...
[toolbox:~/Desktop] birkin% [toolbox:~/Desktop] birkin% ssh birkinbackup@harmonicas.msie.marlboro.edu birkinbackup@harmonicas.msie.marlboro.edu's password: [birkinbackup@harmonicas birkinbackup]$ [birkinbackup@harmonicas birkinbackup]$ ls -alF total 64 drwx------ 3 birkinbackup birkinbackup 4096 Jun 17 08:27 ./ drwxr-xr-x 6 root root 4096 Jun 12 15:01 ../ -rw-r--r-- 1 birkinbackup birkinbackup 230 Jun 17 08:27 authorized_keys -rw------- 1 birkinbackup birkinbackup 6306 Jun 17 08:22 .bash_history -rw-r--r-- 1 birkinbackup birkinbackup 24 Jun 12 15:01 .bash_logout -rw-r--r-- 1 birkinbackup birkinbackup 191 Jun 12 15:01 .bash_profile -rw-r--r-- 1 birkinbackup birkinbackup 124 Jun 12 15:01 .bashrc -rw-r--r-- 1 birkinbackup birkinbackup 29 Jun 17 08:29 datecrontest -rw-r--r-- 1 birkinbackup birkinbackup 847 Jun 12 15:01 .emacs -rw-r--r-- 1 birkinbackup birkinbackup 120 Jun 12 15:01 .gtkrc drwx------ 2 birkinbackup birkinbackup 4096 Jun 17 00:20 .ssh/ -rw-rw-r-- 1 birkinbackup birkinbackup 14220 Jun 12 18:59 testdump [birkinbackup@harmonicas birkinbackup]$ [birkinbackup@harmonicas birkinbackup]$ cat authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0xmINQ6w3KGgxEexNJeb5bRDhOyp3R5zWfL6L5ghb8TqWDoF/x1e4KxoVp3NEMd594QISQzb4w74ZNkdGKnIqOEHs1Uy3zbutijs+PQhWqXvZ40AMbOpOjawLAcrTWUfqmBcC7MW54cOiu2FIzvlHJhYVOBCyy1nBVduGJUPF5s= birkin@toolbox.local [birkinbackup@harmonicas birkinbackup]$Looks good.
Move the file to the right place on the remote computer...
[birkinbackup@harmonicas birkinbackup]$ [birkinbackup@harmonicas birkinbackup]$ cat authorized_keys >> .ssh/authorized_keys [birkinbackup@harmonicas birkinbackup]$The double brackets 'append' instead of overwrite. Also, I've checked this out -- the append is correct for our purposes in that it appends the new string on the following line. Actually, what would be nicer for inspection is this...
[birkinbackup@harmonicas birkinbackup]$ [birkinbackup@harmonicas birkinbackup]$ echo "" >> .ssh/authorized_keys [birkinbackup@harmonicas birkinbackup]$ [birkinbackup@harmonicas birkinbackup]$ cat authorized_keys >> .ssh/authorized_keys [birkinbackup@harmonicas birkinbackup]$Let's check out the 'real' authorized_keys file (I should name the transfer file something else in the future to avoid any confusion)...
[birkinbackup@harmonicas birkinbackup]$ [birkinbackup@harmonicas birkinbackup]$ cd .ssh/ [birkinbackup@harmonicas .ssh]$ [birkinbackup@harmonicas .ssh]$ ls -alF total 24 drwx------ 2 birkinbackup birkinbackup 4096 Jun 17 00:20 ./ drwx------ 3 birkinbackup birkinbackup 4096 Jun 17 08:27 ../ -rw-r--r-- 1 birkinbackup birkinbackup 975 Jun 17 08:42 authorized_keys -rw------- 1 birkinbackup birkinbackup 887 Jun 17 07:24 id_rsa -rw-r--r-- 1 birkinbackup birkinbackup 251 Jun 17 07:24 id_rsa.pub -rw-r--r-- 1 birkinbackup birkinbackup 603 Jun 16 17:34 known_hosts [birkinbackup@harmonicas .ssh]$ [birkinbackup@harmonicas .ssh]$ cat authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAu4tdcJlZldiAAnfviR3vXWGjwWa4For/kbi/FvBTeTEtctxsS72/ppn5vFydv4V5iLDVdfWKrnTIwfn8BHinq2yvdX9OLsEyjzBqbu+ZIZCi7UefJxEWCdOGtDd0YWiJbQJkyuoHs4ShwF5YcuMcnmiEjOUWJ7B5N9QkXeD3wc0= birkinbackup@harmonicas.msie.marlboro.edu authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA3+PWa9l6hu6sY43u5FASYr26AhRrUQDqcjT5VO+wePg2OaQyTedcNkRIGG6tVquFC+AXH5BOkI+EJAfSCJG2AE0YxSrM16rMgPM1wADJBlmhumiY5wuX5ROOc0azPpvLyjZwwFsSxgqpdtNtvwUCQEl94y3H5qqOvXtR+IVtp30= birkin@toolbox.local authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0xmINQ6w3KGgxEexNJeb5bRDhOyp3R5zWfL6L5ghb8TqWDoF/x1e4KxoVp3NEMd594QISQzb4w74ZNkdGKnIqOEHs1Uy3zbutijs+PQhWqXvZ40AMbOpOjawLAcrTWUfqmBcC7MW54cOiu2FIzvlHJhYVOBCyy1nBVduGJUPF5s= birkin@toolbox.local ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0xmINQ6w3KGgxEexNJeb5bRDhOyp3R5zWfL6L5ghb8TqWDoF/x1e4KxoVp3NEMd594QISQzb4w74ZNkdGKnIqOEHs1Uy3zbutijs+PQhWqXvZ40AMbOpOjawLAcrTWUfqmBcC7MW54cOiu2FIzvlHJhYVOBCyy1nBVduGJUPF5s= birkin@toolbox.local [birkinbackup@harmonicas .ssh]$The last line is the one we most recently created; the space preceding it is the result of the echo command; the lines 'authorized_keys' are mistakes from issuing echo in my experimentation instead of cat. I'm leaving these in to illustrate that there is tolerance for non-matching entries.
Try connecting...
[birkinbackup@harmonicas .ssh]$ [birkinbackup@harmonicas .ssh]$ exit logout Connection to harmonicas.msie.marlboro.edu closed. [toolbox:~/Desktop] birkin% [toolbox:~/Desktop] birkin% ssh birkinbackup@harmonicas.msie.marlboro.edu [birkinbackup@harmonicas birkinbackup]$No password-prompt: success!
Possible 'gotchas'
Before actually trying a connection-script, run a manual ssh first; you may have to once manually ok that key-exchange message you normally see on a first-time ssh.
If things aren't working, it could be a permissions issue...
J.E. sent me a link [2008 note: this was in 2004] to http://kimmo.suominen.com/ssh/ and pointed out the caution to check file and directory permissions if connections still aren't working right after configuring everything.
This site shows permissions to the ~/.ssh/ directory that allow writing by 'group', even though the text says only the 'owner' should have write permissions to that directory. On my account on the remote-computer, my ~/.ssh/ directory initially allowed group-write permissions, and passwordless login was not working. Changing those to...
drwx------ 2 birkinbackup birkinbackup 4096 Jun 17 16:18 .ssh/...allowed passwordless login to work. The beauteous text...
[toolbox:~] birkin% [toolbox:~] birkin% ssh birkinbackup@harmonicas.msie.marlboro.edu [birkinbackup@harmonicas birkinbackup]$ [birkinbackup@harmonicas birkinbackup]$ ssh birkinbackup@play.msie.marlboro.edu [birkinbackup@play birkinbackup]$No password required. Sweet.
Comment architecture not yet implemented -- for now email comments to birkin.diana@gmail.com; selected comments will be displayed here.