If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting!
A Trust relationship can be established for users on multiple servers running OpenSSH to allow a password free ssh session. This is sometime important when you want to run scripts or commands remotely.
Let’s assume ServerA and ServerB both run the ssh daemons.
To allow ServerA to SSH to ServerB without password, please try the following:
# ssh-keygen -t rsa
Note: User here is root
This generates two files id_rsa.pub and id_rsa
Now, this needs to be copied to the authorized_keys file on ServerB
# scp id_rsa.pub ServerB:~/.ssh/authorized_keys
Enter password when prompted.
Note: If the ServerB is already having a trust relationship with more that one hosts already then the above will wipe the contents and write this key alone. In which case, copy the file to the remote server as something like ServerA_rsa.pub and then append the contents to authorized_keys as follows. This will allow the existing authroized_keys from being wiped off.
# scp id_rsa.pub ServerB:~/.ssh/ServerA_rsa.pub
# cat ServerA_rsa.pub >> authorized_keys
Thats it. Test if you are able to do a ssh from ServerA without a password:
# ssh serverB uname -a
This will run the command “uname -a” on ServerB and returns the result on ServerA.
The same procedure has to be followed in the reverse to allow ServerB to talk back to ServerA without any password.
And, if there is anyone other server to be added to the existing list follow the same procedure ensuring the key is appended to the remote servers authorized_keys file and not by overwriting it.
You may also be interested in...
December 30th, 2006 at 12:04 pm
scp and cat of your ID is obsolete since ssh-copy-id exists.
January 1st, 2007 at 4:18 am
This article is a little bit of a simplification of what one can/should do while using SSH. For example, generally speaking, using DSA keys over RSA is recommended (security reasons). As always, there are pros and cons. However, generally speaking, DSA is a better choice. Also, this article fails to mention that once a “key phrase” (referred to as ‘password’ here) is entered, your idea of ‘passwordless’ log on flies out the window in a jiffy. You can go with kludges like “ssh-agent” to manage your key phrases but the bottom line is, we all want a passwordless authentication. Well, then let’s say it: press ENTER when prompted for a password while generating a key and let’s spare those who search for the answers on how to do this any further investigations.
If one is really paranoid about having one’s keys without a key phrase, then, you can protect it (to an extent) on the remote site by specifying what host a particular key can be accepted from via authorized_keys file. But this is a discussion for a later time.
January 1st, 2007 at 1:50 pm
The only problem with this is that this only works until you logout and then you have to restart the agent and put in the passphrase…it’s still cool though.
January 7th, 2007 at 7:09 pm
Tim this is not a problem since pam-ssh is available. So with your KDM/GDM/XDM login you can give the ssh-agent the passphrase - call it single-sign-on.
March 6th, 2007 at 3:59 pm
Nice, I follow your post and it work, but u forgot to add that in place of password you have to use the passphrase… I’m intrest in accessing the ssh-server like rsh without any type of autentification..
March 6th, 2007 at 4:13 pm
Ok… I figured out, u need to run ssh-agent and ssh-add to use this like I whant. I’t works but it dependes of the ssh-agent and that ok for me…
Thanx.
June 14th, 2007 at 4:01 pm
Hi,
I am trying to connect from a UNIX machine to a Windows SSH server without a password entry.
I tried the steps above but I have no luck in doing it.
Any suggestions?