Of course this is not the right phrase for it. It should be something like “key-based authorization with SSH”. Or simply “publickey authorization”. Or “unattended ssh login”. But I guess you know what I mean.
Here are the steps:
- Create a public ssh key, if you don’t have one already.
Look at ~/.ssh. If you see a file named id_dsa.pub then you obviously already have a public key. If not, simply create one. ssh-keygen -t dsa should do the trick.
Please note that there are other types of keys, e.g. RSA instead of DSA. I simply recommend DSA, but keep that in mind if you run into errors.
- Make sure your .ssh dir is 700:
chmod 700 ~/.ssh
- Get your public ssh key on the server you want to login automatically.
A simple scp ~/.ssh/id_dsa.pub remoteuser@remoteserver.com: is ok.
- Append the contents of your public key to the ~/.ssh/authorized_keys and remove it.
Important: This must be done on the server you just copied your public key to. Otherwise you wouldn’t have had to copy it on your server.
Simply issue something like cat id_dsa.pub >> .ssh/authorized_keys while at your home directory.
- Instead of steps 3 and 4, you can issue something like this:
cat ~/.ssh/id_dsa.pub | ssh -l remoteuser remoteserver.com 'cat >> ~/.ssh/authorized_keys'
- Remove your public key from the home directory on the server.
- Done!
You can now login:
ssh -l remoteuser remoteserver.com or ssh remoteuser@remoteserver.com without getting asked for a password.
That’s all you need to do.
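As an added example (not part of the original post): the append step above as a shell function that can be run repeatedly without duplicating the key, plus a check for group/other write permission on the home directory, ~/.ssh and authorized_keys, which OpenSSH's sshd refuses key logins over when StrictModes is enabled (the default). The function names, the temporary directory and the key line are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). Paths and the key are constructed.

# install_pubkey PUBKEY_FILE TARGET_HOME
# Appends each key line to TARGET_HOME/.ssh/authorized_keys unless that exact
# line is already there, and sets the modes the post asks for.
install_pubkey() {
    pub=$1; dir="$2/.ssh"; auth="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
    done < "$pub"
    return 0
}

# check_perms TARGET_HOME
# Prints every path among home, .ssh and authorized_keys that group or others
# can write to; returns 1 if any such path exists, 0 otherwise.
check_perms() {
    bad=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "writable by group/others: $p"
            bad=1
        fi
    done
    return "$bad"
}

# Demo: a throwaway directory stands in for the remote user's home.
demo_home=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1CONSTRUCTEDSAMPLE joe@notebook' > "$demo_home/id.pub"
install_pubkey "$demo_home/id.pub" "$demo_home"
install_pubkey "$demo_home/id.pub" "$demo_home"   # second run adds nothing
check_perms "$demo_home" && echo "permissions ok"
```

On a real server, pass the remote user's home directory as the second argument to both functions.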
October 18th, 2007 at 10:29 pm
On OS X, you must change the permissions of your public key in ~/.ssh to something like 600, otherwise it won’t be accepted as public key because it is too open.
October 19th, 2007 at 7:29 am
@Hendrik: I have included that. Thanks.
November 6th, 2007 at 7:36 am
Thanks for the informative post. You might like to know that your blog post shows up as the first result (as of this writing) for the search “automatic ssh login”.
I have one comment, however, you say “done” but then do NOT specify the ssh command line command to connect to the remote server using public key authorization.
Also, what happens when the username is not the same?
Ie, I’m user “joe@localhost” on my notebook, but I want to login to ssh.someserver.com as ‘johndoe’?
FC
November 6th, 2007 at 9:04 am
@Fernando: Thanks for the heads up, I have added what you asked for and hopefully clarified a bit.
December 17th, 2007 at 4:20 pm
I followed all above steps but still I am asked to select rsa fingerprints and password.
December 17th, 2007 at 8:26 pm
@Devesh: Your server needs to allow this, there are settings that can disable public key authentication.
December 22nd, 2007 at 2:50 am
In os x leopard, it is not necessary to chmod 600. I don’t really know what the details are, but it worked for me. Also, I used RSA instead of DSA because I’d already set up ssh key-based authorization with RSA (I looked up this guide because I’d forgotten what I did before).
Thanks for the clear directions!
John
January 20th, 2008 at 10:15 am
This article helped me in building automated file transfers from my test servers to deployment servers. I could do it all without my notice, and schedule the uploads in cron. Pretty nice explanation.
But in line #5, it is better to write instead:
cat ~/.ssh/id_dsa.pub | ssh -l remoteuser remoteserver.com 'cat >> ~/.ssh/authorized_keys'
Just, I added ~/.ssh instead of .ssh in the last.
January 20th, 2008 at 6:37 pm
@Bimal: Thanks for your suggestion I just edited the post.
February 8th, 2008 at 6:35 pm
Hi,
You can use extraputty:
# allow win32 application to send,receive data on Telnet, SSH, RLogin and Raw protocols.
# offers TestStand steps to send,receive data on Telnet, SSH, RLogin and Raw protocols.(installed by the windows installer)
# automatic sequencing of commands.
I hope that can help you. Asebt.
February 8th, 2008 at 6:38 pm
@asebt: This post is not about SSH clients, it’s about automatic login with ssh as the title suggests.
March 10th, 2008 at 4:06 pm
The whole process is much easier if you just use:
ssh-copy-id [-i [identity_file]] [user@]machine
1. ssh-keygen -t dsa
2. ssh-copy-id user@machine
done.
May 5th, 2008 at 12:18 pm
I did the things you have told, but it’s still asking for password.
These are the messages I got when I do ssh -v remoteserver.com
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /users/vchk/.ssh/id_rsa
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /users/vchk/.ssh/id_dsa
debug1: read PEM private key done: type DSA
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
remoteuser@remoteserver.com’s password:
Any suggestions about this?
May 5th, 2008 at 4:28 pm
@chiru I was having that same problem, and it turned out that the permissions on my home directory on the server I was connecting to were wrong…something to look at.
May 5th, 2008 at 4:36 pm
Thanks Keith…Removing group/others write permissions for home directory did the trick
July 6th, 2008 at 5:22 pm
In my case removing group write permissions from authorized_keys fixed it
August 31st, 2008 at 10:41 am
[…] Automatically ssh into machine See here for how to do that: http://wp.uberdose.com/2006/10/16/ssh-automatic-login/ […]
April 11th, 2009 at 10:39 am
[…] To be able to use this automatically, it would be necessary to have the SSH keys set up for an automatic login. […]
August 4th, 2009 at 9:08 pm
On my NAS (Qnap TS-109 Pro II) there is no file called “authorized_keys”. There are only following files:
known_hosts
ssh_host_dsa_key
ssh_host_dsa_key.pub
ssh_host_rsa_key
ssh_host_rsa_key_pub
Does it not support key authentication at all, or how can I find out into what file I have to include my key?
August 4th, 2009 at 9:39 pm
If it doesn’t exist simply create it, non-existence doesn’t mean it’s not supported. If your login then fails it’s best to have ssh output verbose messages, that way you see what’s supported or rejected by the server.
August 17th, 2009 at 11:27 am
I did all the things you said… and even changed the permissions of the authorizedkeys file to 700 but I’m still getting prompted for password:
ssh -v osr@10.17.120.207
OpenSSH_4.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 10.17.120.207 [10.17.120.207] port 22.
debug1: Connection established.
debug1: identity file /users/osr/.ssh/identity type -1
debug1: identity file /users/osr/.ssh/id_rsa type -1
debug1: identity file /users/osr/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.1
debug1: match: OpenSSH_4.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host ‘10.17.120.207′ is known and matches the RSA host key.
debug1: Found key in /users/osr/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /users/osr/.ssh/identity
debug1: Trying private key: /users/osr/.ssh/id_rsa
debug1: Offering public key: /users/osr/.ssh/id_dsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:
Any ideas what might be the problem?
August 17th, 2009 at 5:31 pm
Haven’t looked at ssh logs for quite some time. Your server has public key authentication enabled, so the problem shouldn’t be major. Is your user directory on the server world-writable? Some commenters had problems with this. You can also use -vvv for more details.
October 8th, 2009 at 5:30 pm
This article solved my problem for Solaris 10. The directory permissions are critical for it to work.
The user’s home & .ssh directories on the remote machine must be set to 755 at a minimum. The permissions on authorized_keys do not seem to matter. I set it to 777 and it worked fine.
After these permissions are set, then just do the following:
On the client:
ssh-keygen -t dsa
copy the resulting id_dsa.pub file to the remote machine’s .ssh directory
cat id_dsa.pub >> authorized_keys
2 things can happen from here:
If you entered a “passphrase” during ssh-keygen, you must:
ssh-agent $SHELL
ssh-add
Now you can just ssh to the remote machine without being prompted for the passphrase. This process of running ssh-agent and ssh-add will need to be done in every new shell instance.
If you did NOT enter a passphrase during ssh-keygen, there is no need to run ssh-agent & ssh-add
October 22nd, 2009 at 2:12 pm
Your tip seems useful, but do you know a way to make it work with web-based ssh clients like http://electrica-ms.mures.rdsnet.ro/ ?
October 22nd, 2009 at 2:25 pm
Since you can’t generate a key on their host: No.
November 7th, 2009 at 6:26 pm
Once you have created your public key you can use the “ssh-copy-id” command to copy it direct to the host and modify all the files you need.
November 10th, 2009 at 12:01 pm
I’d make the last line
'cat >> ~/.ssh/authorized_keys && sort -u -o ~/.ssh/authorized_keys ~/.ssh/authorized_keys'
so that if you run it multiple times you only get a single entry in the authorised keys file
December 8th, 2009 at 1:26 pm
[…] machine using ssh but not having to do the ssh key sharing thats explained in many posts including this one. You could use expect to do the same thing and more. Below is a script that you pass the domain you […]
January 20th, 2010 at 10:27 am
Hi,
Having issue on setting up automatic SSH login on Solaris 10.
1. I already removed the write permission from group and others on the home directory as well as the $HOME/.ssh. please refer below:
$ pwd
/export/home/userX
$ ls -ld /export/home/userX
drwxr-xr-x 4 userX other 512 Jan 20 08:52 /export/home/userX
$ ls -ld .ssh
drwxr-xr-x 2 userX other 512 Jan 20 08:53 .ssh
$ ls -l .ssh
total 10
-rw-r--r-- 1 userX other 450 Jan 20 08:54 authorized_keys
-rw------- 1 userX other 887 Jan 20 08:49 id_rsa
-rw-r--r-- 1 userX other 225 Jan 20 08:49 id_rsa.pub
-rw-r--r-- 1 userX other 450 Jan 20 08:50 known_hosts
-rw-r--r-- 1 userX other 225 Jan 20 08:53 ServerA_id_rsa.pub
$
2. I have the same permission setup on my other server and it’s working there.
3. I also compared the sshd_config and ssh_config of this server that is having issue and the one that is working and found no difference.
4. As user root on this server, it is working. (as root, “ssh localhost” is working, but as normal user, “ssh localhost” asks for password, as well as normal user from remote machine).
Any idea?
Thanks!
January 20th, 2010 at 10:44 am
The two servers you are speaking of might have different binaries installed, with different options compiled in (just a guess). ssh’s verbose logging (-v, -vv, -vvv) can show you what is offered and what is rejected.
January 20th, 2010 at 10:12 pm
You should also need to run ‘chmod 700 ~/.ssh/authorized_keys’ on the server for this to work
January 28th, 2010 at 7:11 pm
#23 stumped Says:
October 8th, 2009 at 5:30 pm
The user’s home & .ssh directories on the remote machine must be set to 755 at a minimum.
>> Thanks Stumped, that finally solved my problem of connecting a Macosx client to a Linux server over SSH without password!
February 7th, 2010 at 6:03 pm
Beautiful post. Step by step exactly what I needed (except that I used an RSA key) to scp and ssh with no hassle. THANKS!
February 10th, 2010 at 2:23 pm
I’m much more productive now. Just by one click I’m logged in to my build machine & ready to work.
Thanks,
Arun Kumar B
April 6th, 2010 at 1:17 pm
Just a piece of advice: if you are using Windows to log in to your Linux server, then simply, after step 4, copy and paste (you can use WinSCP for this) the id_rsa file to the following Windows directory: C:\Documents and Settings\accountname\.ssh
Thanks