Login automatically with SSH keys

With SSH you can securely log in to any Linux server and execute commands remotely. You can even use SSH to transfer and synchronize files from one server to another. Automating these tasks can make your life easier, but normally SSH gets in the way because it asks for a password every time you connect. Not anymore: in this article I will show you how to connect over SSH without a password.

About SSH keys

SSH keys allow machines to identify each other without you having to type the password every time. First we generate a key pair (nothing more than a randomly generated sequence of bytes; see it as a fingerprint) on the machine you're going to make the connection from. Then you install the public half of that unique key on the machine that needs to accept the connection.

Little helper script

Installing keys takes quite a few commands, and they are not easy to remember. If you have multiple servers, you might even want to automate the process of installing keys. No worries, I did this for you. Just download the helper script and install it. Open a terminal, and type:

su -  # If you're going to use the keys to automate tasks, become root first
mkdir -p ~/bin
wget -O- "https://github.com/kvz/kvzlib/raw/master/bash/programs/instkey.sh" > ~/bin/instkey.bash
chmod 755 ~/bin/instkey.bash

Running the script: installing keys

Now with the script in place, installing SSH keys is easy. To allow easy access to server.example.com just open a terminal and type:

~/bin/instkey.bash server.example.com

The first time you run the script, it will create the necessary keys. When it asks for a passphrase, just hit enter. Then it logs in at server.example.com (now you need to enter the server's password for the last time ;) and saves the key.

Installing ssh keys under a different user

Make sure you are logged in as the user who should have passwordless SSH access. Let's say this user is called kevin.

Go to the place you downloaded the instkey.sh script to, and type:

./instkey.bash server.example.com kevin

Notice the second argument? It makes sure kevin's keys are installed for kevin on the remote side as well, not for root. Easy, right?

**Congratulations!** You can now type:

ssh server.example.com

And you'll be logged in right away! Another great idea is to use this technology to automatically synchronize files with rsync.

Pitfalls

  • Of course you should be really careful where and when you install SSH keys, because if one machine is compromised, it's very easy for a cracker to hop to the next system without logging in. So choose wisely when to use this technology.
  • Keys are user specific. So if you're going to run programs as root that need to automatically log in to systems, you must also install the key as root.
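
The steps a key install performs on the accepting machine, together with the manual removal and the per-key restriction mentioned in the comments, as an added example (not the code of the instkey script). The function names, the sample key and the backup.sh path are assumptions made for illustration; on a real server AUTH_FILE is ~/.ssh/authorized_keys of the account that accepts the login.

```shell
#!/usr/bin/env bash
# Added example: what "installing a key" means on the accepting machine.
# Works on any local file, so it can be tried without touching a real server.

# Constructed sample (not a real key): the one line found in ~/.ssh/id_*.pub
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleBlobNotARealKey000000000 root@client'

# install_key AUTH_FILE PUBKEY_LINE [OPTIONS]
# OPTIONS limit what the key may do, e.g. (hypothetical path, OpenSSH 7.2+):
#   install_key "$f" "$SAMPLE_KEY" 'restrict,command="/usr/local/bin/backup.sh"'
install_key() {
    local auth_file="$1" pubkey="$2" options="${3:-}" blob
    # Field 2 of "type blob comment" is the key itself; use it as identity.
    blob=$(printf '%s\n' "$pubkey" | awk '{print $2}')
    [ -n "$blob" ] || { echo "not a public key line" >&2; return 2; }
    # With StrictModes, sshd ignores key files that other users could write to.
    mkdir -p "$(dirname "$auth_file")" && chmod 700 "$(dirname "$auth_file")"
    touch "$auth_file" && chmod 600 "$auth_file"
    # Idempotent: a key that is already authorized is not appended twice.
    if grep -qF -- "$blob" "$auth_file"; then
        return 0
    fi
    printf '%s\n' "${options:+$options }$pubkey" >> "$auth_file"
}

# remove_key AUTH_FILE PUBKEY_LINE: delete every entry carrying that key.
remove_key() {
    local auth_file="$1" blob tmp
    blob=$(printf '%s\n' "$2" | awk '{print $2}')
    [ -n "$blob" ] || return 2
    tmp=$(mktemp "${auth_file}.XXXXXX") || return 1
    # grep exits 1 when no line survives; only a real error (>1) aborts.
    grep -vF -- "$blob" "$auth_file" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv "$tmp" "$auth_file"
}

# count_keys AUTH_FILE: number of entries, ignoring blanks and comments.
count_keys() {
    grep -cEv '^[[:space:]]*(#|$)' "$1" || true
}
```

A key installed with a forced command can only run that command, which limits how far a stolen unattended key gets an intruder.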



tags: linux, SSH key, ssh
category: Howto - Webserver

Comments

#23. Kevin on 08 November 2010

@ JoGoFo: Thanks, I've updated the article!

#22. JoGoFo on 05 November 2010

The script doesn't exist any more!
I can't download http://kevin.vanzonneveld.net/download/instkey.bash/

:(

#21. Kevin on 04 April 2010

@ Greg: Thanks ;)

@ achmad: You'd still have to do that manually. But it's easy. Just remove the public key (1 line) from the authorized_keys file at the remote end.

#20. achmad on 30 March 2010

thanks for script, it works...
but how to remove installed key ???

#19. Greg on 11 March 2010

Awesome little script Kevin, I've done this the hard way before but I didn't feel like "thinking" this time. :)

Good Karma sent your way....

#18. Kevin on 31 December 2008

@ dave: This only works for ssh. But since SFTP communicates over SSH, it could work if you're using SFTP. No need for special configuration or anything.

Though you may want to specify a user like this:

dave@localhost# ./instkey.bash sftp.yourserver.com dave

#17. dave on 31 December 2008

Hi, this is a great post, thanks. Do you know any way to automate this if the remote system is an ftp server?

#16. Kevin on 01 December 2008

@ Mohamed: That's currently not supported in the script. You may want to hack it in there by using the -p switch behind ssh.
I'm currently in the process of building a centralized bash library over at http://kvzlib.net, I may build support into it over there if needed.

#15. Mohamed on 27 November 2008

What if the ssh port is different from the default 22?

#14. Kevin on 14 November 2008

@ Mike: Took a look at the source, and it looks cool Mike, thanks for sharing.

#13. Mike on 14 November 2008

This worked great for me, thanks. I actually ported the script to Python for no real reason except that I like to keep all my little tools in Python. :)

If it's useful to anyone, you can see it here:
http://pk-designs.com/tmp/install_key.zip

#12. Kevin on 03 November 2008

@ Steve: You are correct, I've updated the article. Thanks for helping out!

#11. Steve on 22 October 2008

You forgot to document a requirement of your script - the second host name argument for hostnames other than root@host.

An example is Puppy Linux's use of user Spot@host, for ssh rather than root. If you enter Spot@host, your script actually tries to use root@spot@host.

You did include code to allow non-root installation with the following two argument syntax:
instkey.bash host username

but you forgot to mention it.

Hope this helps!

#10. Kevin on 27 August 2008

@ Luke Stanley: Could you be more specific?

#9. Luke Stanley on 29 July 2008

It didn't work...

#8. Fran on 25 July 2008

Beautiful little code, it really works!!
I've learned a little today, thanks!:-)

#7. adrian on 15 May 2008

Make sure you update and re-generate all your keys on Debian-derived distros ..

#6. Kevin on 25 October 2007

@ Jeff: It would help if you'd be more specific.

#5. Jeff on 25 October 2007

Yea, it didn't work.

#4. Kevin on 26 September 2007

@ Manni: I will look into it, thanks again!

#3. Manni on 26 September 2007

You are right, cron-jobs make this a little more complicated, but it still works.

This article has some good information: http://www.ucolick.org/~sla/ssh/sshcron.html

Not only can you use passphrase-protected keys with cron jobs, you can also secure the remote machine so that it will only execute a certain command for a certain key.

#2. Kevin on 25 September 2007

@ Manni: Thanks, I didn't know about that. But what about cronjobs? Do you know if you can automate ssh-add as well?

#1. Manni on 25 September 2007

Why recommend to skip the passphrase? Always secure your private keys with a passphrase or you're in deep, deep trouble when someone can steal the key.

You might say that you are back to where you started, entering passphrases instead of passwords every time you want to access a remote machine. But you can simply run 'ssh-add' when you login and your passphrase will be remembered until you log out again.