Categories: Server, Linux, HowTo

Typing SSH passwords again and again can be a real pain. For example: lately I started to use Capistrano to deploy my Rails applications. If I want to set up the maintenance page on the server, I’ll type cap deploy:web:disable, which of course prompts me for the SSH password. Then I want to deploy my application with cap deploy and will again be prompted for the password. Finally I have to run cap deploy:web:enable to remove the maintenance page, which, as mindful readers might have guessed already, prompts for the password. This was just one reason for me to set up SSH authentication keys. At first I was a little worried that setting it up might be a bit complicated. Luckily I was disabused. If you want to switch to key-based authentication too, follow these simple steps.

Key generation

The first thing you need is - of course - a pair of keys: your private key and the associated public key. To generate both, fire up your favorite shell (for me it’s bash) and type:

ssh-keygen

This will generate both keys and ask you where to store them. Usually the default would be something like ~/.ssh/id_rsa. Simply accept the default by pressing return. Next you’ll have to enter a password for your key and confirm it. Afterwards you have to tell the server to accept your key on authentication. Do so by uploading the public key to the server.

scp ~/.ssh/id_rsa.pub yourserver.com:~/.ssh/authorized_keys2

If you want to add multiple keys, be sure to append them to the authorized_keys2 file and don’t overwrite it.
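One way to do the append safely, as an added example that is not part of the original post: the hypothetical helper add_pubkey is meant to be run on the server after copying the .pub file there. It adds a key only if it is not already listed and keeps the permissions tight.

```shell
#!/bin/sh
# Added example: append a public key to an authorized-keys file without
# overwriting existing entries. add_pubkey is a hypothetical helper name.
# Usage on the server: add_pubkey /tmp/id_rsa.pub ~/.ssh/authorized_keys2

add_pubkey() {
    pub=$1
    auth=$2

    # Accept only a one-line public key of a common type. This catches the
    # mistake of passing the private key (id_rsa) instead of id_rsa.pub.
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    key=$(head -n 1 "$pub")
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "$pub does not look like a public key" >&2; return 1 ;;
    esac

    # sshd's StrictModes check rejects key files that other users can write
    # to, so create a missing directory and file with owner-only access.
    dir=$(dirname "$auth")
    [ -d "$dir" ] || mkdir -p -m 700 "$dir"
    [ -e "$auth" ] || ( umask 077; : > "$auth" )
    chmod 600 "$auth"

    # Compare on "type base64" only, so a changed comment is not a new key.
    blob=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if grep -qF -- "$blob" "$auth"; then
        return 0    # already authorized, nothing to do
    fi

    # Make sure the last existing entry ends in a newline before appending.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
}
```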

First login

That’s all you have to do to switch to key-based SSH authentication. Try to log in as usual by typing:

ssh yourserver.com

This will prompt you for your key’s password and log you in to your server afterwards. “But wait! I’m still having to type my password every time I want to log in!” you shout, and you’re right - up to now. What you need to do is run ssh-agent, add your key and type your password. ssh-agent will then ask for the password and store it until you shut it down. You’ll have to do this every time you open up a new shell, or put the commands into e.g. your ~/.bash_profile. Quite comfortable, but we can do better.

Keychain

There is a nice little tool called keychain that will smooth the process a little for you. It was originally developed by the Gentoo people, but it’s available on other Linux distributions (as well as Mac OS X), too. Simply install it by typing your system’s equivalent to

# Gentoo
emerge keychain
# Debian
aptitude install keychain

and it’ll be available in no time. To set it up you need to put these two lines in your ~/.bash_profile:

keychain ~/.ssh/id_rsa
source ~/.keychain/$HOSTNAME-sh

That’s it. The first time you open up a shell, keychain will start ssh-agent, prompt you for your key’s password and remember the running ssh-agent for all new shells. On your next SSH authentication no more password typing is required. Wasn’t complicated at all, was it?

Update: Thanks to Michael for pointing out that the public key file is named id_rsa.pub instead of id_rsa. Fixed it.