To enable remote login without a password, you need a pair of keys; you'll place one of them (the public key) on the remote system. If you don't have a keypair yet, you need to create one. If you already have one handy, you can keep using it. By default, the key files will be in:
- ~/.ssh/identity and ~/.ssh/identity.pub (any older DSA key).
- ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub (a newer RSA key).
Generating keys
If you don't have any of these (or no ~/.ssh/) you need to generate one. You can create an RSA key like this:
myuser@localmachine:~$ ssh-keygen -t rsa
You should see something like the following:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/myuser/.ssh/id_rsa):
Created directory '/home/myuser/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/myuser/.ssh/id_rsa.
Your public key has been saved in /home/myuser/.ssh/id_rsa.pub.
The key fingerprint is:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx myuser@localmachine
The key's randomart image is:
+--[ RSA 2048]----+
(...)
+-----------------+
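If you leave the passphrase empty (just press Enter at both prompts), it'll create the pair of files without a passphrase. That way you can use them in scripts without having to store or enter a password. The private key file (~/.ssh/id_rsa) is then the only thing protecting the login, so keep it readable by you alone.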
Copying the keys to the remote machine
Once you have the keys, you can append the public key to the remote server's authorized key list. Assuming you have the files in the default location, you can do this:
myuser@localmachine:~$ ssh-copy-id -i ~/.ssh/id_rsa.pub username@remotemachine
To complete this, you'll have to enter the remote user's password to log in. It'll copy the file for you, creating a directory and changing permissions if needed. The contents will be appended to ~/.ssh/authorized_keys2 on the remote machine. You should see something like this (depending on whether or not you've logged in there before):
The authenticity of host 'remotemachine (xxx.xxx.xxx.xxx)' can't be established.
RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'remotemachine,xxx.xxx.xxx.xxx' (RSA) to the list of known hosts.
username@remotemachine's password:
Now try logging into the machine, with "ssh 'username@remotemachine'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Once that's done, you can log in remotely without entering a password, e.g.:
myuser@localmachine:~$ ssh username@remotemachine uptime
01:05:12 up 31 days, 11:21, 0 users, load average: 0.00, 0.00, 0.00
Troubleshooting
Some of the common problems:
- The remote server doesn't allow public key authentication.
  You'll probably have to update the SSH configuration. Edit the file /etc/ssh/sshd_config and uncomment or add the following lines:
  RSAAuthentication yes
  PubkeyAuthentication yes
  Now restart the SSH server:
  /etc/init.d/ssh restart
- Incorrect file permissions.
  The .ssh directory must not be writable by other users on the remote machine. If it is, you'll probably see the following in /var/log/auth:
  Apr 13 01:13:07 localhost sshd[18461]: Authentication refused: bad ownership or modes for directory /home/localmachine/.ssh
  To fix that, log in to the remote machine normally and run:
  cd ~
  chmod 700 .ssh
- Unsupported key type.
  Older machines may not support RSA key files. In that case, update the machine, or create and use DSA keys:
  ssh-keygen -t dsa
  Copy the file using ssh-copy-id like before. And then, upgrade as soon as possible!!
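The permission problem above, and the earlier advice to check authorized_keys for keys you weren't expecting, can both be checked with a short script run on the remote machine. This is an added example, not part of the original article; the function names check_ssh_dir and list_keys are made up for illustration, and it only looks at the .ssh directory and its authorized_keys file.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.
# Usage after sourcing this file: check_ssh_dir ~/.ssh; list_keys ~/.ssh/authorized_keys

# Succeeds if PATH is writable by group or others.
loose_mode() {
    # "ls -ld" prints e.g. drwxrwxr-x: column 6 is group write, column 9 other write
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Check DIR and DIR/authorized_keys for the conditions behind sshd's
# "bad ownership or modes" refusal. Prints each problem, returns their count.
check_ssh_dir() {
    dir=$1
    problems=0
    for p in "$dir" "$dir/authorized_keys"; do
        [ -e "$p" ] || continue
        owner=$(ls -ldn "$p" | awk '{print $3}')
        if [ "$owner" != "$(id -u)" ] && [ "$owner" != 0 ]; then
            echo "not owned by you or root: $p"
            problems=$((problems + 1))
        fi
        if loose_mode "$p"; then
            echo "writable by group or others: $p"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Print "keytype comment" for every entry in an authorized_keys file, so
# entries you did not add stand out. Leading options (from=..., command=...)
# are skipped; blank lines and # comments are ignored.
list_keys() {
    awk '!/^[ \t]*(#|$)/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)/) {
                out = $i
                for (j = i + 2; j <= NF; j++) out = out " " $j
                print out
                next
            }
        print "unrecognised entry on line " NR
    }' "$1"
}
```

A return value of 0 from check_ssh_dir means neither path is group- or world-writable and both are owned by you or root; any other value is the number of problems printed.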
Use at your own risk, obviously :-).