Appendix B. Advanced: Password-less Authentication With SSH

Table of Contents
Generating SSH keys
Creating an authorized_keys2 file.
Using ssh-agent
Killing ssh-agent

Generating SSH keys

In addition to password authentication, ssh supports public-key authentication. Instead of typing a password, you authenticate to the remote computer by means of a special file that you might think of as a "key". Done correctly, this lets you log in to remote machines without entering a password every time.

The first step for password-less authentication is generating a public/private key pair. This is a pair of files that together can be used to encrypt and decrypt data: what one file encrypts, only the other can decrypt. That property is what lets the pair authenticate a user to a system: the server keeps a copy of the public half, and only someone holding the private half can answer its challenge.

To begin, you must generate your key pair. The command to do this is ssh-keygen. With the -t dsa option, it creates two files by default, id_dsa and id_dsa.pub. The id_dsa.pub file is referred to as the public half of your key, and id_dsa is the secret half of your key.

Example B-1. Generating a key pair.


$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/caleb/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):passphrase
Enter same passphrase again:passphrase
Your identification has been saved in /home/caleb/.ssh/id_dsa.
Your public key has been saved in /home/caleb/.ssh/id_dsa.pub.
The key fingerprint is:
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 caleb@athlonsmp

Although leaving the passphrase empty can make password-less logins easier, it is not the best approach. Without a passphrase, anyone who gets a copy of your id_dsa file can use it to impersonate you.
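As an added example that is not part of the original text, here is a small Python check for exactly that risk: a private key stored without a passphrase. It inspects only the key file's header, never the key material. Legacy PEM files (the -----BEGIN DSA PRIVATE KEY----- layout that ssh-keygen -t dsa produced when this text was written) announce encryption with a Proc-Type: 4,ENCRYPTED header, while the newer openssh-key-v1 container records the cipher name, which is "none" for an unprotected key. The sample key files below are constructed placeholders, not real keys.

```python
import base64
import struct

def _ssh_string(b):
    # SSH wire format: uint32 big-endian length followed by the bytes.
    return struct.pack(">I", len(b)) + b

def _read_string(buf, pos):
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def is_passphrase_protected(key_text):
    """Return True if the private key file is encrypted with a passphrase."""
    lines = [l.strip() for l in key_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") \
            or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-style private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = _read_string(blob, len(magic))  # first field after magic
        return cipher != b"none"
    # Legacy PEM (RSA/DSA/EC): encryption is announced by RFC 1421 headers.
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:-1])

def unprotected_keys(key_files):
    """Given {name: file contents}, list the keys stored without a passphrase."""
    return sorted(name for name, text in key_files.items()
                  if not is_passphrase_protected(text))

# Constructed samples. The openssh-key-v1 body is only the header prefix a real
# file starts with (magic, cipher, kdf, kdf options, key count); enough to decide.
def make_openssh_container(cipher):
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    body = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(body).decode() + "\n-----END OPENSSH PRIVATE KEY-----\n")

SAMPLE_LEGACY_PLAIN = ("-----BEGIN DSA PRIVATE KEY-----\nTUlJQg==\n"
                       "-----END DSA PRIVATE KEY-----\n")
SAMPLE_LEGACY_ENCRYPTED = ("-----BEGIN DSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                           "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nTUlJQg==\n"
                           "-----END DSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    files = {"id_dsa": SAMPLE_LEGACY_PLAIN, "id_dsa_work": SAMPLE_LEGACY_ENCRYPTED,
             "id_ed25519": make_openssh_container(b"aes256-ctr")}
    print("keys without a passphrase:", unprotected_keys(files))
```

On a real machine the same function can be run over the contents of each file under ~/.ssh; a key it reports should be re-created with a passphrase, since the file alone is enough to impersonate its owner.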