Secure SSH, CVS, SCP without Password Prompt
For the old version of this homepage I have used CVS to update the websites. I have done this via SSH, which is pretty secure but has the annoying disadvantage of asking for a password for each operation. If you can trust the security of your client computer, there is a way to get rid of the password altogether, without losing security:
- Suppose the domain name of your server is server, and your login name loginname.
- On the client, generate a public and private key.
ssh-keygen -C loginname@server -t dsa
When asked for a passphrase, simply press return. The private key is stored in ~/.ssh/id_dsa, and the public key in ~/.ssh/id_dsa.pub. Never give the private key away!
- Copy the public key file to the server with
scp ~/.ssh/id_dsa.pub loginname@server:~/
- Log in on the server with
ssh loginname@server
and append the copied file to ~/.ssh/authorized_keys with
cat ~/id_dsa.pub >>~/.ssh/authorized_keys
- If you want to enable this feature on other servers, just repeat step 3 on each of the servers.
That’s it! If you have done everything correctly, the next time you log in via SSH or use CVS over SSH, you will not need to enter a password, yet you still have a secure connection.



July 12th, 2007 at 10:44 am
Hi, I know this is a rather old article, but I just found it on your “Top 10”.
I’d strongly recommend against using password-less private keys, as stealing the key also means stealing the ability to log in to the other remote systems. I, for myself, use passwords for keys, and use tools like pageant (for PuTTY/Win32) and Gentoo Keychain. This allows me to have to just type in the key once per reboot. This is especially useful if you are using tools that depend on automatic login (like unison for instance).
Best regards,
Martin
July 12th, 2007 at 11:04 am
Hi Capi! I don’t see much of a security problem here. When the private key is stolen, the server can easily revoke the access rights for that user.
July 13th, 2007 at 7:26 am
Yes of course, you are right about this. Given you notice the theft. Ok, I agree, I am just a little bit over-cautious here (others may also call it paranoia ;-)).