Mod:Hunt Research Group/SSHkeyfile
How to... not have to enter your password for every single SSH connection because you have better things to do with your time
In case you are fed up with having to enter your password for every SSH connection you make, you can use a so-called key pair. Be aware that this is a fairly complex business with a million and one possibilities to tweak and play around with if you want. Be also aware that you are dealing with security issues and that you will have to make a few decisions which could lower the overall security of your account. You are therefore encouraged to make use of Google and have a look at the different (and far better) tutorials on this topic. In case you just want it to work and that's it, read on...
First open a terminal shell on the computer you want to connect from.
Go to the directory where keys are stored
cd ~/.ssh
Generate a key pair
ssh-keygen -t rsa -b 4096
The -t option specifies the type of key to create and -b specifies the number of bits in the key; the default length is 2048.
It will ask you where to store the file, giving a default option, which you accept.
Then it will ask for a passphrase; choose a nice one.
Here is what the result should look like:
heiko@clove:~/.ssh$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/heiko/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
f0:da:dc:77:cf:71:12:c8:50:dc:18:a9:8d:66:38:ae heiko@clove.ch.ic.ac.uk
The key's randomart image is:
+--[ DSA 2048]----+
| .o= |
| .+ . |
| . ..+ |
| oo =o.. |
| .S+ o . |
| +.. . |
| ..o . . o..|
| E . . +o|
| o|
+-----------------+
The two files you just created are a key and a keyhole. The first file, id_rsa, is the key. You should not ever ever ever give it to anybody else or allow anyone to copy it.
The second file, id_rsa.pub, is the keyhole. If you open 'id_rsa.pub' it should contain one line of complete gibberish (it may look like more lines, but it is in fact just one long line, and you have to make sure not to add any additional line breaks). Mine looks like this:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwRDgM+iQg7OaX/CFq1sZ9jl206nYIhW9SMBqsOIRvGM68/6o6uxZo/D4IlmQI9sAcU5FVNEt9dvDanRqUlC7ZtcOGOCqZsj1HTGD3LcOiPNHYPvi1auEwrXv1hDh4pmJwdgZCRnpewNl+I6RNBiZUyzLzp0/2eIyf4TqG1rpHRNjmtS9turANIv1GK1ONIO7RfVmmIk/jjTQJU9iJqje9ZSXTSm7rUG4W8q+mWcnACReVChc+9mVZDOb3gUZV1Vs8e7G36nj6XfHw51y1B1lrlnPQJ7U3JdqPz6AG3Je39cR1vnfALxBSpF5QbTHTJOX5ke+sNKo//kDyWWlfzz3rQ== heiko@clove.ch.ic.ac.uk
The id_rsa.pub file is public and you can give it to the computer you want to access without typing your password every time. For example, give it to the HPC.
Now log in to the HPC and open (or create) the file '~/.ssh/authorized_keys'. In a new line at the end of this file, you should add a comment (starting with #) about where that keypair comes from and then in a second line you should copy&paste the complete contents of your 'id_rsa.pub' file. Close the 'authorized_keys' file.
#MAC in the office
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwRDgM+iQg7OaX/CFq1sZ9jl206nYIhW9SMBqsOIRvGM68/6o6uxZo/D4IlmQI9sAcU5FVNEt9dvDanRqUlC7ZtcOGOCqZsj1HTGD3LcOiPNHYPvi1auEwrXv1hDh4pmJwdgZCRnpewNl+I6RNBiZUyzLzp0/2eIyf4TqG1rpHRNjmtS9turANIv1GK1ONIO7RfVmmIk/jjTQJU9iJqje9ZSXTSm7rUG4W8q+mWcnACReVChc+9mVZDOb3gUZV1Vs8e7G36nj6XfHw51y1B1lrlnPQJ7U3JdqPz6AG3Je39cR1vnfALxBSpF5QbTHTJOX5ke+sNKo//kDyWWlfzz3rQ== heiko@clove.ch.ic.ac.uk
Now connect to the HPC. You will be asked for the passphrase for your keyfile. Enter it. You should now be logged in to the HPC. If you are asked for the password of your account instead of the passphrase, the server does not accept your key pair.
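If the server keeps asking for the account password, the usual causes are a key that got wrapped over several lines, a comment and key that ended up on the same line, or permissions on '~/.ssh' that are too open. The following shell function is an added example, not part of the original tutorial; the name install_pubkey and its three arguments are made up for this illustration. It does the authorized_keys step from above with those checks built in.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Run on the server, after
# copying id_rsa.pub there.
# Usage: install_pubkey id_rsa.pub ~/.ssh/authorized_keys "MAC in the office"

install_pubkey() {
    pub=$1; auth=$2; comment=$3

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # The key must be ONE line. A key wrapped by an editor or mail client
    # shows up here as several non-empty lines and would never match.
    nlines=$(grep -c . "$pub" || true)
    if [ "$nlines" -ne 1 ]; then
        echo "$pub: expected 1 key line, found $nlines" >&2
        return 1
    fi
    key=$(grep . "$pub")

    # Shape check: "<type> <base64> [comment]".
    if ! printf '%s\n' "$key" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/]+={0,2}( .*)?$'
    then
        echo "$pub: does not look like a public key" >&2
        return 1
    fi

    # sshd's default StrictModes ignores keys when ~/.ssh or authorized_keys
    # is writable by other users, so create both as owner-only.
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Already installed? Compare on "<type> <base64>" and change nothing.
    blob=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if grep -qF -- "$blob" "$auth"; then
        return 0
    fi

    # Start on a fresh line even if the file lacks a trailing newline, then
    # write the comment and the key as two separate lines.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        printf '\n' >> "$auth"
    fi
    printf '#%s\n%s\n' "$comment" "$key" >> "$auth"
}
```

Running it twice with the same key leaves the file unchanged, so it is safe to repeat.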
So far, we have replaced entering the password for your account with entering the passphrase for your key pair. This is where a so-called SSH agent comes in handy. The agent will store your passphrases for you so you do not have to enter them anymore. Luckily, macOS has one built in, which should have popped up and asked you whether you want the agent to take care of your passphrases. If you said 'YES', that was the very last time you ever heard or saw anything of it or your passphrase. Similar agents exist for more or less every OS. From now on you just have to enter 'ssh user@server' (or in my case 'ssh hpc' if you followed the other tutorial) and you are logged in. No questions asked.
In case you are too lazy to set up an SSH agent application, you can create a keyfile without a passphrase. But be aware that everyone with access to that keyfile can log in to your account. So you should not use such a keyfile. It is very naughty.