User Tools

Site Tools


Automatic SSH Logins

How to make SSH logins safer (by using keys instead of short passwords) and simpler (by having less stuff to remember).

Creating your Identity

To identify your self you need a keypair (public and private key). Create it using ssh-keygen like this:

$> ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa):
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/
The key fingerprint is:
88:13:b1:5e:36:eb:57:2d:5e:2e:0f:08:ab:72:61:be user@host

Be sure to use a good passphrase. Use a longer but easy to remember (for you) sentence.

Using Keychain

To avoid having to type the passphrase everytime you need to access your key (when using it to authenticate yourself), we use ssh-agent. And to make sure there is always a global ssh-agent running and the environment is set up correctly we utilize keychain.

Keychain is available as Debian package:

#> apt-get install keychain

Now we need to run it everytime it's needed - the best way is to include it into you ~/.bashrc like this:

#ssh keymanager
if [ "$PS1" ]; then
  if [ -e /usr/bin/keychain ]; then
    keychain ~/.ssh/id_dsa
    if [ -e ~/.ssh-agent-${HOSTNAME} ]; then
      . ~/.ssh-agent-${HOSTNAME}
    if [ -e ~/.keychain/${HOSTNAME}-sh ]; then
      . ~/.keychain/${HOSTNAME}-sh

This will call keychain if it is installed and add your identity to the running ssh-agent. If no ssh-agent is running it will start one and you will be asked for your passphrase. Then all needed environment info is written to ~/.ssh-agent-${HOSTNAME} or – depending on the keychain version – to ~/.keychain/${HOSTNAME}-sh which gets sourced into your .bashrc.

Try it:

$> echo $SSH_AGENT_PID 

Authenticate by Key

So now what to do with your shiny new identity stored in the running ssh-agent? Authenticate without a password of course! It's simple imagine a remote host you usually log on to with ssh and entering somebodys password. You only have to do this one more time - but this time use ssh-copy-id instead of ssh:

$> ssh-copy-id's password: 
Now try logging into the machine, with "ssh ''", and check in:


to make sure we haven't added extra keys that you weren't expecting.

Do as you're told and try to login. If everything went well you will not be prompted to enter a password anymore.

Take your identity with you

Do you have multiple host in your LAN to administrate? Do you sometimes hop from host to host? Well first of all copy your key to all these hosts as described in the last section. But this still will not allow you to log into Host A and going passwordless to Host B from there. This is because your identity (and your ssh-agent) are only running on your own machine - not on Host A.

SSH supports something called Agent-Forwarding. You can either remember to add the commandline option -A everytime you call ssh:

$> ssh -A

or you can add it to the /etc/ssh/ssh_config file on your host to enable it by default:

Host *
	ForwardAgent yes

To check if it worked you can use ssh-add to show your identity:

$> ssh-add -L

It should print your public key.

Managing SSH Connections

Now you're already able to login to all your favourite hosts without typing any passwords. Unfortunately you still have to type all the host- and usernames. Lets get another tool: connmgr. Download and install the Debian package:

$> wget
#> dpkg -i connmgr_1.0.0-1_all.deb

Now can add and use SSH connection profiles by using sshmgr:

Adding a new profile:

$> sshmgr -a remote

add profile: remote

enter hostname:
enter username [user]: somebody
enter port number [22]:
enter pre-command [none]:

successfully added the profile: "remote".

Connecting to a profile:

$> sshmgr remote

Jipp thats it. And the best thing is it supports BASH completion so sshmgr rem<TAB> does work :-D.

ssh.txt · Last modified: 2007/06/24 20:48 by andi