dougscripts.com

    Set up ssh

  • Setting up public/private keys for passwordless ssh login

In order for my user account to communicate with a user on another machine on the network (or another user on the same machine) using ssh, my account has to log in to an account on the other machine. The command to log in requires the remote machine's IP address and the username of the account I want to access. In this case I want to ssh from the "dougadams" account on my Macbook Pro, where I'm working from, to the "cleanuser" account on the iMac, whose IP address on the network is "192.168.1.200". I would type this in Terminal on the Macbook Pro:

ssh cleanuser@192.168.1.200

After pressing the Return key, I'd be asked to enter the "cleanuser" account's password. An ssh session will be opened and I can perform various tasks on the "cleanuser" account from my "dougadams" account on the Macbook Pro using Terminal. When finished, I would type "exit" and Return to end the ssh session.

This is fine if you don't mind entering a password each time you want to ssh. But a script can't react to the call-and-response protocol of password entering. So we will give the "dougadams" account on my Macbook Pro the "secret key" to access the "cleanuser" account on the iMac which will allow me to ssh to the iMac securely without having to enter a password. We will also do the reverse: give the "cleanuser" account on the iMac the key to the "dougadams" account on the MBP, the procedure for which is illustrated below.

Each command should be entered as a single line in Terminal (using your username and IP address info where appropriate) and followed by a press of the Return key. The "$" represents your Terminal prompt however it may be configured (mine is "My-MBP:~ dougadams$"). You don't type the "$".

I am on my Macbook Pro and I will create a key for it that I will give to "cleanuser" on the iMac (substitute your own info):

$ ssh-keygen -t rsa
(Press Return and the response will be the default location for the new key. Just press Return at this prompt.)
(You will be asked for a password. Don't enter one. Just press Return.)
(You will be asked to verify the password. Again, don't enter anything and just press Return.)
(The key will be created.)

(Now, we need to copy the key to "cleanuser's" home directory on the other machine using scp - secure copy)
$ scp ~/.ssh/id_rsa.pub cleanuser@192.168.1.200:~/
(Press Return.)
(Enter the password for "cleanuser" when prompted and press Return)

(Start a ssh session so we can work on the remote computer)
$ ssh cleanuser@192.168.1.200
(Press Return.)
(Enter the password for "cleanuser" when prompted and press Return)
(The prompt will indicate that you are working in cleanuser's home directory)

$ mkdir .ssh
(Press Return)
(Create this directory if it doesn't exist already, in which case you will be notified)

$ cat id_rsa.pub >> .ssh/authorized_keys
(Press Return)
(This adds the key to "cleanuser's" list of authorized ssh keys)

$ rm id_rsa.pub
(Press Return)
(The key we copied over can be deleted)

$ chmod 644 .ssh/authorized_keys
(Press Return)
$ chmod 700 .ssh
(Press Return)
(Set permissions on the file and folder)

$ exit
(Press Return)
(Be sure to enter this to end the ssh session)

The ssh-keygen program generates an "id_rsa.pub" type key.[1] We copy the key to the other machine and add it to its list of authorized keys. Whenever ssh is initiated from my MBP to "cleanuser" on the iMac with

ssh cleanuser@192.168.1.200

...the iMac allows the MBP access after shaking hands using the key it has on file. You never have to interact to enter a password, which will make scripting stuff later a breeze.

To test that things have been done correctly, try ssh'ing in to the other machine. If you don't get a password prompt then you did things correctly. (Be sure to enter exit in Terminal to end the ssh session.) If you still get a password prompt, try the whole schmear again.
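The remote-side steps above (mkdir, cat >>, chmod) can be wrapped so that repeating the procedure does not duplicate entries, with a check for the permissions that sshd's StrictModes setting (on by default) requires before it will honor authorized_keys. This is an added example, not part of the original page; install_pubkey and check_ssh_perms are hypothetical helper names, and the key line in the demo is constructed.

```shell
#!/bin/sh
# Added example: the page's remote-side steps as two repeatable functions.

# install_pubkey PUBKEY_FILE HOME_DIR  (hypothetical helper name)
install_pubkey() {
    pub="$1"; home="$2"
    # Only public-key lines belong in authorized_keys; refuse a private key file.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2
        return 1
    fi
    mkdir -p "$home/.ssh"                    # -p: no error if it already exists
    touch "$home/.ssh/authorized_keys"
    # Append each line only if that exact line is not already on file.
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        grep -qxF -e "$line" "$home/.ssh/authorized_keys" ||
            printf '%s\n' "$line" >> "$home/.ssh/authorized_keys"
    done < "$pub"
    chmod 700 "$home/.ssh"                   # same modes as the page's procedure
    chmod 644 "$home/.ssh/authorized_keys"
}

# check_ssh_perms HOME_DIR  (hypothetical helper name)
# Fails if .ssh or authorized_keys is writable by group or others.
check_ssh_perms() {
    for p in "$1/.ssh" "$1/.ssh/authorized_keys"; do
        mode=$(ls -ld "$p" | cut -c1-10)     # e.g. drwx------ or -rw-r--r--
        case "$mode" in
            ?????w????|????????w?) echo "too open: $mode $p" >&2; return 1 ;;
        esac
    done
    return 0
}

# Demo on a throwaway directory with a constructed key line (not a real key).
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3CONSTRUCTED dougadams@My-MBP\n' > "$demo/id_rsa.pub"
install_pubkey "$demo/id_rsa.pub" "$demo/home" && check_ssh_perms "$demo/home" &&
    echo "installed, permissions ok"
rm -rf "$demo"
```

If a password prompt still appears after the procedure, running check_ssh_perms against the remote account's home directory is a quick first check.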

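Once a key has been generated for a user, that user's public key (id_rsa.pub) can be copied to any other user on any other machine, so you only have to perform ssh-keygen once for any user. The private key, ~/.ssh/id_rsa, stays on the machine where it was generated.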

Be sure to perform this procedure between every machine that needs to communicate. Thus I would now go to the iMac and generate a key for "cleanuser", scp it to the "dougadams" account's home folder on the MBP, cat it to its authorized keys, and so on.

 

Get More Information:

See the section "KeyGen saves the day" (page 17) in the Leopard Server Quickstart Guide.pdf (which uses "id_dsa.pub" in the example) and this quick tutorial.

Also, see the man pages for:
ssh
ssh-keygen
scp
mkdir
cat
chmod

 

[1] There are many types of ssh key protocols, including "dsa" which is also seen in Mac use. I have noticed that rsync, which can call ssh, apparently looks for an "rsa" type key first so it's best to go with that type in this case. I do not know how rsync can be config'd for other key types but of course it is probably possible.

Site contents © 2001 - 2024 (that's right: 2001) Doug Adams and weblished by Doug Adams. Contact support AT dougscripts DOT com. About.