Password-free login with SSH
SSH (Secure Shell) is a much more secure replacement for telnet/rsh: for
example, it does not transmit passwords as plaintext over the network.
For this reason, many computers (in particular large machines, which are
popular targets for hackers) allow access only via ssh.
By default, ssh asks you for your password whenever you use it to log in
to another machine.
However, you can set things up in such a way that the login works
without this --- this does not compromise security.
The different flavours of ssh
The issue is unfortunately complicated by the fact that there are
different versions and even different vendors of ssh, who treat the
setup differently:
- ssh1 is an older version of the ssh program. On some systems, the
program is simply what you get if you type `ssh'; on other systems,
you have to type `ssh1'.
- ssh2 is a more recent version which uses a protocol different from
ssh1. On some systems, you have to type `ssh2' to get this version
of ssh.
The two different brands of ssh are
- The commercial version. If you have the commands `ssh1' and
`ssh2', this is what you have.
- OpenSSH. This is a free implementation of ssh and uses the single
command `ssh' only. If you want protocol 2, you use the flag `ssh -2'.
You can use the command
ssh[1|2] -v
to find out which version(s) of ssh you are using, where `ssh[1|2]'
stands for any of `ssh', `ssh1', `ssh2'.
Setting up ssh
Before you start using ssh on a new machine, you should run
ssh-keygen
For ssh2, the command is
ssh-keygen2
Note that, for version 3.0 of ssh2, which is installed on the pool,
you have to create the file ~/.ssh2/identification containing the single
line
IdKey id_dsa_1024_a
-- this is supposedly a bug in this version, since older versions create
this file automatically when you run ssh-keygen2.
ssh-keygen[2] creates a directory ~/.ssh (ssh1 and OpenSSH) or
~/.ssh2 (ssh2), which contains a private/public key pair called
`identity' and `identity.pub' for ssh1 and OpenSSH; `id_dsa' and
`id_dsa.pub' for OpenSSH (if you use `ssh-keygen -d'); and
`id_dsa_1024_a' and `id_dsa_1024_a.pub' for ssh2.
The public files (.pub) are the ones you have to copy from machine A, where
you have run ssh-keygen[2], to machine B if you want to be able to
log in to B without being asked for your password; the private key stays
on machine A.
What exactly you have to do differs strongly between the different versions of
SSH:
SSH1
On machine B, append the content of machine A's `identity.pub' to the file
`~/.ssh/authorized_keys'.
OpenSSH
If you use protocol 1, you do the same as for ssh1. For protocol 2, you
append the content of machine A's `id_dsa.pub' to the file
`~/.ssh/authorized_keys2'.
SSH2
You copy the file `id_dsa_1024_a.pub' from A into B's directory `~/.ssh2',
preferably under a more specific name like `id_dsa_machineA.pub'.
Then you add the line
Key id_dsa_machineA.pub
to the file `~/.ssh2/authorization'.
SSH2 on B, OpenSSH on A
In this case, you need to convert the public key before you proceed as
described above for SSH2.
See the note below on how to do this.
Here is an overview of the different flavours of SSH and some of the
files they use or create.
| | SSH protocol 1 (ssh1, OpenSSH) | SSH protocol 2, OpenSSH | SSH protocol 2, SSH2 |
|---|---|---|---|
| calling sequence: | ssh [-X] user@host | ssh [-X] user@host | ssh2 [+x] user@host |
| | scp user@host:remote_file local_file | scp user@host:remote_file local_file | scp2 user@host:remote_file local_file |
| | | | sftp2 user@host |
| directory: | ~/.ssh | ~/.ssh | ~/.ssh2 |
| key pair: | identity(.pub) | id_dsa(.pub) | id_dsa_1024_a(.pub) |
| authorised keys: | authorized_keys | authorized_keys2 | authorization, key1.pub, key2.pub, ... |
| initialisation: | ssh-keygen | ssh-keygen -d | ssh-keygen2 |
To convert an OpenSSH DSA key to SSH2 format, you need to run
ssh-keygen -e -f ~/.ssh/id_dsa.pub > id_dsa_ssh2.pub
on the OpenSSH machine.
The short version
If user `turbu01' wants to be able to log in as user `turbu43' without being
asked for the password, he/she should proceed as follows:
- Run
ssh-keygen
from any of the CGB pool machines. Press enter on any question you are
asked.
- Go to the directory .ssh and copy the file identity.pub
to `turbu43' on server2linux:
cd ~/.ssh
scp ./identity.pub turbu43@server2linux:identity_01.pub
where you replace `_01' by an underscore followed by your user id number.
- Log in as `turbu43':
ssh turbu43@server2linux
- Append the file you have just copied there to
.ssh/authorized_keys:
cat identity_01.pub >> .ssh/authorized_keys
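The last two steps of the short version, as an added helper for OpenSSH that is not part of the original page: it appends a one-line OpenSSH public key to ~/.ssh/authorized_keys exactly once and sets the permissions sshd requires (700 on ~/.ssh, 600 on authorized_keys), and it refuses a multi-line SSH2-format key, which has to be converted first. The function name install_pubkey, the optional home-directory argument and the sample keys are assumptions.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE [HOME_DIR]
# Appends the one-line OpenSSH public key in PUBKEY_FILE to
# HOME_DIR/.ssh/authorized_keys (default: $HOME), exactly once, and sets
# the permissions sshd insists on before it will trust the file.
# Hypothetical helper written for this page; not part of any ssh distribution.
install_pubkey() {
    pubkey_file=$1
    home_dir=${2:-$HOME}
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # An SSH2-format key (---- BEGIN SSH2 PUBLIC KEY ----) spans several
    # lines; it has to be converted before it can go into authorized_keys.
    if [ "$(grep -c '' "$pubkey_file")" -ne 1 ]; then
        echo "refusing: $pubkey_file is not a one-line OpenSSH key" >&2
        return 1
    fi
    key=$(cat "$pubkey_file")
    # Accept a protocol-2 key (ssh-dss/ssh-rsa) or a protocol-1 key
    # ("bits exponent modulus comment").
    case $key in
        "ssh-dss "*|"ssh-rsa "*|[0-9]*" "[0-9]*" "*) ;;
        *) echo "refusing: unrecognised key line in $pubkey_file" >&2; return 1 ;;
    esac

    # sshd (with the default StrictModes) ignores authorized_keys if the
    # directory or the file is writable by anyone else.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Append only if this exact line is not there yet, so repeated runs
    # do not pile up duplicates.
    if grep -qxF -- "$key" "$auth_file"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$auth_file"
    echo "installed"
}
```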
Forwarding of X connections
If you want to use graphical programs on the target machine, you need
ssh to forward X11 connections to your terminal.
With modern versions of ssh, this is not the default
behaviour.
To activate X11 forwarding you can either explicitly start ssh with
ssh -X user@host
or ssh2 with
ssh2 [+x] user@host
Or, if you want X11 forwarding to be the default behaviour, you need to
insert the line
ForwardX11 yes
into your configuration file ~/.ssh/config or ~/.ssh2/config.