Password-free login with SSH

SSH (Secure Shell) is a replacement for telnet/rsh, which is much more secure, as it does not, e.g., transmit passwords as plaintext over the network. For this reason, many computers (in particular large machines, which are popular targets for hackers) allow access only via ssh.

By default, ssh asks you for your password, whenever you use it to login onto another machine. However, you can set things up in such a way that the login works without this --- this does not compromise security.

The different flavours of ssh

The issue is unfortunately complicated by the fact that there are different versions and even different vendors of ssh, who treat the setup differently:
is an older version of the ssh program. On some systems, the program is simply what you get if you type `ssh'; on other systems, you have to type `ssh1'.
is a more recent version which uses a protocol different from ssh1. On some systems, you have to type `ssh2' to get this version of ssh.
The two different brands of ssh are
  1. The commercial version. If you have the commands `ssh1' and `ssh2', this is what you have.
  2. OpenSSH. This is a free implementation of ssh and uses the single command `ssh' only. If you want protocol 2, you use the flag `ssh -2'.
You can use the command
  ssh[1|2] -v
to find out which version(s) of ssh you are using, where `ssh[1|2]' stands for any of `ssh', `ssh1', `ssh2'.

Setting up ssh

Before you start using ssh on a new machine, you should run
For ssh2, the command is
Note that, for the version 3.0 of ssh2, which is installed on the pool, you have to create the file ~/.ssh2/idendtification containing the single line
  IdKey   id_dsa_1024_a
-- this is supposedly a bug in this version, since older versions create this file automatically when you run ssh-keygen2.

ssh-keygen[2] creates a directory ~/.ssh (ssh1 and OpenSSH) of ~/.ssh2 (ssh2), which contains a private-public pair of keys called `identity' and `' for ssh1 and OpenSSH; `id_dsa' and `' for OpenSSH (if you use `ssh-keygen -d'); and `id_dsa_1024_a' and `' for ssh2. The public files are the ones you have to copy from machine A, where you have run ssh-keygen[2] to machine B if you want to be able to login onto B without being asked for your password. What exactly you have to do differs strongly with the different versions of SSH:


On machine B, copy the content of machine A's `' to the file `~/.ssh/authorization'


If you use protocol 1, you do the same as for ssh1. For protocol 2, you copy the content of machine A's `' to the file `~/.ssh/authorization2'


You copy the file `' from A into B's directory `~/.ssh2', preferably under a more specific name like `'. Then you add the line
to the file `~/.ssh2/authorization'.

SSH2 on B, OpenSSH on A

In this case, you need to convert the public key before you proceed as described above for SSH2. See the note below on how to do this.

Here is an overview over the different flavours of SSH and some of the files they use or create.

SSH protocol 1 SSH protocol 2
calling sequence: ssh [-X] user@host ssh2 [+x] user@host
scp user@host:remote_file local_file scp2 user@host:remote_file remote_file
sftp2 user@host
directory: ~/.ssh ~/.ssh2
identity(.pub) id_dsa(.pub) id_dsa_1024_a(.pub)
authorized_keys authorized_keys2 authorization
initialisation: ssh-keygen ssh-keygen -d ssh-keygen2

To convert an OpenSSH DSA key to SSH2 format, you need to run

  ssh-keygen -e -f ~/.ssh/ >
on the OpenSSH machine.

The short version

If user `turbu01' wants to be able to login as user `turbu43' without being asked for the password, he/she should proceed as follows:
  1. Run
    from any of the CGB pool machines. Press enter on any question you are asked.
  2. Go to the directory .ssh and copy the file into the directory .ssh of `turbu43':
      cd ~/.ssh
      scp ./
    where you replace `_01' by an underscore, followed by your user id number.
  3. Login as `turbu43':
      ssh turbu43@server2linux
  4. concatenate the file you have just copied there to .ssh/authorized_keys:
      cat >> .ssh/authorized_keys

Forwarding of X connections

If you want to use graphical programs on the target machine, you need Ssh to forward X11 connections to your terminal. With modern versions of Ssh, this is not the default behaviour. To activate X11 forwarding you can either explicitly start ssh with
  ssh -X user@host
or ssh2 with
  ssh2 [+x] user@host
Or, if you want X11 forwarding to be the default behaviour, you need to insert the line
  ForwardX11 yes
into your configuration file ~/.ssh/config or ~/.ssh2/config .