Monday, November 06, 2006

Setting up Completely Passwordless Bi-Directional SSH

If you have two machines and you want to be able to ssh from "local" to "remote" without using a password at all, do the following, where $local is a command prompt on the local machine and $remote is a prompt on the remote machine. Replace the words REMOTE and LOCAL with the actual network names of the machines (when ssh-keygen asks for a passphrase, leave it empty; the passphrase alternative is discussed below):
$local ssh-keygen -t dsa
$local scp ~/.ssh/id_dsa.pub REMOTE:.
$remote cat ~/id_dsa.pub >>~/.ssh/authorized_keys
$remote ssh-keygen -t dsa
$local scp REMOTE:.ssh/id_dsa.pub ~/
$local cat ~/id_dsa.pub >>~/.ssh/authorized_keys
At this point you should be able to:
$local ssh REMOTE
without a password. You may be prompted to accept the fingerprint (host key) of the other machine. Do so. Then, in the remote shell:
$remote ssh LOCAL
This may also produce a fingerprint-acceptance prompt. Just accept it.

You can also delete the id_dsa.pub files from the login directory of each machine. Do not copy id_dsa (the file without the .pub extension): it is your private key, and the connection is only as secure as that file. If someone obtains it, they can impersonate you. This is also why some people recommend supplying a passphrase when running ssh-keygen and then using ssh-agent, which provides similar behavior but requires entering your passphrase once per session.
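As an added example that is not part of the original post: a small POSIX shell function that does the "cat >> authorized_keys" step from the procedure above more carefully. It appends a key only once, gives ~/.ssh and authorized_keys the permissions sshd insists on (a common reason key login silently falls back to a password prompt), and refuses to append a private key by mistake, which is the warning in the paragraph above. The function name install_authorized_key, its arguments and the sample key are this example's own, not anything from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Installs a public key into an
# authorized_keys file idempotently and with sshd-friendly permissions.
# Usage: install_authorized_key /path/to/id_dsa.pub [/path/to/.ssh]

install_authorized_key() {
    pub="$1"
    sshdir="${2:-$HOME/.ssh}"
    auth="$sshdir/authorized_keys"

    # Never append a private key: the connection is only as secure as id_dsa,
    # and it has no business in authorized_keys at all.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2
        return 1
    fi

    # sshd (with StrictModes, the default) ignores ~/.ssh and authorized_keys
    # when they are group- or world-writable, so fix the permissions first.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$auth"
    chmod 600 "$auth"

    # Compare only "type base64data", so a differing comment still matches.
    key=$(awk '{print $1" "$2}' "$pub")
    if grep -qF -- "$key" "$auth"; then
        echo "already present: $pub"
        return 0
    fi
    cat "$pub" >> "$auth"
    echo "installed: $pub"
}
```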
