HOWTO: Passwordless SSH with Single Signon

From Sabayon Wiki
Revision as of 13:31, 26 February 2014 by Zetok (talk | contribs) (Emerge Stuff: correct section name)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search


If you work with multiple *nix-based machines via ssh, you are probably tired of constantly having to enter your password every time you want to access another box. There is a secure way to allow you to access every machine, that you have ssh access to, without having to enter another password (other than the one you signed on with originally.)

This is actually quite simple to do, you basically just create a public/private key pair to authenticate yourself to your other machines, then have PAM spawn an agent to load your keys after you logon, providing a single signon solution to accessing all your remote machines. This guide will walk you through setting this up.

Equo Stuff

First of all, we are going to need the pam_ssh module. You may already have this installed, if not equo it. I'm going to assume you already have openssh installed, as every system should.

# equo install pam_ssh 

Create Key Pair

Now we need to create the key pair to authenticate yourself across the network. To do so, run this as your regular user.

WARNING: This should NOT be done as root, and you should never, ever ssh using the root account
$ ssh-keygen -t dsa 

This will ask where to save the file, just press enter as the default is what we want.

After that it will ask for the passphrase you want to use. It is important to set the passphrase to the exact same password as your normal logon password for this user. This is the password for the user on the current machine, not the one for other machines, even if they differ.

When that is done, two files should of been created ~/.ssh/id_dsa and ~/.ssh/ .

NOTE: It is very important to keep ~/.ssh/id_dsa private, it should be only readable by your user, to make sure of this, run this command:
$ chmod 600 ~/.ssh/id_dsa 

Distribute Public Key

Now we need to give all of our remote machines our public key so we can use it to authenticate. This is very simple to do, run the following command as your user for each remote system you want to setup the passwordless authentication for.

$ ssh-copy-id -i ~/.ssh/ [email protected] 

Configure PAM

We need to tell PAM to use our logon password to spawn an ssh-agent and load the rsa key we just made. There are two lines for we need to add, so your system-auth should look something like this:

File: /etc/pam.d/system-auth
auth       required
# Add this line here
auth       sufficient

auth       sufficient try_first_pass likeauth nullok
auth       required

account    required

password   required difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password   sufficient try_first_pass use_authtok nullok md5 shadow
password   required

session    required
session    required
# Add this line to the end
session    optional


That's all we need to do, you should be able to logout and log back in with the ability to ssh to your remote hosts without a password (you may need to restart your login manager with "/etc/init.d/xdm restart")

WARNING: This will remove some aspect of physical security on whatever machine you set this up on. If physical security is a concern, please use a locking screensaver or logout whenever you leave your system unattended. This is something you should do anyway to protect your local machine from malicious passersby


If you are having problems creating or distributing your keys, take a look at [1] for more information on that task.

If you are still prompted for a password after completing this guide, there are a few files that you may need to check. Make sure both of these entries are set to "yes" on your remote hosts.

File: /etc/ssh/sshd_config
# Allow Identity Auth for SSH1?
 RSAAuthentication yes
 # Allow Identity Auth for SSH2?
 PubkeyAuthentication yes

Make sure these entries are in your local machine's config.

File: /etc/ssh/ssh_config
Host * 
Port 22
IdentityFile ~/.ssh/id_dsa

--C0nv1ct 13:39, 12 November 2007 (UTC)