Difference between revisions of "HOWTO: Passwordless SSH with Single Signon"
Revision as of 18:37, 13 August 2009
If you work with multiple *nix-based machines via ssh, you are probably tired of constantly having to enter your password every time you want to access another box. There is a secure way to allow you to access every machine, that you have ssh access to, without having to enter another password (other than the one you signed on with originally.)
This is actually quite simple to do, you basically just create a public/private key pair to authenticate yourself to your other machines, then have PAM spawn an agent to load your keys after you logon, providing a single signon solution to accessing all your remote machines. This guide will walk you through setting this up.
First of all, we are going to need the pam_ssh module. You may already have this installed, if not emerge it. I'm going to assume you already have openssh installed, as every system should.
# emerge pam_ssh
Create Key Pair
Now we need to create the key pair to authenticate yourself across the network. To do so, run this as your regular user.
$ ssh-keygen -t dsa
This will ask where to save the file, just press enter as the default is what we want.
After that it will ask for the passphrase you want to use. It is important to set the passphrase to the exact same password as your normal logon password for this user. This is the password for the user on the current machine, not the one for other machines, even if they differ.
When that is done, two files should of been created ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub .
$ chmod 600 ~/.ssh/id_dsa
Distribute Public Key
Now we need to give all of our remote machines our public key so we can use it to authenticate. This is very simple to do, run the following command as your user for each remote system you want to setup the passwordless authentication for.
$ ssh-copy-id -i ~/.ssh/id_dsa.pub [email protected]
We need to tell PAM to use our logon password to spawn an ssh-agent and load the rsa key we just made. There are two lines for pam_ssh.so we need to add, so your system-auth should look something like this:
auth required pam_env.so # Add this line here auth sufficient pam_ssh.so auth sufficient pam_unix.so try_first_pass likeauth nullok auth required pam_deny.so account required pam_unix.so password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3 password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow password required pam_deny.so session required pam_limits.so session required pam_unix.so # Add this line to the end session optional pam_ssh.so
That's all we need to do, you should be able to logout and log back in with the ability to ssh to your remote hosts without a password (you may need to restart your login manager with "/etc/init.d/xdm restart")
If you are having problems creating or distributing your keys, take a look at  for more information on that task.
If you are still prompted for a password after completing this guide, there are a few files that you may need to check. Make sure both of these entries are set to "yes" on your remote hosts.
# Allow Identity Auth for SSH1? RSAAuthentication yes # Allow Identity Auth for SSH2? PubkeyAuthentication yes
Make sure these entries are in your local machine's config.
Host * Port 22 IdentityFile ~/.ssh/id_dsa
--C0nv1ct 13:39, 12 November 2007 (UTC)