
Your concern

You want to automate tasks under Linux, and therefore need an SSH login as 'User a' from Computer A to Computer B as 'User b' – without needing a password. Nevertheless, the connection should be secure.

The principle

Use SSH with Public Keys. Instead of passwords, SSH then uses a pair of private and public keys to log in.

The procedure

First create a key pair on Computer A as 'User a'. Make sure that this is saved without a passphrase (simply press Return twice):

a@A> ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/a/.ssh/id_rsa):
Created directory '/home/a/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/a/.ssh/id_rsa.
Your public key has been saved in /home/a/.ssh/id_rsa.pub.
The key fingerprint is:
3e:4f:05:79:3a:9f:96:7c:3b:ad:e9:58:37:bc:37:e4 a@A

Now log in (this time still with a password) on Computer B as User b. There, create the directory .ssh in the home directory of b (if it already exists, that is fine):

b@B> mkdir -p ~/.ssh

In the third and final step, b@B must allow access with the initially generated key. The safest way to do this from A is to use the following command (where you must enter the password one last time):

a@A> cat ~/.ssh/id_rsa.pub | ssh b@B 'cat >> .ssh/authorized_keys'

The public part of the key pair is then appended to User b's .ssh/authorized_keys text file. Several keys are permitted in this file – one key per line.

If you have done everything correctly, it should now be possible to log in without a password. You can check this, for example, with:

a@A> ssh b@B hostname
B

Copying files with scp also works without entering a password.

Notes for other SSH versions

Depending on your version of SSH, you may need to consider the following:

  • The authorisation file may be called authorized_keys2.
  • The rights for .ssh may need to be 700 (chmod 700 .ssh).
  • The rights for .ssh/authorized_keys2 may need to be 640.

Security advice

With the procedure described here, the key on Computer A is not encrypted. An attacker who gains access to Computer A as User a will automatically have access to Computer B as User b.
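
Steps two and three of the procedure, with the permission notes and the security advice applied, as an added example that is not part of the original article: run on Computer B as User b, it creates .ssh with mode 700, appends the key only once, and can prefix it with authorized_keys options that limit what the unencrypted key is allowed to do. The function name, its parameters, mode 600 for authorized_keys (stricter than the 640 noted above) and the sample options are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article. Run as User b on Computer B.
# install_pubkey HOME_DIR PUBKEY_LINE [OPTIONS]   (name and parameters are hypothetical)
#   PUBKEY_LINE: the single line from a's id_rsa.pub
#   OPTIONS:     optional authorized_keys options limiting what the key may do,
#                e.g. 'restrict,command="hostname"' (OpenSSH 7.2 or later)
install_pubkey() (
    home_dir=$1; pubkey=$2; options=${3:-}
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Accept only one line of the form "<type> <base64> [comment]".
    case "$pubkey" in
        *'
'*) echo "public key must be a single line" >&2; exit 1 ;;
        "ssh-rsa "?*|"ssh-ed25519 "?*|"ecdsa-sha2-"*" "?*) ;;
        *) echo "not an SSH public key line" >&2; exit 1 ;;
    esac
    rest=${pubkey#* }        # drop the key type
    key_blob=${rest%% *}     # base64 body without the comment

    # The subshell body keeps this umask from leaking into the caller.
    umask 077
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || exit 1
    touch "$auth_file" && chmod 600 "$auth_file" || exit 1

    # Idempotent: a key that is already present is not appended again.
    if grep -qF -- "$key_blob" "$auth_file"; then
        exit 0
    fi
    printf '%s\n' "${options:+$options }$pubkey" >> "$auth_file"
)
```

With a forced command in OPTIONS, an attacker who obtains the key from Computer A can run only that command on Computer B instead of getting a full shell as User b.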

Linux knowledge

These articles were written by the founder of Checkmk many years ago.
They are still valid though and thus we keep them on our website.
Mathias has since developed a monitoring software called Checkmk.
