Your concern

You want to automate tasks under Linux, and therefore need an SSH login as 'User a' from Computer A to Computer B as 'User b', without needing a password. Nevertheless, the connection should be secure.

The principle

Use SSH with Public Keys. Instead of passwords, SSH then uses a pair of private and public keys to log in.

The procedure

First, create a key pair on Computer A as 'User a'. Make sure that this is saved without a passphrase (simply press Return twice):

a@A> ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/a/.ssh/id_rsa):
Created directory '/home/a/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/a/.ssh/id_rsa.
Your public key has been saved in /home/a/.ssh/id_rsa.pub.
The key fingerprint is:
3e:4f:05:79:3a:9f:96:7c:3b:ad:e9:58:37:bc:37:e4 a@A

Now log in (this time still with a password) on Computer B as User b. There, create the directory .ssh in the home directory of b (it is fine if it already exists):

b@B> mkdir -p ~/.ssh

In the third and final step, b@B must allow access with the initially generated key. The safest way to do this from A is to use the following command (where you must enter the password one last time):

a@A> cat ~/.ssh/id_rsa.pub | ssh b@B 'cat >> .ssh/authorized_keys'

The public part of the key pair is then appended to User b's .ssh/authorized_keys text file. Several keys are permitted in this file – one key per line.

If you have done everything correctly, it should now be possible to log in without a password. You can check this, for example, with:

a@A> ssh b@B hostname
B

Copying files with scp also works without entering a password.

Notes for other SSH versions

Depending on your version of SSH, you may need to consider the following:

  • The authorisation file may be called authorized_keys2.
  • The rights for .ssh may need to be 700 (chmod 700 .ssh).
  • The rights for .ssh/authorized_keys2 may need to be 640.

Security advice

With the procedure described here, the key on Computer A is not encrypted. An attacker who gains access to Computer A as User a will automatically have access to Computer B as User b.
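
One way to limit what such an unencrypted automation key can do, as an added example that is not part of the original article: run on Computer B as User b, this function installs a public key into authorized_keys only once, with strict permissions, and can prefix it with key options. It assumes an OpenSSH server that supports the restrict option (7.2 or later); the function name install_pubkey and the command path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. Run on Computer B as User b.
# Usage: install_pubkey <pubkey-file> <ssh-dir> [key-options]
# e.g.   install_pubkey id_rsa.pub ~/.ssh 'restrict,command="/usr/local/bin/backup-job"'
# (/usr/local/bin/backup-job is a hypothetical path for the one automated task)
install_pubkey() (
    pubfile=$1
    sshdir=$2
    options=${3:-}

    # A .pub file holds one line: "<type> <base64-data> [comment]".
    # A private key file passed by mistake fails the type check below.
    keyline=$(grep -v '^[[:space:]]*$' "$pubfile" 2>/dev/null | head -n 1)
    keytype=$(printf '%s\n' "$keyline" | awk '{print $1}')
    keyblob=$(printf '%s\n' "$keyline" | awk '{print $2}')
    case $keytype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "install_pubkey: no public key in $pubfile" >&2; exit 1 ;;
    esac
    [ -n "$keyblob" ] || { echo "install_pubkey: key data missing" >&2; exit 1; }

    # The body runs in a subshell, so the umask change does not leak to the caller
    umask 077
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || exit 1
    auth=$sshdir/authorized_keys
    touch "$auth" && chmod 600 "$auth" || exit 1

    # Already installed? Compare the key data only, ignoring comment and options
    if grep -qF -- "$keyblob" "$auth"; then
        exit 0
    fi

    # Keep "one key per line" even if the file lacks a final newline
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi

    if [ -n "$options" ]; then
        printf '%s %s\n' "$options" "$keyline" >> "$auth"
    else
        printf '%s\n' "$keyline" >> "$auth"
    fi
)
```

With a command= option in front of the key, sshd runs only that program whenever the key is used, whatever the client requests.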

Linux knowledge

These articles were written by the founder of Checkmk many years ago.
However, they are still valid, so we keep them on our website.
Since then, Mathias has developed the monitoring software that is now Checkmk.
