Using SSH without typing passwords
Send corrections/additions to email@example.com
It is possible to set up SSH so that you can log in or copy files without
repeatedly typing your password. The setup requires several steps, but
it is very convenient, especially if you are using other computers in
addition to ours and need to transfer files back and forth.
- Run "ssh-keygen -t rsa" on one machine and follow the prompts. You
will be asked for a passphrase; this can be your normal password. A
blank passphrase is allowed but is not recommended.
- Create a file ~/.ssh/config containing
- If you do use different user names on different machines, then for each
host add to the end of ~/.ssh/config lines like
Alternatively you can use the syntax "ssh remoteuser@remotehost".
- Run "cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys".
- Check the permissions: if they are wrong, the agent may fail
silently. Files ~/.ssh/id_rsa and the optional files ~/.ssh/config and
~/.ssh/id_dsa must be mode 600 (-rw-------). If in doubt, do
chmod -R 700 ~/.ssh
(since the directory also needs to be executable by you).
- Start your window manager from ssh-agent. This is automatically set up
in Debian but not in RedHat. The commands to do this, given below,
should be put both in ~/.Xclients, which should be executable, and in
~/.xinitrc. (For fvwm2 both files should contain (assuming the standard
exec /usr/bin/ssh-agent /usr/bin/X11/fvwm2
For KDE they should contain
exec /usr/bin/ssh-agent /usr/bin/startkde
For Gnome they should contain
exec /usr/bin/ssh-agent /usr/bin/gnome-session
If you use several systems with different window managers or with
commands in different places, you should add the appropriate tests using
/bin/sh syntax. If any files are not found, you will not be able to
log in except in command line or failsafe mode, so you should check
- Copy ~/.ssh to all your machines, i.e., "scp -r .ssh user@remote:".
This is not necessary if you are only using quark and our workstations
since they all share the same file system.
- Do not use xhost or set the DISPLAY variable anywhere. DISPLAY is
set automatically by SSH, and no other value will work properly.
- Log in as usual, so your window manager is started from ssh-agent.
- In any window type "ssh-add" and type your passphrase. This
authenticates you to ssh-agent for this login session.
If you put "ssh-add" in your startup files, you will automatically be
prompted for your passphrase at login. For example, if you start fvwm
in .xsession put the lines
if [ -x /usr/bin/ssh-add ]; then
in .xsession before calling fvwm.
With KDE you can put a link to ssh-add in ~/.kde/Autostart.
With Gnome, go to the Gnome control center and select session
properties. Then select "startup programs", "Add...", and insert
- Then you can use ssh, scp, etc., to any remote systems to which you
have copied the files in ~/.ssh, e.g.
scp somefile remotename@remotehost:somedir
scp remotename@remotehost:somefile .
No additional passwords should be needed.
- To tunnel through the firewall via quark fairly transparently, alias
something (or make a button) on your outside machine to execute (all on
one line; you need the -t)
ssh -t quark.phy.bnl.gov ssh firstname.lastname@example.org
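The permission check in the step above can be scripted. The following is an added example, not part of the original page: it reports the directory and each of the files named there (id_rsa, id_dsa, config) that is open to group or others. The function names perm_bits and check_ssh_perms are made up for this example, and it assumes a POSIX shell with ls and cut.

```shell
#!/bin/sh
# Added example: audit a ~/.ssh directory against the permission step above.

# Print the nine permission characters of a path as shown by ls, e.g. rw-------
perm_bits() {
    ls -ld "$1" | cut -c2-10
}

# check_ssh_perms DIR
# Prints one line per problem; returns 0 if everything passes, 1 otherwise.
check_ssh_perms() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir"
        return 1
    fi
    # The directory must be usable by its owner and closed to everyone else.
    case $(perm_bits "$dir") in
        rwx------) ;;
        *) echo "BAD DIR  $dir ($(perm_bits "$dir")), want rwx------"; rc=1 ;;
    esac
    # Files named on the page; id_dsa and config are optional, so skip if absent.
    for name in id_rsa id_dsa config; do
        f=$dir/$name
        [ -e "$f" ] || continue
        # Any group/other bit (characters 4-9) is a failure. Both mode 600 and
        # the page's fallback "chmod -R 700" leave those six characters as dashes.
        case $(perm_bits "$f") in
            ???------) ;;
            *) echo "BAD FILE $f ($(perm_bits "$f")), want rw-------"; rc=1 ;;
        esac
    done
    return $rc
}

# Audit the directory given as the first argument, defaulting to ~/.ssh.
if check_ssh_perms "${1:-$HOME/.ssh}"; then
    echo "permissions OK"
else
    echo "fix with: chmod -R 700 ~/.ssh"
fi
```

Run it on each machine after copying ~/.ssh there, since scp does not necessarily preserve the modes set on the source.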
Additional SSH information from the Physics Department is available