Using SSH without typing passwords

It is possible to set up SSH so that you can login or copy files without repeatedly typing your password. The setup requires several steps, but it is very convenient, especially if you are using other computers in addition to ours and need to transfer files back and forth.

Setup Instructions

• Run "ssh-keygen -t rsa" on one machine and follow the prompts. You will be asked for a passphrase; this can be your normal password. A blank passphrase is allowed but is not recommended.

• Create a file ~/.ssh/config containing

  ForwardX11 yes
  ForwardAgent yes
  IdentityFile ~/.ssh/id_rsa
  

• If you do use different user names on different machines, then for each host add to the end of ~/.ssh/config lines like

  Host remotehost
  User remoteuser
  

  Alternatively you can use the syntax "ssh remoteuser@remotehost".

• cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys .

• Check the permissions: if they are wrong, the agent may fail silently. Files ~/.ssh/id_rsa and the optional files ~/.ssh/config and ~/.ssh/id_dsa must be mode 600 (-rw-------). If in doubt, do

  chmod -R 700 ~/.ssh 
  

  (since the directory also needs to be executable by you).

• Start your window manager from ssh-agent. This is automaticly set up in Debian but not in RedHat. The commands to do this, given below, should be put both in ~/.Xclients, which should be executable, and in ~/.xinitrc. (For fvwm2 both files should contain (assuming the standard Linux paths)

  #!/bin/sh
  exec /usr/bin/ssh-agent /usr/bin/X11/fvwm2
  

  For KDE they should contain

  #!/bin/sh
  exec /usr/bin/ssh-agent /usr/bin/startkde
  

  For Gnome they should contain

  #!/bin/sh
  exec /usr/bin/ssh-agent /usr/bin/gnome-session
  

  If you use several systems with different window managers or with commands in different places, you should add the appropriate tests using /bin/sh syntax. If any files are not found, you will not be able to login except in command line or failsafe mode, so you should check first.

• Copy ~/.ssh to all your machines, i.e., "scp -r .ssh user@remote:" . This is not necessary if you are only using quark and our workstations since they all share the same file system.

Usage Instructions

• Do not do use xhost or set the DISPLAY variable anywhere. DISPLAY is set automatically by SSH, and no other value will work properly.

• Login as usual, so your window manager is started from ssh-agent.

• In any window type "ssh-add" and type your passphrase. This authenticates you to ssh-agent for this login session.

  If you put "ssh-add" in your startup files, you will automatically be prompted for your passphrase at login. For example, if you start fvwm in .xsession put the lines

  if [ -x /usr/bin/ssh-add ]; then
    ssh-add $HOME/.ssh/id_rsa
  fi
  

  in .xsession before calling fvwm.

  With KDE you can put a link to ssh-add in ~/.kde/Autostart

  With gnome, go to the gnome control center and select session properties. Then select "startup programs", "Add...", and insert "ssh-add" there.

• Then you can use ssh, scp, etc., to any remote systems to which you have copied the files in ~/.ssh, e.g.

  ssh quark
  scp somefile remotename@remotehost:somedir
  scp remotename@remotehost:somefile .
  

  No additional passwords should be needed.

• To tunnel through the firewall via quark fairly transparently, alias something (or make a button) on your outside machine to execute (all on one line; you need the -t )

  ssh -t quark.phy.bnl.gov ssh username@internal.machine.name
  

Additional Information