SSH/SCP WITHOUT A PASSWORD
by Fred Ross; Last updated June 12, 2003

This document is not a step-by-step guide. It tells you what needs to be done, but not every step to do it. You must already be able to log in normally to the machine you want passwordless access to, from the machine you want to access it from.

The machine to be accessed will be called server.phys.net; the machine that will access it will be workstation.phys.net. These names have no significance.

GLOBAL CONFIGURATION

On workstation.phys.net, make sure there is something that looks like:

    Host *
        ForwardAgent yes
        Protocol 2,1

in /etc/ssh/ssh_config. On server.phys.net, make sure you have a line

    RSAAuthentication yes

in /etc/ssh/sshd_config. On reasonable machines these should already be set by default. If you're not the administrator in either place, they should be set for you, no matter what the default.

PERSONAL CONFIGURATION

All files in ~/.ssh should always be mode 600 (so when you finish these instructions, run "chmod 600 ~/.ssh/*" on both server.phys.net and workstation.phys.net).

On workstation.phys.net, make sure you can ssh into server. server must be in the ~/.ssh/known_hosts file (sometimes known_hosts2). Execute the following command in ~/.ssh:

    ssh-keygen -t rsa

and hit enter at all three prompts to take the default settings (yes, you want an empty passphrase). This writes two files: id_rsa and id_rsa.pub. id_rsa is your private key authentication file; id_rsa.pub is the public key file you put on other machines to allow them to authenticate you.

scp id_rsa.pub to server, then ssh there (you still need a password). On server, look in ~/.ssh. You need to have ssh'd somewhere from server, so if you haven't, do so now. You'll know if you have by the presence of ~/.ssh/known_hosts (sometimes known_hosts2). If you have known_hosts, then cat id_rsa.pub onto the end of ~/.ssh/authorized_keys; if you have known_hosts2, then cat id_rsa.pub onto the end of ~/.ssh/authorized_keys2. Most recent systems have dropped the 2 since SSH1 is long dead.

Again, make sure everything in ~/.ssh is chmod'd 600 on both machines.

Go try to log in from workstation. It should log in without a password prompt. If it doesn't, your life's going to be annoying for a while.
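
The server-side step described above (cat id_rsa.pub onto the end of authorized_keys, then check that everything is mode 600) written as re-runnable shell functions. This is an added example, not part of the original document: the function names install_pubkey and loose_files are hypothetical, the key line in the demo is constructed, and mode 700 on the directory is this example's assumption (a directory needs its execute bit to be entered).

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE SSH_DIR   (hypothetical helper, added example)
# Appends the key to SSH_DIR/authorized_keys unless that exact line is there.
install_pubkey() {
    pubkey_file=$1
    ssh_dir=$2
    auth_file="$ssh_dir/authorized_keys"

    [ -s "$pubkey_file" ] || { echo "no public key at $pubkey_file" >&2; return 1; }
    # A public key file holds exactly one line; refuse anything else.
    [ "$(grep -c '' "$pubkey_file")" -eq 1 ] || { echo "expected one key line" >&2; return 1; }

    # The directory needs its execute bit to be entered, so 700 rather than 600.
    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir" || return 1
    # Create the file under a restrictive umask, then pin it to mode 600.
    ( umask 077; touch "$auth_file" ) || return 1
    chmod 600 "$auth_file" || return 1

    key_line=$(cat "$pubkey_file")
    # -F fixed string, -x whole line, -q quiet: skip a key already installed.
    if ! grep -qxF -- "$key_line" "$auth_file"; then
        printf '%s\n' "$key_line" >> "$auth_file"
    fi
}

# loose_files SSH_DIR   (hypothetical helper)
# Prints every regular file in SSH_DIR whose mode is not exactly 600.
loose_files() {
    find "$1" -type f ! -perm 600
}

# Demo in a scratch directory with a constructed (not real) key line.
demo_dir=$(mktemp -d) || exit 1
printf '%s\n' 'ssh-rsa AAAAB3-CONSTRUCTED-EXAMPLE user@workstation.phys.net' > "$demo_dir/id_rsa.pub"
install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/.ssh"
install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/.ssh"   # second run adds nothing
echo "key lines in authorized_keys: $(grep -c '' "$demo_dir/.ssh/authorized_keys")"
echo "files not mode 600: $(loose_files "$demo_dir/.ssh" | grep -c '')"
rm -rf "$demo_dir"
```

On server, after the scp step, the equivalent call is install_pubkey ~/id_rsa.pub ~/.ssh followed by loose_files ~/.ssh, which should print nothing.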