How to Set Up Password-less SSH Login using RSA/DSA Authentication in Fedora 11

The Goal of this tutorial

Get a secure, encrypted connection to a remote machine without typing in a password.

What is OpenSSH ?

OpenSSH is a secure way of connecting to remote computers and transferring files. The OpenSSH suite includes the following programs (among others):

  • scp - think ftp
  • sftp - think ftp
  • ssh - think telnet
  • ssh-keygen - used to generate key pairs
  • sshd - the ssh server

SSH and scp/sftp are used to replace telnet and FTP. This is necessary because FTP and telnet transfer your password over the wire in the clear. OpenSSH protects your network traffic through the use of encryption.

SSH Method of Authentication

  • Password-based Authentication - The server queries the client for the account password on the remote host. This is not the ideal method of authentication if you have a lot of remote servers and need to connect to them several times a day, because you have to type the password each time you connect.
  • Public Key Based Authentication - The public key based method requires you to generate a key pair on your local machine and copy the public key to any hosts that you want to connect to. The key pair consists of two keys: a public key and a private key. These keys are saved in your ~/.ssh directory. You should never give away your private key. You can look at the key pair as your electronic identity.

Generating the RSA key.

We will use the ssh-keygen command to generate the key.

ssh-keygen

By default, the ssh-keygen command generates an RSA key. The command asks you for a passphrase; just press Enter if you don't want to set one. Protecting the key with a passphrase is more secure, though.

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
37:fe:ed:4b:2b:e1:8a:f0:c7:5c:76:b2:51:0b:be:b0 root@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                 |
|            . .  |
|        S o. o . |
|         o..B o  |
|      .  o.* B.  |
|       o .E.=o . |
|        o....o=. |
+-----------------+

Then upload your RSA public key to the host you want to connect to without a password, using this command:

ssh-copy-id user@host

You will see the following message:

Now try logging into the machine, with "ssh 'user@host'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

You can now log in to that remote machine securely without typing any password.

Generating DSA key

Generating a DSA key is slightly different from generating an RSA key. You still use the ssh-keygen command, but you need to specify the key type with the -t option.

ssh-keygen -t dsa

You will see below that the command generates the id_dsa and id_dsa.pub files.

Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
b5:82:9b:f3:cd:ff:d3:90:ef:f1:cd:35:63:0e:af:6b root@localhost.localdomain
The key's randomart image is:
+--[ DSA 1024]----+
|                 |
|                 |
|          .      |
|       . . .     |
|      . S .    . |
|       o .    o  |
|      +      . O.|
|       o o   E*.X|
|        . o.o++==|
+-----------------+

Then upload the DSA public key using the command below.

ssh-copy-id -i /root/.ssh/id_dsa.pub user@host

You will see the following message:

Now try logging into the machine, with "ssh 'user@host'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

You can now log in to the remote host.
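
After both the RSA and the DSA upload, ssh-copy-id asks you to check .ssh/authorized_keys for keys you weren't expecting; one way to do that check is by fingerprint. The Python sketch below is an added example, not part of the original tutorial: it compares each entry against a set of expected fingerprints in the colon-separated MD5 format that ssh-keygen printed above. The function names and the sample entries are constructed for illustration (the sample blobs are filler bytes, not real keys).

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss"}  # the two key types this tutorial generates

def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 of the raw key blob, as in the ssh-keygen output above."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def parse_key_line(line: str):
    """Return (key_type, blob, comment), or None if the line holds no valid key."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok not in KEY_TYPES:
            continue  # could be an options field such as no-pty
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
        except ValueError:
            continue
        # A key blob begins with a length-prefixed copy of its type; require a match.
        if len(blob) >= 4 and blob[4:4 + struct.unpack(">I", blob[:4])[0]] == tok.encode():
            return tok, blob, " ".join(tokens[i + 2:])
    return None

def audit(text: str, expected: set) -> list:
    """Return (line_no, status, detail) for each malformed or unexpected entry."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parsed = parse_key_line(line)
        if parsed is None:
            findings.append((no, "malformed", line[:40]))
        elif (fp := md5_fingerprint(parsed[1])) not in expected:
            findings.append((no, "unexpected", f"{parsed[0]} {fp} {parsed[2]}"))
    return findings

def constructed_line(key_type: str, filler: bytes, comment: str) -> str:
    """Constructed sample entry: correct framing, filler bytes instead of key material."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + filler
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

MINE = constructed_line("ssh-rsa", b"\x01" * 32, "root@localhost.localdomain")
OTHER = constructed_line("ssh-dss", b"\x02" * 32, "unknown@elsewhere")
SAMPLE = f"# constructed sample\n{MINE}\nno-pty {OTHER}\nssh-rsa not-base64 broken\n"

if __name__ == "__main__":
    print(audit(SAMPLE, {md5_fingerprint(parse_key_line(MINE)[1])}))
```

To use it on a real host, pass the contents of ~/.ssh/authorized_keys as the text and the fingerprints printed when you generated your keys as the expected set. Newer OpenSSH releases print SHA256 fingerprints by default; `ssh-keygen -l -E md5 -f <keyfile>` shows the MD5 form.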