FAQ: The previous FAQ outlined password-less ssh setup for a single account. Another scenario where password-less ssh can be set up is between two distinct accounts. In this scenario, trust can be established one-way or two-way. Again, the question is: How can you set up password-less ssh?
One-Way Trust. A very good application for this kind of set-up is one user account (username: user) and one application account (username: appl), where the user account is "trusted" by the application account.
Begin by generating the public and private key pair with ssh-keygen. As before, leave the passphrase empty so that logins are completely password-less; the private key is then stored unencrypted and is protected only by its file permissions.
user@host:~ > ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
e8:3a:ad:11:d5:c5:89:7c:32:d6:3f:62:61:12:43:df user@host
You should see the following files inside the .ssh directory (take note of the permissions):
user@host:~/.ssh > ls -la
total 17
drwx------ 2 user users  168 2008-09-09 14:42 .
drwxr-xr-x 9 user users  688 2008-09-09 14:34 ..
-rw-r--r-- 1 user users  622 2008-09-09 14:34 authorized_keys
-rw------- 1 user users 1675 2008-09-09 08:40 id_rsa
-rw-r--r-- 1 user users  396 2008-09-09 08:40 id_rsa.pub
With the public and private key pair generated, the contents of the public key (id_rsa.pub) need to be placed inside the authorized_keys file of the application account. First copy the public key over to the home directory of the application account (enter appl's password when asked):
user@host:~/.ssh > scp id_rsa.pub appl@remote:/home/appl
Password:
id_rsa.pub 100% 396 0.4KB/s 00:00
As user "appl", create the .ssh directory with permission 700 (drwx------). A safer and easier way to accomplish this is to generate a public and private key pair as appl as well, since ssh-keygen creates the directory with the right permissions.
Then save the contents of user's public key to the authorized keys file.
appl@remote:~ > cat id_rsa.pub >> $HOME/.ssh/authorized_keys
On an initial set-up of password-less ssh, when appl has no authorized_keys file yet, the file id_rsa.pub can simply be copied to the file authorized_keys.
appl@remote:~ > cp id_rsa.pub $HOME/.ssh/authorized_keys
After doing the above steps, subsequent logins for user to appl (at host remote) will not ask for credentials. It will be password-less. One-way trust is established.
Two-Way Trust. As seen above, one-way trust can be established by adding the contents of the user's public key to appl's authorized keys. To establish the two-way trust, appl's public key needs to be added to user's authorized keys -- the "reverse".
Generate a public and private key pair for appl, if one has not been generated yet. Assuming that this was done in one of the steps above, all that needs to be done is to copy the public key to the home directory of user.
appl@remote:~/.ssh > scp id_rsa.pub user@host:/home/user
Password:
id_rsa.pub 100% 396 0.4KB/s 00:00
Likewise, save the contents of appl's public key to the authorized keys file.
user@host:~ > cat id_rsa.pub >> $HOME/.ssh/authorized_keys
Accomplishing the above steps establishes two-way trust between user and appl. If the accounts are in NIS (auto_home) or a centralized network share for home directories, trust between the accounts can be established from any machine.
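One way to script the "save the public key to the authorized keys file" step used for both one-way and two-way trust, written as an added example and not part of the original FAQ. The function name install_pubkey and the choice of mode 600 for authorized_keys are assumptions of this example; it also refuses a private key copied by mistake and does not append a key that is already trusted.

```shell
#!/bin/sh
# Added example: idempotent form of "cat id_rsa.pub >> $HOME/.ssh/authorized_keys".
# install_pubkey is a hypothetical helper name, not part of OpenSSH.
# usage: install_pubkey <public-key-file> [home-directory]
install_pubkey() {
    pub=$1
    home=${2:-$HOME}
    dir=$home/.ssh
    auth=$dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Refuse anything that is not a public key line; this catches the
    # mistake of copying id_rsa (the private key) instead of id_rsa.pub.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key, refusing" >&2; return 2
    fi
    key=$(grep -E '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+' "$pub" | head -n 1)
    [ -n "$key" ] || { echo "$pub holds no public key line" >&2; return 2; }

    # sshd (StrictModes) ignores keys under a group- or world-writable path.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Compare on "type base64" only, so a changed comment is not a new key
    # and entries carrying an options prefix are still recognised.
    id=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if grep -qF -- "$id" "$auth"; then
        echo "key already trusted in $auth"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "key added to $auth"
    fi
}

# Run directly, e.g. as appl after the scp step: sh install_pubkey.sh ~/id_rsa.pub
if [ "$#" -ge 1 ]; then install_pubkey "$@"; fi
```

Run it as the account that is granting trust (appl for one-way trust, then user for the reverse direction), and delete the copied id_rsa.pub from the home directory afterwards.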
In the next FAQ, the steps on password-less ssh from your Windows machine to your *nix machine will be outlined.