#use wml::debian::template title="How to set up ssh so you aren't asked for a password" BARETITLE=true
<p>You can create an RSA authentication key to be able to log into a remote
site from your account, without having to type your password.</p>
<p>Note that once you've set this up, an intruder who breaks into your
account/site also gains passwordless access to the remote site you are
allowed into! For this reason, this should <strong>never</strong> be
done from root.</p>
<ul>
<li>Run <code>ssh-keygen(1)</code> on your machine, and just press
Enter when asked for a passphrase.
<br>
This will generate both a private and a public key. With older
SSH versions, they will be stored in
<code>~/.ssh/identity</code> and
<code>~/.ssh/identity.pub</code>; with newer ones, they
will be stored in <code>~/.ssh/id_rsa</code> and
<code>~/.ssh/id_rsa.pub</code>.</li>
<li>Next, add the contents of the public key file into
<code>~/.ssh/authorized_keys</code> on the remote site (the file
should be mode 600).
<br>
If you are a developer and you want to access debian.org systems with
such a key, it's possible to have the developer database propagate
your key to all of the debian.org machines. See the
<a href="https://db.debian.org/doc-mail.html">LDAP gateway
documentation</a>.</li>
</ul>
<p>You should then be able to use ssh to log in to the remote server
without being asked for a password.</p>
<p><strong>Important:</strong> Note that everyone who has read access
to the private key file can use it to have the same passwordless
access to the remote site. This includes any person who has root
access to your local machine. Therefore it's strongly recommended
that you use a passphrase for your private key if you are not the only
root on your machine. You can use <code>ssh-agent(1)</code> and
<code>ssh-add(1)</code> to type your passphrase only once for all uses
of a specific key in a session. You can automatically load all your
keys in the agent by adding the following lines to your
<code>~/.xsession</code> file:</p>
<pre>
\# if use-ssh-agent is specified in /etc/X11/Xsession.options
\# (this is the default) then you need only the second line
\# eval `ssh-agent`
ssh-add &lt;filename-of-ssh-key&gt;
</pre>
<p>The <code>ssh-askpass</code> package must be installed in order to
run <code>ssh-add</code> without a terminal.</p>
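<p>The conditions this page relies on (<code>authorized_keys</code> at mode 600, private keys not accessible to other users, a passphrase on the private key) can be checked with a small script. This is an added example, not part of the original page; the function names are hypothetical, and the passphrase check assumes OpenSSH's <code>ssh-keygen</code> is installed.</p>

```shell
#!/bin/sh
# Added example (not from the original page): audit an SSH directory for the
# risks described above. Key file names are the ones the page lists.

# Succeeds when group and others have no permission bits on file $1
# (true for mode 600; false for e.g. 644 or 660).
owner_only() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Succeeds when private key $1 can be loaded with an empty passphrase.
has_no_passphrase() {
    ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# Print one finding per line for directory $1 (default: ~/.ssh).
# Returns 0 when nothing was found, 1 otherwise.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    findings=0
    if [ -f "$dir/authorized_keys" ] && ! owner_only "$dir/authorized_keys"; then
        echo "$dir/authorized_keys: accessible to group/others, expected mode 600"
        findings=$((findings + 1))
    fi
    for key in "$dir/identity" "$dir/id_rsa"; do
        [ -f "$key" ] || continue
        if ! owner_only "$key"; then
            echo "$key: private key accessible to group/others"
            findings=$((findings + 1))
        elif command -v ssh-keygen >/dev/null 2>&1 && has_no_passphrase "$key"; then
            echo "$key: no passphrase; anyone who can read this file can use it"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage: audit_ssh_dir            (checks ~/.ssh)
#        audit_ssh_dir /some/dir  (checks another directory)
```

<p>Run it on the local machine for the private keys and on the remote site for <code>authorized_keys</code>.</p>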