ssh no password problem

Chris G cl at isbd.net
Sun Aug 31 18:21:45 UTC 2008


On Sun, Aug 31, 2008 at 11:30:51AM -0400, Jorge Luis wrote:
> On Sun, 31 Aug 2008, Adel ESSAFI wrote:
> 
> > I have followed the instructions exactly but still have the same problem.
> > 
> >   135  ssh-keygen -t dsa
> >   137  cd .ssh/
> >   139  cat id_dsa.pub >> authorized_keys2
> >   141  chmod 644 authorized_keys2
> > 
> > When I do ssh localhost, I still get this
> > 
> > oar at lion:~$ ssh localhost
> > *Enter passphrase for key '/home/oar/.ssh/id_dsa':*
> 
> Perhaps what you're looking for is ssh-agent, a program that provides a
> relatively secure way of storing your ssh passphrase.  You can link the
> agent to your GNOME login keyring so that your login password will
> suffice for subsequent ssh sessions.  There are different opinions on
> the matter, but I'm not usually comfortable with passphraseless ssh
> keys.  Ssh-agent gives you the best of both worlds.  Start with man
> ssh-agent.
> 
Quite right (your diagnosis that is), if you set up for ssh
'passwordless' login then it will ask for the passphrase key.

If you want *really* passwordless login then there are two ways to do
it, both (obviously) reduce security.

1 - As above, use ssh-agent, this allows you to enter the passphrase
once for a 'session'.  A session in this context usually means an X
session.  Thus the security of your login depends on how secure your X
session is, if someone else can use your computer screen (while you're
eating lunch or whatever) they can get to your ssh logins.

2 - When you create the ssh key enter a NULL passphrase.  With a NULL
passphrase you will not get prompted for a passphrase key when you do
an ssh login and it will be totally passwordless.  Similar security
issues apply, anyone who can login as 'you' to the client ssh machine
will be able to login to the remote machine as you using ssh.

Thus, basically, if your machine is reasonably physically secure (e.g.
a home machine and you trust the rest of the family) it's not
unreasonable to use either of the above approaches.

-- 
Chris Green
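
Both options in the reply above turn on whether the private key on disk carries a passphrase. The following Python check is an added example, not part of the original thread: it reads only a key file's header to report whether the key is encrypted at rest, so an administrator can find passphraseless keys. The function names and sample keys are assumptions made up for this illustration, and the samples are constructed headers with no real key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"  # magic bytes of OpenSSH's own private-key format

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data

def is_passphrase_protected(key_text: str) -> bool:
    """True if the private-key text is encrypted at rest (header check only)."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    begin = lines[0] if lines else ""
    if begin == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # encrypted PKCS#8
        return True
    if begin == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(MAGIC)
        (n,) = struct.unpack_from(">I", blob, off)
        cipher = blob[off + 4:off + 4 + n]
        return cipher != b"none"  # ciphername "none" means no passphrase
    if begin.startswith("-----BEGIN ") and begin.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (the format older OpenSSH releases wrote for DSA/RSA keys):
        # encrypted keys carry "Proc-Type: 4,ENCRYPTED" after the BEGIN line.
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln
                   for ln in lines[1:3])
    raise ValueError("not a recognised private key")

# --- Constructed samples: headers only, no real key material ---
def sample_openssh(cipher: bytes) -> str:
    blob = MAGIC + _ssh_string(cipher) + _ssh_string(b"none") + _ssh_string(b"")
    body = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body +
            "\n-----END OPENSSH PRIVATE KEY-----\n")

SAMPLE_DSA_PLAIN = "-----BEGIN DSA PRIVATE KEY-----\nAAAA\n-----END DSA PRIVATE KEY-----\n"
SAMPLE_DSA_ENCRYPTED = (
    "-----BEGIN DSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
    "AAAA\n-----END DSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, text in [("legacy DSA, no passphrase", SAMPLE_DSA_PLAIN),
                       ("legacy DSA, passphrase", SAMPLE_DSA_ENCRYPTED),
                       ("OpenSSH format, no passphrase", sample_openssh(b"none"))]:
        print(f"{name}: protected={is_passphrase_protected(text)}")
```

A key reported as unprotected is usable by anyone who can read the file, which is the exposure described under option 2; a protected key held in ssh-agent is exposed only while the agent session is unlocked.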



