How to: Make a passwordless ssh connection between chpc( and hci(
Suppose that after we log into chpc, we want to "ssh" to hci without a password.
1. Create RSA keys (on chpc).
hello@chpc:MY_HOME>ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key ($HOME/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): MY_PASSPHRASE
Enter same passphrase again: MY_PASSPHRASE
Your identification has been saved in $HOME/.ssh/id_rsa.
Your public key has been saved in $HOME/.ssh/
The key fingerprint is:
ad:9e:ab:f9:e1:1a:a4:85:16:3b:24:5f:35:b6:76:a7 user@machine
Now we have two files under $HOME/.ssh: "id_rsa" is the private key, "" is the public key.
2. Transfer the public key to world@hci's home directory (on chpc)
hello@chpc:$HOME>scp .ssh/
3. Append the to authorized keys (on hci)
world@hci:$HOME>cat >>authorized_keys
4. Make hci accept RSA key style connections.
By default, this feature is off.
We need to modify the following lines in /etc/ssh/sshd_config (root privilege is required), changing them from
#RSAAuthentication yes
#PubkeyAuthentication yes
to
RSAAuthentication yes
PubkeyAuthentication yes
Then we need to refresh the ssh service.
>/etc/init.d/sshd restart
5. Make a test (on chpc)
>ssh -2
Enter passphrase for key '$HOME/.ssh/id_rsa':
Here we need to input the passphrase of the private key, it is . If everything goes well, we will see the welcome message:
Welcome to Ubuntu!
6. Now we need to eliminate the "passphrase" step using ssh-agent and ssh-add (on chpc)
ssh-agent is used to buffer the passphrase and keep it in memory, so we do not need to input the passphrase next time.
#start ssh-agent
>eval `ssh-agent`
#add passphrase
>ssh-add
Enter passphrase for chpc:$HOME/.ssh/id_rsa: MY_PASSPHRASE
Identity added: chpc:$HOME/.ssh/id_rsa
7. Make a test again (on chpc)
>ssh -2
Welcome to Ubuntu!
8. We can test scp (on chpc)
>scp hello.txt
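Step 3 appends the public key with a plain "cat >>". The helper below is an added example, not part of the original post: it does the same append but rejects a private key, skips a key that is already listed, and sets the owner-only permissions sshd checks. The function name install_pubkey, its arguments and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. install_pubkey is a hypothetical
# helper: install_pubkey PUBKEY_FILE SSH_DIR
# Returns 0 if the key is installed (or already was), 2 if the file is rejected.
# Usage on hci (paths are assumptions): install_pubkey "$HOME/id_rsa.pub" "$HOME/.ssh"
install_pubkey() {
    pub=$1
    dir=$2
    auth=$dir/authorized_keys

    # A private key file starts with a "-----BEGIN ..." header; never install it.
    if grep -q -e '-----BEGIN' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2
        return 2
    fi
    # Expect exactly one line of the form "type base64-blob [comment]".
    [ "$(grep -c . "$pub")" -eq 1 ] || return 2
    grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+( .*)?$' \
        "$pub" || return 2

    # Create the directory and file owner-only; sshd (StrictModes, on by
    # default) ignores authorized_keys that other users could write to.
    ( umask 077; mkdir -p "$dir" && touch "$auth" ) || return 1
    chmod 700 "$dir" || return 1
    chmod 600 "$auth" || return 1

    # Idempotent: skip if this key blob is already listed (comment may differ).
    blob=$(awk '{ print $2; exit }' "$pub")
    if grep -qF -- "$blob" "$auth"; then
        return 0
    fi
    # If the existing file lacks a final newline, add one so the new key
    # does not get glued onto the previous entry.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    # $(...) strips trailing newlines; printf puts exactly one back.
    printf '%s\n' "$(cat "$pub")" >> "$auth"
}
```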
To avoid running "eval `ssh-agent`" and "ssh-add" every time after we log into chpc, we can append eval `ssh-agent` to ~/.bash_profile, so it will start automatically next time. However, for security we still need to run 'ssh-add' manually after each login to register the passphrase. If the passphrase is empty, we do not even need ssh-agent and ssh-add, but this may bring a security risk to the private key.
We can also use "keychain" as the frontend of ssh-agent, so we do not have to create an ssh-agent for each login. With keychain, only one ssh-agent is in service no matter how many consoles we open.
>tar -jxvf keychain-2.7.1.tar.bz2
>cd keychain-2.7.1