Passwordless SSH

You can use an SSH connection without being prompted for a password. Instead of a password, this method uses a pair of public and private keys for authentication. The public key is stored on the server, and only a client that presents the corresponding private key can establish a connection. At the CS department there are two distinct use cases for passwordless SSH:

  1. From one CS machine to another CS machine
  2. From your laptop to any CS machine

1. From one CS machine to another CS machine

This is a frequent situation where you are currently logged in to a CS machine and need to access another CS machine without the need to provide a password. This is particularly useful (and necessary) when running batch jobs or scripts, such as Hadoop or Slurm.

You need to perform the following just one time and it will be set up for all CS machines.

  • Connect to a CS machine via SSH
  • Create a public/private key pair using the following commands, and leave the passphrase empty when ssh-keygen prompts for it:
cd ~/.ssh
ssh-keygen -t rsa
cat id_rsa.pub >> authorized_keys

By using the option -t rsa, you are specifying that the key type should be RSA. Other options for key types include DSA, ECDSA, and ED25519. Choose the key type that your SSH connection will use.

If you change your password because you think your account has been compromised, you should also run these commands again. (The attacker may have stolen your SSH keys.)

For further information see the man page for ssh-keygen.
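
Re-running the commands above appends the new public key with >>, so the old key's line stays in authorized_keys and a stolen private key would still be accepted. The following is an added example, not part of the original page, that replaces the old entry instead; the file names and key strings are constructed, and it assumes you kept a copy of the old id_rsa.pub before regenerating.

```shell
#!/bin/sh
# Added example. Key strings and file names below are constructed for the demo.

# key_blob FILE: print the base64 key material of the first public key in FILE
# (the field that follows the key type, e.g. "ssh-rsa AAAA... comment").
key_blob() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); exit } }' "$1"
}

# rotate_key AUTH OLD_PUB NEW_PUB: remove every AUTH entry that carries
# OLD_PUB's key material, then add NEW_PUB unless it is already listed.
rotate_key() {
    auth=$1
    old=$(key_blob "$2")
    new=$(key_blob "$3")
    [ -n "$old" ] && [ -n "$new" ] || return 2
    # Work on a temporary file in the same directory, then rename it into place.
    tmp=$(mktemp "$auth.XXXXXX") || return 1
    # Compare whole fields so options and comments on other entries are kept.
    awk -v old="$old" '{ for (i = 1; i <= NF; i++) if ($i == old) next; print }' \
        "$auth" > "$tmp"
    grep -qF -- "$new" "$tmp" || cat "$3" >> "$tmp"
    chmod 600 "$tmp" && mv "$tmp" "$auth"
}

# Demo on constructed data: two authorized keys, one of which is the stolen one.
d=$(mktemp -d)
echo 'ssh-rsa AAAAB3OLDKEYconstructed user@cs-old' > "$d/old.pub"
echo 'ssh-ed25519 AAAAC3NEWKEYconstructed user@cs-new' > "$d/new.pub"
{
    echo 'ssh-ed25519 AAAAC3LAPTOPKEYconstructed user@laptop'
    cat "$d/old.pub"
} > "$d/authorized_keys"

rotate_key "$d/authorized_keys" "$d/old.pub" "$d/new.pub"
cat "$d/authorized_keys"
```

After the run, authorized_keys holds the laptop key and the new key only; running it again changes nothing.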

2. From your laptop to any CS machine

Use this approach to SSH from your personal laptop/desktop into any CS machine without requiring a password input. Refer to the relevant tab for your operating system and follow the instructions provided.

  • Open a terminal
  • Before generating a new SSH key pair, it’s important to check if you already have an SSH key on your client machine so that you don’t overwrite your existing keys. You can run the following command to see if existing SSH keys are present:
ls -la ~/.ssh
  • If you receive a “No such file or directory” or “no matches found” message or no files get listed by the command, it means that you don’t have an SSH key, and you can proceed with generating a new one as the next step. But if you do see existing keys, you have two options - use them and skip the next step or create a backup of the old keys and generate a new one.
  • To generate a new key-pair use the following command:
ssh-keygen -t rsa

You will be prompted to either accept the default file location and name or provide a new location/name. Accept the default file location and file name by pressing the Enter key.

Enter file in which to save the key (/home/yourusername/.ssh/id_rsa):
  • Afterward, the ssh-keygen command will prompt you to enter a secure passphrase. It’s your decision whether or not you want to use a passphrase, but doing so will add an extra layer of security. If you prefer not to use a passphrase, simply press Enter.
Enter passphrase (empty for no passphrase):
  • To confirm that the SSH keys have been generated, you can use the following command to list your new private and public keys:
ls ~/.ssh/id_*
/home/yourusername/.ssh/id_rsa /home/yourusername/.ssh/id_rsa.pub
  • Having generated an SSH key pair, in order to log in to a CS machine without a password, you must copy the public key to the CS machine you wish to connect to. Use the following command to copy your public key to a CS machine. This can be any CS Linux machine to which you can log in. You will be prompted to provide your CS password.
ssh-copy-id your_CS_username@machine-name.cs.colostate.edu

If, for some reason, the ssh-copy-id utility is not present on your local computer, you can use the following command to copy the public key:
cat ~/.ssh/id_rsa.pub | ssh your_CS_username@machine-name.cs.colostate.edu "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

  • After you are authenticated, your public key will be added to the authorized_keys file in your CS user account, and the connection will be terminated.

Once you have completed the aforementioned steps, you should be able to log in to the CS machine without being prompted for a password. To test this, simply attempt to log in to a CS machine via SSH.

ssh your_CS_username@machine-name.cs.colostate.edu

You should not be prompted for a password.

  • Open a Terminal
  • Before generating a new SSH key pair, it’s important to check if you already have an SSH key on your client machine so that you don’t overwrite your existing keys. You can run the following command to see if existing SSH keys are present:
ls -la ~/.ssh
  • If you receive a “No such file or directory” or “no matches found” message or no files get listed by the command, it means that you don’t have an SSH key, and you can proceed with generating a new one as the next step. But if you do see existing keys, you have two options - use them and skip the next step or create a backup of the old keys and generate a new one.
  • To generate a new key-pair use the following command:
ssh-keygen -t rsa

You will be prompted to either accept the default file location and name or provide a new location/name. Accept the default file location and file name by pressing the Enter key.

Enter file in which to save the key (/home/yourusername/.ssh/id_rsa):
  • Afterward, the ssh-keygen command will prompt you to enter a secure passphrase. It’s your decision whether or not you want to use a passphrase, but doing so will add an extra layer of security. If you prefer not to use a passphrase, simply press Enter.
Enter passphrase (empty for no passphrase):
  • To confirm that the SSH keys have been generated, you can use the following command to list your new private and public keys:
ls ~/.ssh/id_*
/home/yourusername/.ssh/id_rsa /home/yourusername/.ssh/id_rsa.pub
  • Having generated an SSH key pair, in order to log in to a CS machine without a password, you must copy the public key to the CS machine you wish to connect to. Use the following command to copy your public key to a CS machine. This can be any CS Linux machine to which you can log in. You will be prompted to provide your CS password.
ssh-copy-id your_CS_username@machine-name.cs.colostate.edu
  • After you are authenticated, your public key will be added to the authorized_keys file in your CS user account, and the connection will be terminated.

Once you have completed the aforementioned steps, you should be able to log in to the CS machine without being prompted for a password. To test this, simply attempt to log in to a CS machine via SSH.

ssh your_CS_username@machine-name.cs.colostate.edu

You should not be prompted for a password.

  • Open a Terminal
  • Before generating a new SSH key pair, it’s important to check if you already have an SSH key on your client machine so that you don’t overwrite your existing keys. You can run the following command to see if existing SSH keys are present:
cd C:\Users\your-laptop-username\.ssh\
dir
  • If you receive a “No such file or directory” or “no matches found” message or no files get listed by the command, it means that you don’t have an SSH key, and you can proceed with generating a new one as the next step. But if you do see existing keys, you have two options - use them and skip the next step or create a backup of the old keys and generate a new one.
  • To generate a new key-pair use the following command:
ssh-keygen -t rsa

You will be prompted to either accept the default file location and name or provide a new location/name. Accept the default file location and file name by pressing the Enter key.

Enter file in which to save the key (C:\Users\your-laptop-username\.ssh\id_rsa):
  • Afterward, the ssh-keygen command will prompt you to enter a secure passphrase. It’s your decision whether or not you want to use a passphrase, but doing so will add an extra layer of security. If you prefer not to use a passphrase, simply press Enter.
Enter passphrase (empty for no passphrase):
  • To confirm that the SSH keys have been generated, you can use the following command to list your new private and public keys:
cd C:\Users\your-laptop-username\.ssh\
dir
  • Having generated an SSH key pair, in order to log in to a CS machine without a password, you must copy the public key to a CS machine you wish to connect to. This can be any CS Linux machine to which you can log in. Connect to a CS machine via SSH:
ssh your_CS_username@machine-name.cs.colostate.edu
  • After logging in, we will check whether the ~/.ssh directory exists:
ls .ssh
  • If it does not exist, we will create it:
cd; mkdir -p .ssh

Note the required dot at the beginning of the directory name, which makes this a hidden directory.

  • Now we will copy the public key. The steps depend on whether the ~/.ssh directory was already present, so follow either “A” or “B” accordingly.
    • A) If you created the ~/.ssh directory in the previous step:
      • To transfer the public key to the .ssh directory on the CS machine from your personal computer, use the following command on the command line.
        scp .ssh/id_rsa.pub your_CS_username@machine-name.cs.colostate.edu:~/.ssh/authorized_keys
        
      • If you renamed your key from id_rsa.pub, make sure to adjust the filename accordingly.
    • B) If there is already an authorized_keys file in your CS home directory, it’s crucial to append the new key to the file instead of overwriting it.
      This ensures that existing entries don’t lose access accidentally. To do this, first copy the file to the CS machine. Then, on the CS machine, use the cat command to append the new key to the existing file.
      • On your laptop:
        scp .ssh/id_rsa.pub your_CS_username@machine-name.cs.colostate.edu:~/.ssh/id_rsa_personal.pub
        
      • On the CS machine:
        cat .ssh/id_rsa_personal.pub >> .ssh/authorized_keys
        rm .ssh/id_rsa_personal.pub 
        
  • Make sure the permissions are correct; if they are not, fix them with the following commands:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Once you have completed the aforementioned steps, you should be able to log in to the CS machine without being prompted for a password. To test this, simply attempt to log in to a CS machine via SSH.

ssh your_CS_username@machine-name.cs.colostate.edu

You should not be prompted for a password.
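
The manual copy in steps A and B and the permission fix can be combined into one step that is safe to repeat. The following is an added example, not part of the original page, meant to run on the CS machine once the public key file has been copied over; the paths and key strings are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Paths and key strings below are constructed for the demo.

# install_pubkey PUBFILE SSHDIR: add PUBFILE to SSHDIR/authorized_keys.
# Covers case A (no directory or file yet) and case B (append, never overwrite).
install_pubkey() {
    pub=$1
    dir=$2
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys" || return 1
    # Skip the append when the exact line is already present (safe to re-run).
    grep -qxF -- "$(cat "$pub")" "$dir/authorized_keys" ||
        cat "$pub" >> "$dir/authorized_keys"
}

# perms_ok SSHDIR: succeed only if SSHDIR is mode 700 and authorized_keys is
# mode 600, the modes the page sets. sshd's StrictModes check (on by default)
# refuses key files that group or others can write.
perms_ok() {
    [ -n "$(find "$1" -prune -perm 700)" ] &&
        [ -n "$(find "$1/authorized_keys" -perm 600)" ]
}

# Demo on constructed data.
d=$(mktemp -d)
echo 'ssh-rsa AAAAB3LAPTOPconstructed you@laptop' > "$d/id_rsa.pub"
# Case B setup: the account already trusts another key, with loose permissions.
mkdir -p "$d/home/.ssh"
echo 'ssh-rsa AAAAB3EXISTINGconstructed you@cs' > "$d/home/.ssh/authorized_keys"
chmod 755 "$d/home/.ssh"
chmod 644 "$d/home/.ssh/authorized_keys"

install_pubkey "$d/id_rsa.pub" "$d/home/.ssh"
install_pubkey "$d/id_rsa.pub" "$d/home/.ssh"   # second run adds nothing
perms_ok "$d/home/.ssh" && cat "$d/home/.ssh/authorized_keys"
```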