[auton-users] using SSH keys to avoid typing passwords

Dan Pelleg dpelleg+ at cs.cmu.edu
Fri Oct 18 07:40:03 EDT 2002


This is a short guide to using SSH key pairs. If you do it right, it will
let you log into many machines without typing (almost) any
passwords. Unlike the way good ol' rsh used to do it (trusting hostnames
and .rhosts files), this is done securely with public-key cryptography
and is similarly very convenient once you set it up. I'm posting this so
we have it in the mailing-list archive and hopefully one day it'll find
its way to the web docs.

To start off, you need to generate a key pair: a private key and a
public key. Guard the private key very carefully. Anyone who obtains it
(and its passphrase, if it has one) can log in as you on every machine
where the public half is installed, which is like giving them your UNIX
password. The public half, on the other hand, isn't critical: it only
lets a machine recognise your key, not impersonate you, so it can be
copied around freely.

What we'll do is use our primary work machine (say, your
office desktop or your home machine) to generate a key pair.
Then we put copies of the PUBLIC key on any machine we want
to LOG IN TO. So it'll be, say, all of the lab's servers.

After this one-time setup, every time you log in to your primary work
machine, you can issue a command that says "I want to be able to use this
private key here so I'll be granted access to any machine that has its
public counterpart". You do this once (meaning once a day, if you log in
every day). After doing that you'll be able to ssh or scp to any accepting
machine and it'll work without asking for your password.

Details:

 - To generate the key-pair (you only need to do this once,
on your primary work machine):

Type:
ssh-keygen -t rsa

Just hit "enter" when it asks which file to store it in. It will
also ask for a passphrase. I recommend choosing a good one
and typing it in. However, it will not insist on it being
non-empty. A key with an empty passphrase is less secure: the private
key then sits on disk unencrypted, so anyone who can read the file
(root on that machine, or whoever breaks into it) can copy it and use
it immediately, whereas a passphrase-protected key is encrypted on disk
and is useless to a thief without the passphrase.
So my advice is to use a meaningful passphrase unless you are the
only one with root/administrator access to this machine AND you make
a continuous effort to keep it secure. Personally, I don't
use empty passwords for remote shell logins. Also see a note below
regarding AFS.

When ssh-keygen is done it will save the private key in ~/.ssh/id_rsa
and the public key in ~/.ssh/id_rsa.pub

As we said, we need to put the PUBLIC key on the remote
machine. Let's pretend it's lazy.auton.cs.cmu.edu:

Type:
scp .ssh/id_rsa.pub lazy.auton.cs.cmu.edu:

(you will have to type your NIS password here like
you always did - the thing is not working yet!)

Now, to set things up on lazy: log into lazy (again,
using your NIS password) and create the needed files. Append the key
to the authorized-keys file rather than moving it over the file, so you
don't wipe out any keys that are already there:

mkdir -p .ssh
chmod 700 .ssh
cat id_rsa.pub >> .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
rm id_rsa.pub

The permissions matter: with its default StrictModes setting, sshd
refuses to use the file (it logs "bad ownership or modes" on the server
and just falls back to asking you for a password) if ~/.ssh, the
authorized_keys file, or your home directory itself is writable by
anyone but you. So if it keeps asking for a password, "chmod go-w ~"
is the first thing to check. Older servers read ~/.ssh/authorized_keys2
instead; current OpenSSH reads both names by default, but
authorized_keys is the standard one.


There, almost done. From this point on these are the steps
you need to perform EVERY DAY (once per login session: the agent
lives only as long as the session that started it):

- you log into your primary work machine
- type:
eval `ssh-agent`

note that these are *backticks* (eval $(ssh-agent -s) is the same
thing in a modern shell). ssh-agent just prints a few shell commands;
the eval runs them, setting SSH_AUTH_SOCK and SSH_AGENT_PID in your
shell so that ssh can find the agent. If you skip the eval, the agent
runs but nothing can reach it.
- type:
ssh-add .ssh/id_rsa
- type the passphrase you gave to the key generator above (if
it was empty, you won't need to). From now on the agent holds the
decrypted key in memory and answers the servers' challenges for you.
"ssh-add -l" lists the keys the agent currently holds, which is the
first thing to check if a login unexpectedly asks for a password.
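The whole procedure above, scripted: installing the public key on the machine you log in to (the one-time step) and starting the agent and loading the key (the daily step). This is an added example, not code from Dan's post. The function names are my own; install_pubkey takes the public key file and the target account's home directory (a scratch directory is fine for trying it out), and start_agent assumes OpenSSH's ssh-agent and ssh-add are installed. It goes a little beyond the post: the install is idempotent (running it twice does not duplicate the key), it rejects files that are not public keys, and it fixes the permissions StrictModes checks rather than only those of .ssh.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes OpenSSH's ssh-agent
# and ssh-add for the daily step; the function names are my own.

# One-time step on the machine you LOG IN TO: install a public key into
# authorized_keys without clobbering keys already there, with the
# permissions sshd's StrictModes requires.
#   $1 = public key file (e.g. id_rsa.pub as copied over by scp)
#   $2 = home directory of the account (defaults to $HOME)
install_pubkey() {
    pub=$1
    home=${2:-$HOME}
    sshdir=$home/.ssh
    auth=$sshdir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    # Refuse anything that does not look like an OpenSSH public key line
    # ("<keytype> <base64 blob> [comment]", as ssh-keygen writes it).
    grep -Eq '^(sk-)?(ssh-(rsa|ed25519|dss)|ecdsa-sha2-[a-z0-9]+)(@openssh\.com)? [A-Za-z0-9+/=]+' "$pub" \
        || { echo "$pub does not look like a public key" >&2; return 1; }

    chmod go-w "$home"      # StrictModes: home must not be group/world-writable
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$auth"
    chmod 600 "$auth"

    # Append only if this exact key line is not already present (idempotent).
    if ! grep -qxF "$(cat "$pub")" "$auth"; then
        cat "$pub" >> "$auth"
    fi
}

# Number of keys in an authorized_keys file (ignores blank and comment lines).
count_keys() {
    grep -v '^#' "$1" | grep -c .
}

# Daily step on your primary work machine: start an agent only if none
# is reachable, then load the key. Reusing an existing agent avoids
# leaving one orphaned ssh-agent behind per login.
start_agent() {
    key=${1:-$HOME/.ssh/id_rsa}
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 2 ]; then   # exit status 2: could not contact an agent
        eval "$(ssh-agent -s)" >/dev/null
    fi
    ssh-add "$key"             # prompts for the passphrase, if the key has one
}

# Usage on the target machine:  install_pubkey ~/id_rsa.pub
# Usage on your work machine:   start_agent ~/.ssh/id_rsa
```

Note that start_agent distinguishes "no agent reachable" (ssh-add -l exits 2) from "agent running but empty" (exit 1), so sourcing this from your shell startup file does not spawn a fresh agent on every new terminal.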


