Setting Up Password-less Logins with SSH

The purpose of this document is to describe how to setup password-less logins between your desktop/laptop/office computer (running GNU/Linux), Enigma (the main department server and the head node for the cluster). If you run Cygwin on a Windows machine, then you can treat your computer as a GNU/Linux machine. Cygwin uses OpenSSH. Similarly, recent Apple computers running OS X use OpenSSH and the instructions for GNU/Linux can be applied.

You can check the version of your SSH program by typing ssh -V. On a relatively recent GNU/Linux distribution, it should say something like

 
zooey:> ssh -V
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003

enigma:> ssh -V
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f

Create Public/Private Keys

Note: If you have already generated public/private keys via ssh-keygen then you can skip this section and go on to "Setting up Logins". If you run ssh-keygen you will overwrite any keys that were generated previously.

On each computer that you routinely use run the command ssh-keygen -t dsa. This command creates public and private cryptography keys that can be used for authentication/login. During this process you will be prompted with some questions. Just hit ENTER until you get your command prompt back. In particular, you don't need to specify a passphrase. Just leave it blank.

• On a GNU/Linux system (such as Enigma) running OpenSSH you will see the files id_dsa, your private key, and id_dsa.pub, your public key.

You can look at your public key (it is an ASCII file) but it will appear as as bunch of random characters.

[Note: If you absolutely must use SSH protocol 1, you can create keys using ssh-keygen -t rsa1. If you don't know what this means, don't worry about it.]

Setting up Logins

• I want to login to Enigma from my desktop/laptop/office computer (which is running GNU/Linux). First create your public/private keys using ssh-keygen -t dsa. If you've already done this once before you should NOT do it again. Change to your .ssh directory with cd ~/.ssh. There should be a file id_dsa.pub which is your public key file.

  Copy your public key to Enigma, using scp:

  scp id_dsa.pub enigma.biostat.jhsph.edu:.ssh/id_dsa-zooey.pub
  

  where you can replace zooey with the name of your computer. When running scp you will be prompted for your password. Now login to Enigma and cd to the .ssh directory. Add the contents of the public key file from your desktop/laptop/office computer to the authorized_keys file. If an authorized_keys file does not already exist, you will have to create one using a text editor.
  
  

  If you already have an authorized_keys file and want to add the new public key file without using a text editor, type (at the command line):

  cat authorized_keys id_dsa-zooey.pub > tmp_authorized
  mv tmp_authorized authorized_keys
  chmod 600 authorized_keys
  

  
  
  
• I want to login to Enigma from my Windows machine using commercial SSH (from ssh.org).
  1. ssh to Enigma using your ssh.org program (using your password)
  2. click on "edit" then "settings" then in the left panel "gobal settings" then "keys"
  3. click on "generate new"
  4. key type "dsa" key length "2048"
  5. give it a name, don't use a passphrase
  6. click on "upload public key"
  7. you want the directory "ssh2" and authorization file "authorization" (the default settings I think) it appends to your authorization file if it is already there
  8. click finish

  You want to set up Enigma as a profile where the authentication method is "public key" otherwise if you use "quick connect", make sure to change the "authentication method" box to "public key" .

Troubleshooting

If you set up passwordless login and you are still being asked for a password, then you may have to fix the permissions of your .ssh directory. This shouldn't happen on enigma, but it does happen occasionally on other machines. The sshd daemon requires that the .ssh be readable by user and group only, not by others. To fix the permissions, execute the following command on the machine that you are trying to log into:

	
		chmod o-rwx ~/.ssh