Q. How do you set up SSH with DSA public key authentication? I have a Linux laptop called tom and a remote Linux server called jerry. How do I set up DSA-based authentication so I don't have to type a password?
A. DSA public key authentication is established on a per-system, per-user basis, i.e. it is not system-wide. You will be setting up ssh with DSA public key authentication for SSH version 2 on two machines:
#1 machine : your laptop called tom
#2 machine : your remote server called jerry
Command to type on your laptop/desktop (local computer)
First, log in to the local computer called tom and type the following command.
Step #1: Generate DSA Key Pair
Use ssh-keygen command as follows:
$ ssh-keygen -t dsa
Output:
Enter file in which to save the key (/home/vivek/.ssh/id_dsa): Press [Enter] key
Enter passphrase (empty for no passphrase): myPassword
Enter same passphrase again: myPassword
Your identification has been saved in /home/vivek/.ssh/id_dsa.
Your public key has been saved in /home/vivek/.ssh/id_dsa.pub.
The key fingerprint is:
04:be:15:ca:1d:0a:1e:e2:a7:e5:de:98:4f:b1:a6:01 vivek@vivek-desktop
Caution: a) Please enter a passphrase different from your account password and confirm the same.
b) The public key is written to /home/you/.ssh/id_dsa.pub.
c) The private key is written to /home/you/.ssh/id_dsa.
d) It is important you never-ever give out your private key.
Step #2: Set directory permission
Next, make sure you have the correct permissions on the .ssh directory:
$ cd
$ chmod 755 .ssh
Step #3: Copy public key
Now copy file ~/.ssh/id_dsa.pub on Machine #1 (tom) to remote server jerry as ~/.ssh/authorized_keys:
$ scp ~/.ssh/id_dsa.pub user@jerry:.ssh/authorized_keys
Command to type on your remote server called jerry
Log in to your remote server and make sure the permissions are set correctly:
$ chmod 600 ~/.ssh/authorized_keys
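The server-side half of Step #3, written as an added example (it is not part of the original tutorial). The helper name install_pubkey and the temporary file name are hypothetical; the function appends to ~/.ssh/authorized_keys instead of overwriting it, creates ~/.ssh when it is missing, and uses mode 700 for the directory, which is stricter than the 755 shown in Step #2.

```shell
#!/bin/sh
# Added example: install_pubkey is a hypothetical helper, not an OpenSSH tool.
# Usage on jerry, after copying the key under a temporary (example) name:
#   scp ~/.ssh/id_dsa.pub user@jerry:id_dsa.pub.tom
#   sh install_pubkey.sh ~/id_dsa.pub.tom "$HOME"
install_pubkey() {
    pub=$1          # public key file to authorize
    home=$2         # home directory of the account being configured
    dir=$home/.ssh
    auth=$dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    # Refuse a PEM private key copied by mistake (id_dsa instead of id_dsa.pub).
    if grep -q -e '-----BEGIN' "$pub"; then
        echo "$pub looks like a private key, refusing" >&2
        return 2
    fi

    # Create ~/.ssh if it does not exist; 700/600 keep other users out.
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    touch "$auth" || return 1
    chmod 600 "$auth" || return 1

    key=$(head -n 1 "$pub")
    # Already authorized (exact whole-line match): nothing to do.
    if grep -q -x -F -e "$key" "$auth"; then
        return 0
    fi
    # If the existing file lacks a final newline, add one so the new key
    # does not get glued onto the previous line.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
}

# Run only when called with both arguments.
if [ "$#" -eq 2 ]; then
    install_pubkey "$1" "$2"
fi
```

Running it twice with the same key leaves a single entry, so it is safe to repeat.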
Task: How do I login from client to server with DSA key?
Use scp or ssh as follows from your local computer:
$ ssh user@jerry
$ ssh user@remote-server.com
$ scp file user@jerry:/tmp
You will still be asked for the passphrase for the DSA key file each time you connect to the remote server called jerry, unless you did not enter a passphrase when generating the DSA key pair.
Task: How do I login from client to server with DSA key but without typing a passphrase i.e. password-less login?
Type the following command at shell prompt:
$ exec /usr/bin/ssh-agent $SHELL
$ ssh-add
Output:
Enter passphrase for /home/vivek/.ssh/id_dsa: myPassword
Identity added: /home/vivek/.ssh/id_dsa (/home/vivek/.ssh/id_dsa)
Type your passphrase once. Now, you should not be prompted for a password whenever you use the ssh, scp, or sftp command.
If you are using a GUI such as GNOME, use the command:
$ ssh-askpass
OR
$ /usr/lib/openssh/gnome-ssh-askpass
To save your passphrase during your GNOME session under Debian / Ubuntu, do as follows:
a) Click on System
b) Select Preferences
c) Select Session
d) Click on New
e) Enter "OpenSSH Password Management" in the Name text area
f) Enter /usr/lib/openssh/gnome-ssh-askpass in the command text area.

g) Click on close to save the changes
h) Log out and then log back into GNOME. After GNOME is started, a dialog box will appear prompting you for your passphrase. Enter the passphrase requested. From this point on, you should not be prompted for a password by ssh, scp, or sftp.
Last Updated: 05/22/07



{ 27 comments… read them below or add one }
Try ssh-copy-id to copy your keys.
Vivek,
A small suggestion. Instead of
scp ~/.ssh/id_dsa.pub user@jerry:.ssh/authorized_keys
It is better to copy it in some other name and append the contents of the authorized_keys file with the contents of the id_dsa.pub file.
This way if there are any existing keys in the file, it will not get overwritten.
ricc
Kiran and ricc.
Good suggestions.
Appreciate your posts!
Hi,
I am trying to connect from a UNIX machine to a Windows SSH server without a password entry.
I tried the steps above but I have no luck in doing it.
Any suggestions?
It works as fine as clear it is…..
Thanks
I have tried this several times. Doesn't seem to work. What am I missing? Can someone try it out on the same m/c with two different a/cs and confirm it again?
Thanks. Useful.
Hi Experts,
Password-less login information is really helpful, however it does not fulfil my requirement.
I have more than 200 machines in my network running Linux and I want to be able to ssh to each one of them using their IP address from a file and then run some commands inside each and then log out.
Now, using key-gen is not practical for me and I do not want to install the "expect" utility due to some reason.
Please tell me if there is any way to supply ssh password using bash scripting? I know supplying the password in script might not be very secure, but still I want to do it this way. I shall be grateful for any help.
Regards, R.
Well, there is no such need of doing login and executing commands; you can just send the commands to the other machines
eg
ssh -i publicKeyFile 192.168.XXX.XXX "poweroff"
Just put this in a loop and put some variable for the XXX values, which has to be modified in each iteration based on your network IP addresses.
This command needs to be executed on Tom. I think that's where some might have gotten confused when trying to do no password.
$ exec /usr/bin/ssh-agent $SHELL
$ ssh-add
Thank you so much for the nice post
Really very useful & crystal clear explanation…!
Thanks for sharing your knowledge…!
In the 3rd step, before you execute the following command:
scp ~/.ssh/id_dsa.pub user@jerry:.ssh/authorized_keys
you need to make sure that the home dir in jerry (remote computer) has a .ssh folder. Otherwise, you need to create this folder in the remote computer before executing the above command.
Dear Experts,
I have one HP and other Solaris, say hp1 and sol1
Created DSA key in hp1 populated public key to sol1 and appended in authorized_keys
But while I am doing ssh it is asking password.
During troubleshooting it was showing the following output:
bash$ sftp -v -v -v m1user@sol1
Connecting to sol1…
OpenSSH_4.3p2-hpn, OpenSSL 0.9.7i 14 Oct 2005
HP-UX Secure Shell-A.04.30.000, HP-UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug3: RNG is ready, skipping seeding
debug2: ssh_connect: needpriv 0
debug1: Connecting to sol1 [10.23.45.67] port 22.
debug1: Connection established.
debug1: identity file /batch/.ssh/id_rsa type -1
debug3: Not a RSA1 key file /batch/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /batch/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.1
debug1: no match: Sun_SSH_1.1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2-hpn
debug2: fd 5 setting O_NONBLOCK
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: i-default
debug2: kex_parse_kexinit: i-default
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 142/256
debug2: bits set: 506/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /batch/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /batch/.ssh/known_hosts
_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'sol1' is known and matches the RSA host key.
debug1: Found key in /batch/.ssh/known_hosts:1
debug2: bits set: 514/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /batch/.ssh/known_hosts/id_rsa (0)
debug2: key: /batch/.ssh/known_hosts/id_dsa (4002ecf8)
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug3: start over, passed a different list gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /batch/.ssh/known_hosts/id_rsa
debug3: no such identity: /batch/.ssh/known_hosts/id_rsa
debug1: Offering public key: /batch/.ssh/known_hosts/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
Please provide your feedback
Thanks in advance
Nazoor
I’ve set up ssh with DSA public key authentication to be able to scp without a password. I’ve got a script that I run from a Red Hat Linux box (v.4 64-bit) that uses scp to copy a couple of files to a Solaris box, which works fine without a password. (It also works copying to a Mac OSX box.) However, the exact same script doesn’t work when I try to call it from a cron job.
The relevant differences of the very verbose log files from (1.) the successful command-line scp and (2.) the failed cron job scp are below. Do you have any ideas of how to get my cron scp job to work? I notice that the unsuccessful script run from the cron job looks in .ssh/identity and .ssh/id_rsa first (for a private key?) before looking in .ssh/id_dsa. Though the script run from the cron job eventually accepts the public key, the PEM_read_PrivateKey fails immediately thereafter and the copy fails. Conversely, and successfully, the same script called from the command line checks in .ssh/id_dsa first and succeeds with the publickey authentication (without ever looking at .ssh/identity and .ssh/id_rsa twice!) I'd very much appreciate any help you may be able to lend. Thanks very much.
1. Successful scp called from command-line script
2. Unsuccessful scp called from cron-job script
Make sure your remote ~/.ssh/authorized_keys or ~/.ssh/authorized_keys2 file is in correct format and there is no additional string attached / appended after a public key (except another public key).
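A format check of the kind this reply describes, as an added example that is not part of the original thread. The function name check_authorized_keys and the sample file are constructed for illustration; the check flags lines with no key type or no key blob, and marks ssh-dss (DSA) entries as weak because OpenSSH 7.0 and later disable that key type by default.

```shell
#!/bin/sh
# Added example, not from the original page.
# check_authorized_keys FILE prints "<line> ok|weak|bad <detail>" for every
# key line and returns non-zero if any line is bad.
check_authorized_keys() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines are fine
    {
        kt = 0                              # field index of the key type
        # Options such as from="..." may come first, so scan every field.
        for (i = 1; i <= NF; i++)
            if ($i ~ "^(ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$") {
                kt = i; break
            }
        if (kt == 0) { print NR, "bad", "no key type"; bad = 1; next }
        # Every SSH public key blob is base64 text that starts with AAAA.
        if (kt == NF || $(kt + 1) !~ "^AAAA[A-Za-z0-9+/]+=*$") {
            print NR, "bad", "missing or malformed key blob"; bad = 1; next
        }
        if ($kt == "ssh-dss")
            print NR, "weak", "ssh-dss is disabled by default since OpenSSH 7.0"
        else
            print NR, "ok", $kt
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: two valid keys, one DSA key, a pasted PEM header, and
# a key that an editor wrapped across two lines. The blobs are fake.
sample_authorized_keys() {
    cat <<'EOF'
# constructed sample file
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ== old@host
ssh-dss AAAAB3NzaC1kc3MAAACBAK== vivek@tom
-----BEGIN DSA PRIVATE KEY-----
from="10.0.0.5" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA== backup@tom
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQAB wrapped@host
EOF
}

# "sh check.sh --demo" runs the check on the sample; "sh check.sh FILE" on FILE.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); sample_authorized_keys > "$f"
    check_authorized_keys "$f"; rm -f "$f"
elif [ -n "${1:-}" ]; then
    check_authorized_keys "$1"
fi
```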
@ Milan:
I had the same problem but was able to rectify it by adding option -i to my scp command and pointing it to my user's identity file like so:
scp -B -i /home/my_user filename_to_transfer.txt my_user@remote.host:
I think that without specifying my_user's identity file, it defaults to the cron user's, which would cause an authentication failure.
Hope this helps.
Paul,
Thanks for the suggestion, which I’m guessing just might do the trick. I think I tried using -B without luck but I didn’t try -i. Coincidentally, I finally resolved the impasse just yesterday by giving up on DSA and switching to RSA authentication! Thanks again for the very relevant help.
I have followed these steps to the letter, and I am still getting these errors:
Please help!!
I installed OpenSSH on my windows PC (jerry here).
I have a unix box (tom here).
I’ve done all the steps mentioned here.
But when I'm trying to sftp from the unix box to the Windows PC, it is again asking for password.
Is this because the remote server is a windows pc with openSSH installed on it?
Kindly help.
I am trying to login from a solaris box (local machine : daytona) to solaris box (remote machine : voltest).
my username in daytona : bpadhy
I tried to login to the voltest using the below command
sftp beaadm@10.188.45.136
but it still asks for password.
Can anyone help me in this regard.
Hi, I followed the exact steps and in the same session I was able to do a password less login. But when I opened a new session, I couldn't do it until I again typed:
$ exec /usr/bin/ssh-agent $SHELL
$ ssh-add
Do I need to type this in every new session? If yes, then it doesn't serve the purpose.
@Neetu, use keychain.
Excellent tip, thanks!
It should be pointed out that the tutorial, as is, will NOT work with backup scripts which is probably the primary reason many of us came to this link. This will allow you to log in during a session without a password.
There needs to be clear instructions on scripting and backups using keys for this tutorial to ROCK. Great information and I don't mean to be coarse or an ungrateful bastard, this is a great site …however. Do we need keychain for this functionality? I hope the answer is no because keychain is a PITA.
Thanks ~
Bub
Hi, I have two machines. From machine 1 I am trying to do password less ssh to machine 2. Generated a dsa key on machine 1 user/.ssh folder. I got private and public dsa keys there. Copied the content of pub key file and pasted it to machine2 user/.ssh folder authorized_key file in the end.
But now when trying to login from machine 1 to machine 2 it asks for password; verbose mode gives below in short.
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /var/smarthkp/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug1: Offering public key: /var/smarthkp/.ssh/id_dsa_s3c
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug1: Trying private key: /var/smarthkp/.ssh/identity
debug3: no such identity: /var/smarthkp/.ssh/identity
debug1: Trying private key: /var/smarthkp/.ssh/id_rsa
debug3: no such identity: /var/smarthkp/.ssh/id_rsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
Please help….
I followed the procedure and it's perfect.
I have another question.
Requirements: I want to assign my root account with a DSA key so that only with that specific DSA
can use the root account
How can I achieve this?
Thanks