ssh or scp without password

You can prevent ssh asking for a password by using a signature key. You first generate a key pair for your computer, then you copy the public part of it to the remote computer. From then on, you'll be able to ssh (or scp) from your computer to the remote computer without specifying a password.

Generate the key pair

ssh-keygen -t dsa

The -t flag specifies the type, in this case the DSA algorithm. Other available types are rsa1 and rsa, which correspond to the RSA algorithm for the old SSH1 and the newer SSH2 protocols respectively. Avoid rsa1 unless you have to, because it's less secure, and stick with either rsa or dsa. It makes little difference for this purpose whether you use RSA or DSA (there is much debate about which is "better" - just do an Internet search for rsa vs dsa), but I tend to use DSA because it was designed for signing (it doesn't do encryption) and RSA keys are subject to some ridiculous US export restrictions.

ssh-keygen will prompt you for the location in which to store the key (just hit enter to use the default) and a password with which to encrypt the key. If you specify a password, then you'll be prompted for it when you ssh unless you set up an SSH agent to enter the password for you (see later).

File permissions

The keys are normally stored in the .ssh directory. Make sure that only your user has access to the directory and that the private keys inside the directory (e.g. id_dsa) cannot be read by anyone else. It is ok for the public keys to be readable by others (but not writable) because you're going to distribute them anyway.

steph@local ~ $ ls -la .ssh
total 20
drwx------  2 steph users  136 Nov 16  2006 .
drwxr-xr-x 78 steph users 3952 Apr 17 16:12 ..
-rw-------  1 steph users 1675 Nov 16  2006 id_rsa
-rw-r--r--  1 steph users  397 Nov 16  2006 id_rsa.pub
-rw-r--r--  1 steph users 5266 Apr 10 14:36 known_hosts
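The following audit function checks a .ssh directory against exactly the rules above (directory 700, private keys 600, nothing else writable by group or others). It is an added example, not part of the original page, and assumes GNU coreutils (stat -c), i.e. a typical Linux host; the function name is mine.

```shell
#!/bin/sh
# check_ssh_perms [DIR]: audit DIR (default ~/.ssh) for the permission rules
# described above. Prints one line per problem and returns the number of
# problems found, so 0 means the directory is clean.
# Assumes GNU coreutils (stat -c '%a').
check_ssh_perms() {
    dir="${1:-$HOME/.ssh}"
    problems=0

    # The directory itself must be accessible by the owner only.
    mode=$(stat -c '%a' "$dir") || return 1
    if [ "$mode" != "700" ]; then
        echo "$dir: mode $mode, expected 700"
        problems=$((problems + 1))
    fi

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        case "$(basename "$f")" in
            *.pub)
                # Public keys may be world-readable but never group/other writable.
                case "$mode" in
                    ??[2367]|?[2367]?)
                        echo "$f: writable by group/others (mode $mode)"
                        problems=$((problems + 1)) ;;
                esac ;;
            identity|id_*)
                # Private keys (identity, id_dsa, id_rsa, ...): owner read/write only.
                if [ "$mode" != "600" ]; then
                    echo "$f: private key mode $mode, expected 600"
                    problems=$((problems + 1))
                fi ;;
            *)
                # authorized_keys*, known_hosts etc.: readable is fine, writable is not.
                case "$mode" in
                    ??[2367]|?[2367]?)
                        echo "$f: writable by group/others (mode $mode)"
                        problems=$((problems + 1)) ;;
                esac ;;
        esac
    done
    return "$problems"
}
```

Run it as `check_ssh_perms` (or `check_ssh_perms /path/to/.ssh`) and fix anything it lists with chmod before trying key-based logins.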

Copy the public key to the remote computer

On the remote computer, create a .ssh directory in your user's home directory (if it doesn't already exist). Make sure it is not accessible by anyone other than your user:

cd ~
mkdir .ssh
chmod 700 .ssh

Copy the contents of your public key (e.g. id_dsa.pub) into a file called authorized_keys2 in this .ssh directory. Use a file called authorized_keys1 if you are using the old SSH1 protocol. You can put as many keys as you like into this file - just put each key on its own line.

The public key will look something like this:

ssh-dss <base64-encoded key data> steph@local

Make sure this file is not writable by anyone but your user.

steph@remote ~ $ ls -la .ssh
total 12
drwx------   2 steph users 4096 Apr 17 14:40 .
drwx--x--x  30 steph users 4096 Apr 17 14:40 ..
-rw-------   1 steph users  794 Apr 17 14:40 authorized_keys2
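The steps above, done by a function that sanity-checks the key line, creates the directory and file with the right permissions, and skips a key that is already present so repeated runs never produce duplicate lines. This is an added example, not code from the original page; the function name and the constructed sample key in the usage are mine, and it assumes a POSIX sh with awk.

```shell
#!/bin/sh
# add_authorized_key PUBKEY_FILE [SSH_DIR] [AUTH_FILE_NAME]
# Appends the single key line in PUBKEY_FILE to SSH_DIR/AUTH_FILE_NAME
# (default ~/.ssh/authorized_keys2) unless that key is already there.
add_authorized_key() {
    pubkey_file="$1"
    ssh_dir="${2:-$HOME/.ssh}"
    auth_file="$ssh_dir/${3:-authorized_keys2}"

    # A public key file holds one line: "<type> <base64 data> [comment]".
    key_line=$(head -n 1 "$pubkey_file") || return 1
    case "$key_line" in
        ssh-dss\ *|ssh-rsa\ *) ;;
        *) echo "unrecognised key type in $pubkey_file" >&2; return 1 ;;
    esac
    key_type=${key_line%% *}
    rest=${key_line#* }
    key_blob=${rest%% *}
    case "$key_blob" in
        ""|*[!A-Za-z0-9+/=]*)
            echo "key data in $pubkey_file is not base64" >&2; return 1 ;;
    esac

    # Directory 700 and file 600, as the listing above shows.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Compare on type and key data only, so a changed comment is not a new key.
    if awk -v t="$key_type" -v b="$key_blob" \
           '$1 == t && $2 == b { f = 1 } END { exit !f }' "$auth_file"; then
        echo "key already present in $auth_file"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "added $key_type key to $auth_file"
}
```

Copy your id_dsa.pub to the remote host by any means you like, then run `add_authorized_key id_dsa.pub` there; running it again is harmless.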

Now, if you created a key without a password, you should be able to ssh from your computer to the remote computer without being prompted for a password. If you created a key with a password, then you'll have to use an SSH agent to enter it for you...

SSH agent

The next step is to prime an ssh agent, which you can do using the following script. You'll have to input your key's password when it's primed, hence it's best to run this script automatically when your computer starts.

ssh_prime_agent.sh:

#!/bin/bash
#
# Creates an ssh-agent, writes the agent's environment settings
# to the file '~/.ssh-agent-info-`hostname`' and then prompts the
# user for the key passphrases.  Any shell can then use the agent
# by sourcing the contents of ~/.ssh-agent-info-`hostname`
# with the following command:
#  . ~/.ssh-agent-info-`hostname`

# Prime the SSH agent.
ssh_info_file=~/.ssh-agent-info-`hostname`
ssh-agent > "$ssh_info_file"
# The file names the agent's socket, so keep it readable by you only.
chmod 600 "$ssh_info_file"
source "$ssh_info_file"
# Add whichever of the standard key files exist; ssh-add prompts for each passphrase.
for i in identity id_dsa id_rsa
do
    [ -f ~/.ssh/$i ] && ssh-add ~/.ssh/$i
done

The script creates a file called .ssh-agent-info-`hostname`. Once the agent has been primed you must attach it to the terminal process (so that ssh gets the passphrase from the agent rather than from you) by executing the following:

. ~/.ssh-agent-info-`hostname`

You can now use ssh (or scp) without entering a password - the agent will essentially enter it for you.

Scripts

Since we can now ssh without a password, we can use it in automated scripts.

As an example, the script below uses scp to copy a number of files (file1, file2, file3) as user username from a computer with host name the.computer.hostname to the local directory. You will only have to enter the password once, when the ssh agent is primed, and from then on it will work without asking you for a password.

It primes the ssh agent using the ssh_prime_agent.sh script, which it expects to be in the current directory. If you've already primed the agent at system startup then remove the line that does this.

#!/bin/bash
# Gets files from the computer with host name 'the.computer.hostname' as user 'username'.
# This will only work if you've generated your public/private keys on your local
# machine in the ~/.ssh/ directory and copied the public key into the
# ~/.ssh/authorized_keys file on the.computer.hostname.
# See http://www.cvrti.utah.edu/~dustman/no-more-pw-ssh/

# Prime the SSH agent (remove this line if the agent is already primed at system startup).
./ssh_prime_agent.sh

# Attach the agent to the terminal process (so that ssh gets the passphrase from the agent rather than the user).
# Note that this file was created when the agent was primed.
. ~/.ssh-agent-info-`hostname`

# Copy the files.
scp username@the.computer.hostname:file1 .
scp username@the.computer.hostname:file2 .
scp username@the.computer.hostname:file3 .

Last modified: 17/04/2008 Tags: (none)

This website is a personal resource. Nothing here is guaranteed correct or complete, so use at your own risk and try not to delete the Internet. -Stephan
