Custom Passwordless SSH Access
Author: John on January 06, 2015
When I created my Digital Ocean VPS I setup SSH Keys for both my main laptop and desktop computers. I grabbed the appropriate contents from my .pub file and pasted that information on the web form for 'Add SSH Key' under the SSH Keys menu of my droplet. However, I noticed that each time I would ssh to my server I would be required to input my password.
In this blog posting I will illustrate how I solved this issue and why the word 'custom' appears in the title. There are many websites that cover how to setup passwordless ssh login. For example, Digital Ocean has a nice posting: here.
However, those instructions, and other like it, assume a plain-vanilla setup. Of course, I dare to be different. For example, before I started to solve this puzzle, my ~/.ssh directory had the following:
➜ .ssh ls -la
total 88
drwx------ 11 jfhogarty staff 374 Jan 6 18:36 .
drwxr-xr-x+ 93 jfhogarty staff 3162 Jan 6 20:10 ..
-rw-r--r--@ 1 jfhogarty staff 6148 Mar 9 2013 .DS_Store
-rw------- 1 jfhogarty staff 1766 Mar 2 2013 id_rsa
-rw-r--r-- 1 jfhogarty staff 400 Mar 2 2013 id_rsa.pub
-rw------- 1 jfhogarty staff 668 Apr 20 2014 jh-mbp_id
-rw-r--r-- 1 jfhogarty staff 614 Apr 20 2014 jh-mbp_id.pub
-rw-r--r-- 1 jfhogarty staff 7162 Jan 5 21:17 known_hosts
➜ .ssh
The id_rsa (private file) and the id_rsa.pub (public file,) are your normal files one would find. But I've implemented a 'best-practice' adopted from my day job and I create specific key files for different types of access. For example, following the instructions in the link above, from the Digital Ocean article, I created the following:
-rw------- 1 jfhogarty staff 668 Jan 5 21:11 do_id_dsa
-rw-r--r-- 1 jfhogarty staff 614 Jan 5 21:11 do_id_dsa.pub
If you follow the steps from the link, there is one thing that you may need to do in addition to their steps. Some systems require that you change the file permissions for the authorized_keys file located on your target computer. For example, the following is how I have the permissions set on my VPS:
➜ .ssh ls -la
total 12
drwx------ 2 jfhogarty jfhogarty 4096 Jan 5 21:16 .
drwxr-xr-x 11 jfhogarty jfhogarty 4096 Jan 6 20:14 ..
-rw------- 1 jfhogarty jfhogarty 614 Jan 5 21:14 authorized_keys
➜ .ssh
I adjusted the permissions using the following syntax:
chmod 600 authorized_keys
After creating the new keys on my laptop, and updating the authorized_keys file on the remote server, I thought surely I should now be able to login without using a password. I was wrong! The remote server continued to prompt me for my password. I decided to call it a night as it was getting late.
While working on a VM issue today for my day job, my internal lightbulb went off and I realized what the problem was. Lets take a fresh look at the .ssh directory of my laptop:
sh ls -la
total 88
drwx------ 11 jfhogarty staff 374 Jan 6 18:36 .
drwxr-xr-x+ 93 jfhogarty staff 3162 Jan 6 20:21 ..
-rw-r--r--@ 1 jfhogarty staff 6148 Mar 9 2013 .DS_Store
-rw------- 1 jfhogarty staff 668 Jan 5 21:11 do_id_dsa
-rw-r--r-- 1 jfhogarty staff 614 Jan 5 21:11 do_id_dsa.pub
-rw------- 1 jfhogarty staff 1766 Mar 2 2013 id_rsa
-rw-r--r-- 1 jfhogarty staff 400 Mar 2 2013 id_rsa.pub
-rw------- 1 jfhogarty staff 668 Apr 20 2014 jh-mbp_id
-rw-r--r-- 1 jfhogarty staff 614 Apr 20 2014 jh-mbp_id.pub
-rw-r--r-- 1 jfhogarty staff 7162 Jan 5 21:17 known_hosts
➜ .ssh
The keen eye might notice that I now have three sets of private/public keys. However, when I was typing ssh myhostname.com ssh didn't know which files to use, if any. I was able to prove my theory by trying the following:
ssh -p 9986 -i ~/.ssh/do_id_dsa myhostname.com
And BAM! No password required to login. I was on to a solution. When I had my lightbulb moment, I had remembered that I needed to create a config file in the .ssh directory on my laptop. Lets take a look at it:
➜ .ssh cat config
Host 10.11.12.13
IdentityFile ~/.ssh/do_id_dsa
Protocol 2
Host myhostname.com
IdentityFile ~/.ssh/do_id_dsa
Protocol 2
➜ .ssh
NOTE: To protect the innocent, the IP Address and *.com name above are fake. Please substitute those values for your real IP Address and/or domain name.
And that is how I solved my customized passwordless ssh access to my VPS.
Learn Something New Every Day
Last Edited by: John on November 11, 2015