1. BenJam
    Posted February 4, 2009 at 9:17 pm | Permalink

    JayFresh, braying in the face of the ‘something you have and something you know’ mantra of two factor authentication… huzzah!

  2. Posted February 5, 2009 at 5:21 am | Permalink

    You probably got few results as people don’t usually call them certificates in this context – they call them keys (hence ssh-keygen)

Ideally you should also give your keys strong passwords, as otherwise if someone else obtained them *bam* they have access as you. If you use a password then you can use a key agent so you don’t have to enter the key password every time. (Leopard even has an ssh-keyagent running for you, you just ssh -i {keyname} once and it’ll prompt for the password and then store it in your keychain.)

  3. Posted February 5, 2009 at 9:34 am | Permalink

    Patrick is right – you should search for the term “(public/private) key” instead of “certificate”.
    Also, I believe DSA is the preferred type these days.

  4. Posted February 5, 2009 at 11:54 am | Permalink

Yeah, certificates are as used with SSL/TLS and S/MIME etc, and IIRC the product of a trusted 3rd party ‘signing’ (with their private key) the requester’s relevant info (server name or E-mail address etc) along with their public key. Think there is a bit more to it, but you get the idea… With SSH it’s just key-pairs, without any signing going on.

    Wouldn’t worry about passphrases if you have an encrypted homedir (IIRC FileVault in Macspeak), which of course everyone should have.

    ssh-agent is ace, and with agent forwarding it gets even better, as you can login to a remote machine, and then from that to another, and to another if you like, all without entering passwords.


  5. Denada
    Posted February 5, 2009 at 2:09 pm | Permalink

    Re: agent forwarding

What happens if you eventually log back in to the machine you started from? Do you get a virtual Duckling loop? Or recreate that scene in “Being John Malkovich” where he goes through the portal into his own head? We could call it “Being Jon Lister”.

  6. Posted February 5, 2009 at 2:13 pm | Permalink

    That should work fine, Denada – in contrast to VNC

  7. Posted February 6, 2009 at 9:12 am | Permalink

    Andrew: I guess I’m just the paranoid type – although if I were truly paranoid I wouldn’t store the password in the keychain. At the very least it’s a lot harder for someone sitting at my computer to get the password from the keychain than it is to cp ~/.ssh/* /Volumes/EvilRemoteVolume/

    One thing I do like is that it’s not terribly hard to revoke a key (just remove it from authorized_keys file), although it doesn’t scale well when you have a lot of servers. You can also lock keys to only certain IP addresses and other such fun.
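The two operations mentioned in the comment above, restricting a key to particular source addresses and revoking it by removing its line from authorized_keys, as an added shell example (not code from the original post or any of its commenters). It assumes the OpenSSH authorized_keys format, where options such as from="pattern" precede the key; the function names are mine and the key strings in the usage are constructed, not real keys.

```shell
#!/bin/sh
# Added example: authorized_keys helpers for the per-key restrictions and
# the revoke-by-deletion approach described in the comment above.
# Assumes OpenSSH authorized_keys syntax: [options] keytype base64 [comment]

# restrict_key PUBKEY_LINE FROM_PATTERN -> the same key line prefixed with
# options that accept it only from hosts matching FROM_PATTERN (OpenSSH
# from= syntax, e.g. "192.0.2.10" or "*.example.org") and that disable
# agent and port forwarding for sessions opened with it.
restrict_key() {
    printf 'from="%s",no-agent-forwarding,no-port-forwarding %s\n' "$2" "$1"
}

# has_key FILE KEYDATA -> 0 if some line of FILE contains KEYDATA, else 1
has_key() {
    grep -q -F -- "$2" "$1"
}

# revoke_key FILE KEYDATA -> rewrite FILE without any line carrying KEYDATA
# (a distinctive part of the base64 key material). This is the per-host
# revocation the comment describes; it has to be repeated on every server.
revoke_key() {
    file=$1
    keydata=$2
    tmp="$file.tmp.$$"
    # grep exits 1 when no lines remain, which is a valid outcome here
    grep -v -F -- "$keydata" "$file" > "$tmp" || :
    mv "$tmp" "$file"
}

# Usage (constructed key, not a real one):
#   restrict_key 'ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTED= alice@laptop' '192.0.2.10' \
#       >> ~/.ssh/authorized_keys
#   revoke_key ~/.ssh/authorized_keys 'AAAAB3NzaC1yc2EAAAACONSTRUCTED='
```

The from= pattern is matched by sshd against the client's address (and, where reverse DNS resolves, its hostname), so a stolen key file is useless from anywhere else; the two no-*-forwarding options keep a restricted key from being used as a pivot through the agent or tunnels.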

  8. Posted February 6, 2009 at 11:55 am | Permalink

    Thanks everyone for the comments, they’ve made the post much more useful!

    “keys”… yes, that would be the right term now, wouldn’t it… I’ll leave searching for certificates until I want a 2nd-hand PhD or something.

  9. Mojo
    Posted May 17, 2009 at 11:38 pm | Permalink

    I have also ended up here after searching for ‘ssh+certificate’, so you are probably far from the only one making this mistake.

    I have now read the above with interest, and am now off to search for ‘ssh+keys’.

    In any case, this post is definitely useful. Leave it here!

    Thanks. :)

    • Posted December 23, 2009 at 12:52 pm | Permalink

      I ended up here searching for ssh+certificate as well.

I needed to perform automated transfer between two linux boxes in a script. A quick and dirty script or I would have set up an rsync server on one of the boxes.

      So I needed PASSWORD-LESS communication to be scripted. Since IMHO that is the entire purpose of certificate based ssh authentication, the strong password recommendation above is kind of silly.

      Computers are also very secure if you turn them off and don’t use them. They might even pass a PCI audit…

  10. Stu Roberston
    Posted February 5, 2010 at 3:18 am | Permalink

    Along with the other comments, DSA, etc, don’t forget permissions or the /var/log/secure log file.

    your ~/.ssh dir must be 700
    your private key file must be 600
    your public key file must be 644
    your auth file (on the remote) must be 644

But the log file will tell you this (basically).

    Leave the link here – handy….
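A script that checks the modes listed in Stu's comment, as an added example that is not part of the original post or its comments. It assumes GNU stat on Linux (the BSD stat form is tried as a fallback for macOS) and the usual OpenSSH file names; the function names are mine. It also accepts 600 for authorized_keys and 400 for a private key, since sshd's StrictModes only rejects files that are group- or world-writable, which is the case the comment's /var/log/secure hint points at.

```shell
#!/bin/sh
# Added example: verify the ~/.ssh permissions from the comment above.
# Assumes GNU stat (Linux); the BSD stat form is tried as a fallback.

# file_mode PATH -> octal mode such as 700 or 644
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_mode PATH WANT... -> 0 if PATH's mode is one of WANT, else 1 plus a hint
check_mode() {
    path=$1
    shift
    if [ ! -e "$path" ]; then
        echo "missing: $path"
        return 1
    fi
    have=$(file_mode "$path")
    for want in "$@"; do
        [ "$have" = "$want" ] && return 0
    done
    echo "wrong mode on $path: have $have, want $1 (fix: chmod $1 '$path')"
    return 1
}

# check_ssh_dir DIR -> 0 only if the directory and every key file present in
# it carry an acceptable mode; each problem is reported on stdout.
#   directory 700, private key 600 (or 400), public key 644,
#   authorized_keys 644 (or 600)
check_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    rc=0
    check_mode "$dir" 700 || rc=1
    for key in "$dir"/id_rsa "$dir"/id_dsa "$dir"/id_ed25519; do
        [ -e "$key" ] || continue
        check_mode "$key" 600 400 || rc=1
        [ -e "$key.pub" ] && { check_mode "$key.pub" 644 || rc=1; }
    done
    [ -e "$dir/authorized_keys" ] && { check_mode "$dir/authorized_keys" 644 600 || rc=1; }
    return "$rc"
}

# Usage: check_ssh_dir                 # inspects $HOME/.ssh
#        check_ssh_dir /home/alice/.ssh
```

Run it on the remote account as well as locally: sshd silently falls back to password authentication when the remote ~/.ssh or authorized_keys is too open, and the only trace is the "Authentication refused: bad ownership or modes" line in the secure log.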

  11. robert
    Posted February 23, 2010 at 8:15 pm | Permalink

    On Ubuntu: open Applications | Passwords and Encrypted Keys, right-click your key under “My Personal Keys”, select “Configure Key for Secure Shell”, fill out dialog (remote computer name, user account), hit OK.

  12. ed
    Posted October 12, 2010 at 7:49 am | Permalink

    Excellent article!
    By far the EASIEST way to do ssh I have found on the web!

  13. jacob
    Posted October 13, 2010 at 1:25 am | Permalink

    Yes, by far the easiest method to set up ssh keys I have found.



  14. Posted July 29, 2011 at 2:59 pm | Permalink

    Great post. I was trying to set up a rsync to let Eclipse automatically sync with a remote server. This explanation stopped me having to type my password every time I saved a file. Nice one!

  15. adamamyl
    Posted August 22, 2012 at 12:52 pm | Permalink

    Instead of

    scp id_rsa.pub @:.ssh/authorized_keys

    you could use (`brew install ssh-copy-id` &&) ssh-copy-id foo@destination.example.org

3 Trackbacks/Pingbacks

1. [...] copy this to the server and can then log in without a password. How this works is here [...]

  2. [...] and therefore, print. To keep them from logging into the machine through SSH, I set SSH to use certificates instead of passwords. This also allows me to securely access it without having to type in a [...]

  3. [...] http://jaybyjayfresh.com/2009/02/04/logging-in-without-a-password-certificates-ssh/ [...]

