How to easily set up key-based SSH authentication

published on February 15, 2012

You want to set up key-based authentication so you can ssh into a server without entering that pesky password over and over again?

If you have to do this often, then use this wonderful one-liner to install the public key of your system on a remote server[1]:

cat ~/.ssh/id_?sa.pub | ssh <host> 'mkdir -p .ssh; cat >> ~/.ssh/authorized_keys'

Easy, right[2]? Replace <host> with your host, or possibly even user@host. To be able to use just <host>, you’ll want to configure SSH host aliases, e.g.:

Host seedbox2
    HostName norris.com
    User chuck
    Port 55555
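
A more defensive variant of the one-liner, as an added example that is not the post's own code: it takes the key file explicitly instead of relying on the id_?sa.pub glob, sets owner-only permissions on ~/.ssh and authorized_keys (sshd's StrictModes check rejects an authorized_keys file or .ssh directory that other users can write to), and skips a key that is already installed. The function names are made up for this example, and it assumes the remote login shell is POSIX-compatible.

```sh
#!/bin/sh
# Added example, not the post's code. Function names are hypothetical.

# Script executed on the server: reads one public key on stdin and appends
# it to authorized_keys unless that exact line is already present.
remote_script() {
cat <<'EOF'
umask 077
mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh" || exit 1
f="$HOME/.ssh/authorized_keys"
touch "$f" && chmod 600 "$f" || exit 1
IFS= read -r key
[ -n "$key" ] || exit 1
grep -qxF -e "$key" "$f" || printf '%s\n' "$key" >> "$f"
EOF
}

# Accept only a one-line file that starts with an OpenSSH public key type,
# so a private key (multi-line, "-----BEGIN ...") is never sent by mistake.
check_pubkey() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    [ "$(grep -c '' "$1")" -eq 1 ] || { echo "$1: expected one line" >&2; return 1; }
    case "$(cat "$1")" in
        "ssh-"*" "* | "ecdsa-sha2-"*" "* | "sk-"*" "*) return 0 ;;
        *) echo "$1: not an OpenSSH public key" >&2; return 1 ;;
    esac
}

# Usage: install_pubkey ~/.ssh/id_rsa.pub seedbox2
# Assumes the remote login shell is POSIX-compatible.
install_pubkey() {
    check_pubkey "$1" || return 1
    ssh "$2" "$(remote_script)" < "$1"
}
```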

  1. I use this to add seedboxes to driverpacks.net’s hosting infrastructure — the Seedbox hosting companies switch machines quite frequently, which means I have to change the rsync scripts to point to the new hosts. ↩︎

  2. Notice the question mark in id_?sa.pub? That way, it’ll pick up your public key for sure, no matter if it’s id_rsa.pub or id_dsa.pub. ↩︎

Comments

Philip

I prefer to use Kerberos…

If you’re going to use keys, take a look at Debian’s ssh-copy-id script. It’s a neat little wrapper around what you’re doing manually.

Wim Leers

Kerberos has a SPOF[1] and it’s more stuff to manage.

The line above works everywhere, ssh-copy-id is e.g. not present on OS X.

Good remarks, but I still prefer this way :)

  1. Single Point Of Failure. ↩︎

Philip Paeps

You can run slave KDCs…

And:

[1543] (philip@luggage)~% uname -a
Darwin luggage.paeps.cx 11.3.0 Darwin Kernel Version 11.3.0: Thu Jan 12 18:47:41 PST 2012; root:xnu-1699.24.23~1/RELEASE_X86_64 x86_64
[1544] (philip@luggage)~% which ssh-copy-id
/Users/philip/bin/ssh-copy-id

I’ve had Debian’s script in my $HOME/bin (which I use on many different Unixes) for ages. Works quite well!

wouter verhelst

You miss id_ecdsa (and yes, that exists, though you need a fairly recent SSH to get it)

Dieter_be

Hi, you’re making some assumptions which may not hold true and can cause breakage:

  • ~/.ssh/id_?sa.pub might not match the desired pubkey (mine won’t match)
  • StrictModes can be enabled (will complain over directory permissions), in fact my manpage says this is default.
  • authorized key file might not be ~/.ssh/authorized_keys (rarely, though)

The ssh-copy-id Philip mentioned comes with the upstream openssh releases and should be available in sane distribution packages (it’s also on Arch FWIW), if it’s not on OSX, then blame/fix the OSX package/release you’re using :) instead of having your peers maintaining their own alias/script to do this task IMHO

Wim Leers

Well…

  • I’ve never seen it somewhere else than ~/.ssh/id?sa.pub
  • I have no idea about your second point.
  • I’ve never seen that either.

I don’t force anybody to maintain a script. I provide this handy one-liner that has saved me quite a bit of frustration already so far. Plus, you’d force me to maintain an OS X fork of ssh-copy-id. That’s hardly better.

I just figured I’d share this handy one-liner with the world, but I guess that was a mistake… ;(

Jeffrey

Don’t let these comments discourage you. It’s hard for *nix people to understand what it’s like to use OSX and *nix simultaneously. If you try to keep your environments exactly the same you’d go mad.

Maitreya

Nice shortcut. Thank you! And those wanting it to do extras: you are free to add to this one-liner…