User login

Passwordless SSH (using Public Keys and Agent Forwarding)

Part I: Private and Public Keys

SSH public key authentication requires the user to create a public/private key pair on her machine. It's easy:


A key pair will be generated (it is ok to hit enter every time you are prompted by the key generator) and stored in ~/.ssh. The default names are id_rsa/ and id_dsa/ depending on the encryption algorithm. For each device used to connect to remote machines via ssh this must be repeated. It's not a good idea to spread the private key.

To make use of the key pair, i.e. passwordless login, the public key must be added to the account on the remote machine. Let's demonstrate it with an example. Jean is a developer and uses jean as username on her laptop. She needs to push her code to where she owns the account jean_r. To free herself from entering the password again and again she uses the following command (issued in /home/jean on the laptop and the private key's name being .ssh/id_rsa).

cat .ssh/ | ssh tee -a .ssh/authorized_keys

If she were using a Debian system on her laptop she could instead run

ssh-copy-id [-i .ssh/id_rsa]

In any case one last time she will be prompted to enter her password to authenticate as jean_r on

Part II: Agent Forwarding

That was easy. But there's a particular issue with public key authentication. Say Jean needs to sync files from via scp to like this for instance:

scp* files/

on (Quietly assuming she has permissions to store the files, e.g. files being a subdirectory of her home folder.)
To successfully perform a public key authentication ssh needs access to the private key which in Jean's case is on her laptop but not on Of course she could create another key pair on foo and copy the public key. This can become quite tedious and there is a way to get around it: ssh agent forwarding.

SSH agent
ssh-agent is a process which can hold and manage private keys on your workstations, and respond to requests from remote systems to verify your keys.
Agent Forwarding
Agent forwarding allows a chain of ssh connections to forward key challenges back to the original agent.

In case ssh-agent isn't running it can be started with exec ssh-agent bash. Identities (i.e. private keys) are added with ssh-add filename. Add all files with:

ssh-add -K

Now Jean happens to have her ssh agent up and running with her id_rsa added to it. She creates a file called config in her .ssh directory on her laptop (vi ~/.ssh/config in her local environment) containing:

ForwardAgent yes

After logging in as jean_r on foo she checks if her agent is properly forwarded by issuing ssh-add -l. If the identity she has on her laptop is listed she can login to bar or copy files:

scp* files/

Want to learn more?

Searched words: