Tired of typing your password into SSH all the time? You can use common, open-source tools to avoid it for any application of SSH. Isn't open software cool? Read on...

General SSH questions, a bit of background on SSH and specifically Public Key Cryptography, and versions of SSH clients can be found in my mini-SSH FAQ.

Creating and Using SSH Identities

The first step in secure, password-free SSH is to create an SSH identity. An SSH identity is a private/public key pair, similar in function to PGP keys, or to SSL keys and SSL certificates. The public key of the pair is placed on the remote servers to which you wish to connect, and the private key remains on the client (local) machine. When you connect from your client, the ssh program offers identity-based authentication for each key it has available. If the server finds a corresponding public key on its end, it challenges the client to prove that it holds the private key, which the client does by a mathematically rigorous means that we can ignore for now.

We can do this with either OpenSSH or with PuTTY.

Configuring OpenSSH to use Identities

Installing OpenSSH

If you are running on a UNIX box without SSH (many have it by default), have your system administrator build and install OpenSSH. A version is installed by default on most Linux platforms, but you or your system administrator should keep it updated, as security-related patches are often made available on the OpenSSH web site.

If you are running on a Windows platform and use CYGWIN, you should already have SSH installed. Again, make sure you keep up with new releases of the SSH package (via the CYGWIN installer) for security.

Configuring OpenSSH

  1. Create the identity key pair:
    cd ~/.ssh
    ssh-keygen

    This creates your private/public key pair (~/.ssh/id_rsa and ~/.ssh/id_rsa.pub). The program will ask you for a passphrase with which to encrypt your private key; be sure to use a good passphrase of more than 10 or so characters. If you choose not to use a passphrase, you will not have to go through the ssh-agent or PuTTY-Agent steps below; however, I do not recommend this. Without a passphrase, your private key can be read by anyone who obtains the file and used to impersonate you on any server where you have placed your public key.

    Instead of RSA you may use DSA (-t dsa); either is fine, though I would not recommend RSA1 for security reasons.

  2. Copy the public key to the remote server:
    scp ~/.ssh/id_rsa.pub user@remote.host:pubkey.txt
    ssh user@remote.host
    mkdir -p ~/.ssh
    chmod 700 ~/.ssh
    cat ~/pubkey.txt >> ~/.ssh/authorized_keys
    rm ~/pubkey.txt
    chmod 600 ~/.ssh/*
    exit

    Be sure to replace user@remote.host with the appropriate username and host. This copies your public key to the remote server machine. Public keys are those with the .pub extension. You need to do this for each server into which you wish to login via SSH without a password. Alternatively, you could now copy the ~/.ssh/authorized_keys file to other systems to allow access from the local system. Also, if you have multiple keys, you can add the public key of each pair to the authorized_keys file, either by appending to the file or using a text editor. If you use cut and paste to copy the key, make sure each key entry is a single line in the file. Remember, the keys to add are always the public keys (from files with the .pub extension).

  3. Test the remote public key:
    ssh user@remote.host
    <enter-private-key-passphrase-at-prompt>
    exit 

    This is a test -- This time, instead of your password on the remote host, SSH should prompt you for the passphrase for your private key.

  4. Start the ssh-agent:

    Now we get to the meat of this document and figure out how to avoid typing either a password or a passphrase every time...

    eval `ssh-agent`

    This starts ssh-agent, a process that runs in the background and listens for requests from ssh clients that need your private key. ssh-agent prints a set of shell commands that set environment variables (the agent's socket path and process id); these must be eval-ed so that ssh clients started later in this shell can find the running agent. Do not start more than one instance of ssh-agent.

  5. Add your private key to the agent's cache:
    ssh-add
    <enter-private-key-passphrase-at-prompt>

    This adds your private key(s) to the list of keys held by ssh-agent. ssh-add will ask you for the passphrase of each key it is adding to the agent's pool. Note that this need only be done once after you start the ssh-agent daemon.

  6. Test the connection again:
    ssh user@remote.host
    exit

    This is a test -- This time you should not have to type any passwords or passphrases as ssh should get your private key from the agent daemon.
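As an added example that is not part of the original page: the remote-side commands of step 2, written as a small POSIX shell function that refuses malformed or multi-line keys, skips a key that is already present (so the same key is never appended twice), and sets the same 700/600 permissions the steps above use. The function names, the return codes and the key-type list are my own choices.

```shell
# Added example (not the page's own commands): the remote-side part of step 2
# done carefully. It appends a public key to authorized_keys only if the key
# is a well-formed single line that is not already present, then fixes the
# directory and file permissions the way the steps above do.

# Succeed if the file is exactly one line of the form "<type> <base64> [comment]".
valid_pubkey_file() {
    [ -r "$1" ] || return 1
    # awk counts a final line even when it lacks a trailing newline
    [ "$(awk 'END { print NR }' "$1")" -eq 1 ] || return 1
    grep -Eq '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/]+=*( |$)' "$1"
}

# install_pubkey KEYFILE [AUTHORIZED_KEYS]
# Returns 0 when appended, 2 when the key was already there, 1 on a bad key.
install_pubkey() {
    key="$1"
    auth="${2:-$HOME/.ssh/authorized_keys}"
    valid_pubkey_file "$key" || return 1
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # Compare on "<type> <base64>" only: a different comment is not a new key.
    blob=$(awk '{ print $1, $2 }' "$key")
    if [ -f "$auth" ] && awk '{ print $1, $2 }' "$auth" | grep -Fxq -- "$blob"; then
        chmod 600 "$auth"
        return 2
    fi
    # awk's print always terminates the line, so a pasted key that lacks a
    # trailing newline cannot run into the next entry.
    awk '{ print }' "$key" >> "$auth" || return 1
    chmod 600 "$auth"
}

# usage on the server, after copying the .pub file over:
#   install_pubkey ~/pubkey.txt && rm ~/pubkey.txt
```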

That's all there is to setting up ssh and ssh-agent to use public-key encryption and avoid entering your password multiple times a day. Any application that uses SSH should no longer require passwords. All that remains is to configure CVS to use SSH.

You should know that ssh-agent holds your private key(s) in memory in the clear (read: unencrypted) to use on behalf of ssh clients that request them. The mechanism by which ssh-agent talks to ssh is a UNIX-domain socket, and UNIX file permissions protect it against unauthorized access, so you need not worry about this. There is some question about the security of this mechanism under CYGWIN on Win32 platforms, but I feel the risks are not greater than the benefits, especially if you are the only person with access to your Windows box. Just lock your screen when you are not present - common sense.

One other tweak: with this "manual" approach of starting the agent and evaluating its output in your shell, only sub-shells of the current shell know about the running ssh-agent. The alternative I use is a short script that starts the agent daemon if it is not already running and sets the appropriate environment variables.

  1. Set up an automated start-agent script:

    First, get my sssha script (linked from this page). It is a BASH shell script, so if you use a different login shell, you will have to modify it. Once you have downloaded it, place it in your ~/.ssh/ directory and add the following to your ~/.bashrc configuration script, presumably at or near the end:

    # setup ssh-agent, if appropriate
    if [ -f "$HOME/.ssh/sssha" ]; then
       source "$HOME/.ssh/sssha"
    fi
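The script below is an added, hypothetical stand-in for the sssha script described above, not the author's file: it saves ssh-agent's output in a file (~/.ssh/agent.env), reuses a live agent instead of starting a second one, and includes the ssh-agent -k clean-up for logout. Source it from ~/.bashrc and then call ensure_agent; AGENT_ENV and the function names are my own.

```shell
# agent-env.sh: hypothetical replacement for the author's sssha script (added
# example, not the original). Source it from ~/.bashrc and call ensure_agent.
# ssh-agent prints "VAR=value; export VAR;" lines; we save that output once
# and let every new shell re-read the file instead of starting a second agent.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# Succeed only if SSH_AUTH_SOCK points at a live, answering agent.
agent_alive() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    # ssh-add -l exits 0 (keys loaded) or 1 (no keys) when it reaches the
    # agent and 2 when it cannot; only 2 means the socket is dead.
    ssh-add -l >/dev/null 2>&1 || [ $? -ne 2 ]
}

# Load SSH_AUTH_SOCK / SSH_AGENT_PID from a saved ssh-agent output file.
load_agent_env() {
    [ -r "$1" ] || return 1
    . "$1" >/dev/null
    [ -n "$SSH_AUTH_SOCK" ]
}

# Start a fresh agent and record its variables for later shells.
start_agent() {
    mkdir -p "$(dirname "$AGENT_ENV")" || return 1
    # Subshell so the restrictive umask does not leak into the login shell;
    # the file names a socket only this user may use.
    ( umask 077; ssh-agent -s > "$AGENT_ENV" ) || return 1
    load_agent_env "$AGENT_ENV"
}

# Reuse the agent this shell already knows, else the one recorded in the
# env file, else start one. Never starts a second instance.
ensure_agent() {
    agent_alive && return 0
    load_agent_env "$AGENT_ENV" && agent_alive && return 0
    start_agent
}

# For the "truly paranoid" logout step: kill the agent and forget it.
stop_agent() {
    [ -n "$SSH_AGENT_PID" ] && ssh-agent -k >/dev/null 2>&1
    rm -f "$AGENT_ENV"
    unset SSH_AUTH_SOCK SSH_AGENT_PID
}
```

A stale agent.env left over from a previous session is harmless: its socket no longer exists, agent_alive fails, and start_agent overwrites the file.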

Finally, if you are truly paranoid, make sure to kill your ssh-agent when you are done using any machine on which you have started one. This can be accomplished most simply with ssh-agent -k.

Configuring PuTTY to use Identities

Installing PuTTY (Windows only)

First, fetch PuTTY, which is available from http://www.chiark.greenend.org.uk/~sgtatham/putty/ (a Google search on PuTTY should find it too). The installer is a fairly typical Windows installer, so just go ahead and run it. The defaults are perfectly acceptable.

Configuring PuTTY

Figure 1: PuTTY Configuration
Once you have PuTTY installed, run PuTTY and you will be presented with a PuTTY Configuration window that looks something like that in Figure 1. Adjust each Category of settings as follows:

  1. Session
    • Check: SSH
  2. Connection
    • Auto-login username: your username
  3. Connection » SSH
    • Preferred SSH protocol version: 2
  4. Connection » SSH » Auth
    • Check: allow agent forwarding
    • [ you will come back here later to specify your Private key file for authentication ]

Go back to the Session category, click on the Saved Session named Default Settings and click Save. These are now your default PuTTY options.

Test the settings by typing the name of a remote host into the Host Name box and clicking Open. You should be prompted for your remote password and eventually get a shell window.

Go ahead and close that shell by typing exit.

Generating your Public/Private Keys

Figure 2: Generating your key
With PuTTY configured, you can now generate your public/private key pair. On the Windows START menu, where the PuTTY shortcuts were installed, there should be a shortcut for PuTTYgen. Run it; you should see a window like that in Figure 2.

  1. Check: SSH2 RSA (or SSH2 DSA, but NOT SSH1 RSA)
  2. Click: Generate
    While PuTTYgen is generating your key, create some "entropy" by moving the mouse around in the empty area of the window.
  3. Enter a Key Passphrase
    Make sure it is a good passphrase of more than 10 or so characters. If you choose not to use a passphrase, you will not have to use the PuTTY-Agent (below); however, I do not recommend this. Without a passphrase, your private key can be read by anyone who obtains the file and used to impersonate you on any server where you have placed your public key.
  4. Click: Save Private Key
    Select a place to put your keys such as your home directory; name it something like PuTTY-Private.ppk
  5. Click: Save Public Key
    Save it to the same directory as the private key, presumably; name it something like PuTTY-Public.pub
  6. Create your authorized_keys entry by copying the text from the "Public key for pasting into authorized_keys" text box into a file, again presumably in the same directory, named something like openssh-key.pub

Configure the Server's ~/.ssh/authorized_keys file

You now need to copy your public key to the remote SSH server and update one setting in your PuTTY configuration:

  1. Store your openssh-key.pub on the remote server in your remote ~/.ssh/authorized_keys file:

    1. Open a command prompt by typing cmd in the Windows Run dialog, or start a CYGWIN shell.
    2. Copy Public Key to Server: at the command prompt, enter:
      [ CMD: ]
      pscp c:\path\to\openssh-key.pub username@cvs.server.com:openssh-key.pub
      or
      [ CYGWIN: ]
      scp /cygdrive/c/path/to/openssh-key.pub username@cvs.server.com:openssh-key.pub

      ...where c:\path\to\openssh-key.pub is the location of the openssh-key.pub file created above, and username@cvs.server.com is your user name on the CVS server and the hostname of the CVS server. You may be prompted to confirm the legitimacy of the host, and you will be prompted for your password on the CVS server.

    3. Connect using PuTTY: if necessary, run the putty program, entering the name of the remote cvs server.

    4. Configure the Key on the CVS Server: after logging into the CVS server, enter the following commands to place your public key into the remote ~/.ssh/authorized_keys file:

      mkdir -p ~/.ssh
      chmod 700 ~/.ssh
      cat ~/openssh-key.pub >> ~/.ssh/authorized_keys
      rm ~/openssh-key.pub
      chmod 600 ~/.ssh/*
      exit

      You can also copy/paste, ftp, email or transmit your public key to the remote server by any means you find convenient. Just put the contents in the ~/.ssh/authorized_keys file, ensuring that what you paste is only one (long) line.

  2. Configure PuTTY to use the Private Key: Open PuTTY again; when the configuration window opens:

    • Open the Connection » SSH » Auth configuration category
    • Set the location of your PuTTY-Private.ppk file in the Private Key File for Authentication box
    • Return to the Session configuration category
    • Select and save your settings into the Default Settings

Test the settings by typing the name of the remote host into the Host Name box and clicking Open. You should be prompted for the passphrase of your private key rather than for your remote password; close the resulting shell window by typing exit.

Starting the PuTTY-Agent (Pageant)

Run the pageant program from the START menu. This will load the PuTTY Authentication Agent into the Windows System Tray; it appears as a little computer with a "secret agent hat". PuTTY-Agent is a process which runs in the background and listens for "requests" from PuTTY clients needing your private key.

When PuTTY-Agent starts, it doesn't know about your private keys by default. Right-click the Pageant icon in the Windows System Tray. Select Add Key. Navigate to the directory where you saved the public and private keys in the previous step, and select the file PuTTY-Private.ppk. Pageant will prompt you for the passphrase of the key.

Now you are basically done. Restart PuTTY to test the settings one last time: enter the name of the remote host into the Host Name box and click Open. You should NOT be prompted for the passphrase of your private key nor for your remote password; close the resulting shell window by typing exit.

Auto-Start PuTTY-Agent Upon Login

Pageant can automatically load one or more private keys when it starts up, if you provide them on the Pageant command line (i.e. in a shortcut). If you copy the standard Pageant shortcut, append the location of your key(s) to the Target: line. It might look something like this:

C:\PuTTY\pageant.exe d:\main.key d:\secondary.key

If the keys are stored encrypted, Pageant will request the passphrases on startup.

If you place that new shortcut in your Startup folder, it should be loaded automatically when you login to Windows.

Using PuTTY Keys for OpenSSH and vice-versa

If you already have keys used for OpenSSH or for PuTTY, you may use those keys in the other application, but you need to go through an import or export step using PuTTYgen.

First, open PuTTYgen again.

To import an OpenSSH key into PuTTY:

  1. In PuTTYgen, select: Conversions » Import Key
  2. Browse to your private OpenSSH key and select Open.
    You should be required to enter your private key passphrase.
  3. Click: Save Private Key
    Select a place to put your keys such as your home directory; name it something like PuTTY-Private.ppk
  4. Click: Save Public Key
    Save it to the same directory as the private key, presumably; name it something like PuTTY-Public.pub

Everything else should proceed as before, including using PuTTY-Agent (Pageant), but be sure to tell PuTTY about your new Private Key as above.

To export a PuTTY key for OpenSSH:

  1. In PuTTYgen, select: Conversions » Load Private Key
  2. Browse to your private PuTTY key and select Open.
    You should be required to enter your private key passphrase.
  3. Select: Conversions » Export OpenSSH Key
    Select a place to put your keys such as your home directory; name it something like openssh-key.
  4. To save the public key, follow the same instructions for creating the openssh-key.pub file as above.

Everything else should proceed as before, including using PuTTY-Agent (Pageant), but be sure to copy your OpenSSH public key to the server, as above.