SSH no Password

If you want to automate copying files from one computer to another via SSH, you would have to write the password into the script. To avoid that, key-files are used instead. Here I describe only RSA key-files (SSH protocol 2) with a length of 2048 bits.

If a web server running as user www-data needs write access to the /home/<user>/ folder, you need group write permission on that folder. This conflicts with the SSH config option "StrictModes yes". There is a way to avoid that.

The local computer is the client, the remote computer is the server.

Below I describe the use of key-files, including debugging.

Generate key-files

To keep handling simple, do not use a passphrase.

# replace <user> with your user name.

# change directory
$ cd /home/<user>/.ssh

# generate key files
$ ssh-keygen -t rsa -f id_rsa
passphrase?  ENTER

# there are now 2 files: id_rsa and id_rsa.pub

Copy key-file to server

In order to have a trusted relationship with the server, the server must have your public key in its file .ssh/authorized_keys.

# change directory
$ cd /home/<user>/.ssh

# copy local key-file to server .ssh/authorized_keys
$ ssh-copy-id -i id_rsa rudi@192.168.17.90

sshd_config StrictModes yes

Usually the file /etc/ssh/sshd_config contains the parameter StrictModes yes. With it, sshd checks the ownership and permissions of the key file and the folders above it before it accepts a key.

The file .ssh/authorized_keys may be readable and writable by the user only (mode 600).

The folders .ssh/ and /home/<user>/ must not have the group write permission.

You can do that with:

$ chmod 600 /home/<user>/.ssh/authorized_keys
# check permissions:
$ ls -ls .ssh/authorized_keys
4 -rw------- 1 rudi users 3151 Mär 14 18:25 authorized_keys

$ chmod g-w /home/<user>
# check permissions:
$ ls -ls ..
4 drwxr-x--- 9 rudi  www-data 4096 Jul 16  2014 rudi

$ chmod 700 /home/<user>/.ssh
# check permissions:
$ ls -als /home/<user>
 4 drwx------ 2 rudi     users     4096 Mär 15 06:02 .ssh

Debug SSH connection

If an SSH connection fails, or asks for a password, it is difficult to debug. The client option -v is not very helpful, because it only tells you that something is not working, but not why.

I searched a long time for a debug method. In principle it is very simple, using 2 terminal windows:

# Start an SSH server daemon on the server in terminal 1 (debug mode, port 2222)
$ sudo /usr/sbin/sshd -d -p 2222

# Start an SSH connection on the client in terminal 2
$ ssh -p 2222 rudi@192.168.17.90

# Close the connection with CTRL-D (STRG-D on a German keyboard)

If there is any error, it will be shown in terminal 1.

# Error, for example:
Authentication refused: bad ownership or modes for directory /home/rudi: just 0700
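As an added check that is not part of the original page, the following shell function reproduces the ownership and mode tests sshd applies under StrictModes yes, so a "bad ownership or modes" refusal can be diagnosed on the server without starting a second sshd. It assumes GNU stat (Linux) and walks from the key file's folder up to the home folder, as sshd does.

```sh
#!/bin/sh
# Added example, not from the original page: reproduce the ownership and
# mode checks that sshd applies under "StrictModes yes", so a
# "bad ownership or modes" refusal can be diagnosed on the server.
# Assumes GNU stat (Linux). Usage: check_strictmodes <home_dir> [keyfile]
# Prints one line per problem and returns 1 if any was found, else 0.

# Report PATH if it is group/world writable or not owned by OWNER or root.
_check_path() {
    path=$1; owner=$2
    if [ ! -e "$path" ]; then
        echo "missing: $path"; rc=1; return
    fi
    mode=$(stat -c '%a' "$path")             # e.g. 755 or 2775 (octal)
    who=$(stat -c '%U' "$path")
    perm=$((0$mode))                         # octal string -> integer
    if [ $(( perm & 022 )) -ne 0 ]; then     # group or other write bit set
        echo "bad mode $mode (group/world writable): $path"; rc=1
    fi
    if [ "$who" != "$owner" ] && [ "$who" != root ]; then
        echo "bad owner $who (expected $owner or root): $path"; rc=1
    fi
}

check_strictmodes() {
    home=${1%/}
    keyfile=${2:-$home/.ssh/authorized_keys}
    owner=$(stat -c '%U' "$home") || return 1
    rc=0
    _check_path "$keyfile" "$owner"
    # Walk from the key file's folder up to the home folder (or /),
    # the same parents sshd inspects before it accepts the key.
    dir=$(dirname "$keyfile")
    while :; do
        _check_path "$dir" "$owner"
        [ "$dir" = "$home" ] || [ "$dir" = / ] && break
        parent=$(dirname "$dir")
        [ "$parent" = "$dir" ] && break      # relative path ran out of parents
        dir=$parent
    done
    [ "$rc" -eq 0 ] && echo "StrictModes checks pass for $owner"
    return "$rc"
}

if [ $# -gt 0 ]; then
    check_strictmodes "$@"
fi
```

Run it as the affected user, for example `sh check.sh /home/rudi`, and fix each reported path with the chmod commands above.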

Move file authorized_keys

If your web server with user www-data needs group write access to your home folder, the only way to keep the parameter StrictModes yes is to move the file .ssh/authorized_keys to another place and tell /etc/ssh/sshd_config about it.

# Create a new folder, for example:
$ sudo mkdir /usr/share/sshkeys

# Change owner and permission
$ sudo chown <user>:<user> /usr/share/sshkeys
$ chmod 700 /usr/share/sshkeys
# Copy file
$ cp /home/<user>/.ssh/authorized_keys /usr/share/sshkeys/

# edit file /etc/ssh/sshd_config
# Because of Apache2 access
AuthorizedKeysFile /usr/share/sshkeys/authorized_keys

$ sudo service ssh restart

# Now it should work.

Note: The command ssh-copy-id always copies to /home/<user>/.ssh/authorized_keys by default. After using it you need to copy the file authorized_keys to the new place again.

Host Verification

If a different SSH host now answers at an IP address (the host key stored for that address no longer matches), you will get this error when you try to connect:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Once you know why the host key changed (for example the machine at that address was replaced or reinstalled), the solution is to remove the old entry from known_hosts and connect again:

# Example for removing old key
$ ssh-keygen -R 192.168.17.170
# Host 192.168.17.170 found: line 19
/Volumes/DAT/Users/rudi/.ssh/known_hosts updated.
Original contents retained as /Volumes/DAT/Users/rudi/.ssh/known_hosts.old

# connect again with user "pi"
$ ssh pi@192.168.17.170

-- RudolfReuter 2015-03-15 10:55:27


SSHnoPassword (last edited 2019-04-18 20:27:12 by RudolfReuter)