Recipe 6.9 Authenticating Without a Password (Interactively)

6.9.1 Problem

You want to authenticate without typing a password or passphrase.

6.9.2 Solution

Use ssh-agent, invoking it within backticks as shown:

$ eval `ssh-agent`

Add your keys to the agent using ssh-add:

$ ssh-add
Enter passphrase for /home/smith/.ssh/id_dsa: ********

Then log in using public-key authentication and you won't be prompted for a passphrase: [Recipe 6.4]

$ ssh -l remoteuser remotehost

Some Linux distributions automatically run ssh-agent when you log in under an X session manager. In this case just skip the ssh-agent invocation.

6.9.3 Discussion

The SSH agent, controlled by the programs ssh-agent and ssh-add, maintains a cache of private keys on your local (client) machine. You load keys into the agent, typing their passphrases to decrypt them. SSH clients (ssh, scp, sftp) then query the agent transparently about keys, rather than prompting you for a passphrase.

The invocation of ssh-agent might look a little odd with the eval and backticks:

$ eval `ssh-agent`

but it is necessary because ssh-agent prints several commands on the standard output that set environment variables when run. To view these commands for testing, run ssh-agent alone:

$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-XXNe6NhE/agent.13583; export SSH_AUTH_SOCK;
echo Agent pid 13584;

and then kill it manually (kill 13584).[2]

[2] In this case, you cannot kill the agent with ssh-agent -k because the environment variables aren't set.

ssh-add, invoked with no command-line arguments, adds your default keys to the cache. To add a selected key, simply list it:

$ ssh-add ~/.ssh/other_key

Removing keys is done like this:

Remove one key:
$ ssh-add -d ~/.ssh/other_key

Remove all keys:
$ ssh-add -D

A tempting but naive alternative to ssh-agent is a key with an empty passphrase, called a plaintext key. If you authenticate with this key, indeed, no passphrase is needed . . . but this is risky! If a cracker steals your plaintext key, he can immediately impersonate you on every machine that contains the corresponding public key.

For interactive use, there is no reason to use a plaintext key. It's like putting your login password into a file named Don't do it. Use ssh-agent instead.

Another way to avoid passphrases is to use hostbased (trusted host) authentication [Recipe 6.8], but for interactive use we recommend public-key authentication with ssh-agent as inherently more secure.

6.9.4 See Also

ssh-agent(1), ssh-add(1).

    Chapter 9. Testing and Monitoring