SSH Key Authentication - Quick and Dirty User Howto

Why?

Security and convenience. It enables fast, secure logins to remote hosts without typing a password, and replaces rlogin, telnet, and .rhosts.

How?

Assume, for this example, that you want to log in as user "foo" on host "there.com" from host "here.com", and that you already have a password-based account on "there.com". In the real thing you would substitute your login id and the correct hostnames.

  1. Log in to "here.com" via ssh.

  2. Go to the .ssh directory:

    ~$ cd .ssh
  3. Run ssh-keygen

    .ssh$ ssh-keygen
    Note: If both "here" and "there" are using OpenSSH, or other version 1.5/2.0 software (running
    ssh -V on both machines will tell you), you will need to specify the type of key, like this:

    .ssh$ ssh-keygen -t rsa

    If only "here" is running a protocol 1.5/2.0 mix, you will need to specify the type as
    rsa1 (because "there" would be running only protocol 1), like so:

    .ssh$ ssh-keygen -t rsa1

    ** Caution: RSA1 (protocol 1) is deprecated and insecure.

    Whether you use a passphrase depends on your system standards and your paranoia level. If you use a passphrase, be sure to make a note of it someplace safe. If you do not use a passphrase, just hit Enter when it asks for one.

  4. The ssh-keygen utility will generate two files: "id_rsa" and "id_rsa.pub" (or "identity" and "identity.pub"). You may wish to copy "id_rsa.pub" (or identity.pub) to "here.pub".

  5. Now scp (secure copy) the id_rsa.pub (or identity.pub) file to "there.com" as "here.pub".

    .ssh$ scp id_rsa.pub foo@there.com:~foo/.ssh/here.pub

    It will ask you to enter your password for foo at there.com. After you enter your password, it should copy the file and then indicate that it is done.

  6. Now ssh to "there.com", log in, and change to your .ssh directory.

    .ssh$ ssh there.com
    ...
    ~% cd .ssh
  7. Your "here.pub" file should be there. If it is, append it to the "authorized_keys" file.

    .ssh% cat here.pub >> authorized_keys

    Be sure to use ">>" (two greater-than signs) in order to append to an existing file rather than overwrite it. If there is no "authorized_keys" file, create it with:

    .ssh% touch authorized_keys

    and then append your "here.pub" file to it.

  8. Make sure that the files in .ssh are readable and writable only by you, on both machines, and not executable by anyone.

    .ssh% chmod 600 *
      or 
    .ssh% chmod go-rwx *

    Your .ssh directory should also be 700:

    chmod go-rwx ~/.ssh

    Your public key (*.pub) can be 644 if the system has a problem with the tighter setting.

  9. Now exit from "there.com", and test whether you can ssh in to it without a password.
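Steps 7 and 8 above, as an added example that is not part of the original howto: a small POSIX sh script that appends a public key to authorized_keys only if that exact line is not already there (running the plain "cat >>" twice silently duplicates the entry), then audits and tightens the permissions of the .ssh directory the way step 8 describes. It goes a little beyond the text by checking every entry in the directory, with the *.pub exception the howto allows. The directory it works on is a throwaway one the script creates itself, and the key line is a constructed placeholder, not a real key; the function names (append_key, check_perms, tighten_perms) are my own.

```shell
#!/bin/sh
# Added example, not from the original howto. Idempotent versions of
# steps 7 and 8, exercised against a constructed, throwaway .ssh directory.
set -eu

# Append the single public-key line in file $1 to authorized_keys file $2,
# unless that exact line is already present.
# Returns 0 if the key was added, 1 if it was already there.
append_key() {
    pub="$1"; auth="$2"
    touch "$auth"
    IFS= read -r line < "$pub"              # one key per line in a .pub file
    if grep -qxF -- "$line" "$auth"; then
        echo "already present: $pub"
        return 1
    fi
    printf '%s\n' "$line" >> "$auth"        # ">>" appends; ">" would clobber
    echo "added: $pub"
}

# Report every entry under .ssh directory $1 whose group/other permission
# bits are set. Private files and the directory itself must be 600/700;
# a *.pub file may be 644, as step 8 allows. Returns 0 if all is tight.
check_perms() {
    dir="$1"; bad=0
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue
        go=$(ls -ld "$f" | cut -c5-10)      # group+other bits, e.g. "r--r--"
        case "$f:$go" in
            *.pub:r--r--|*.pub:------) ;;   # public key: 644 or 600 is fine
            *:------) ;;                    # private file 600 / directory 700
            *) echo "loose permissions on $f (group/other: $go)"; bad=1 ;;
        esac
    done
    return $bad
}

# Apply the step 8 settings: directory 700, private files 600, *.pub 644.
tighten_perms() {
    dir="$1"
    chmod go-rwx "$dir"
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        case "$f" in
            *.pub) chmod 644 "$f" ;;
            *)     chmod 600 "$f" ;;
        esac
    done
}

# Demo on a constructed directory; nothing touches the real ~/.ssh.
demo() {
    tmp=$(mktemp -d)
    ssh_dir="$tmp/.ssh"
    mkdir -m 755 "$ssh_dir"                 # deliberately too loose
    # Constructed placeholder key line, not a real key.
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDPLACEHOLDER foo@here.com\n' \
        > "$ssh_dir/here.pub"
    chmod 644 "$ssh_dir/here.pub"
    append_key "$ssh_dir/here.pub" "$ssh_dir/authorized_keys"
    append_key "$ssh_dir/here.pub" "$ssh_dir/authorized_keys" || true  # no dup
    check_perms "$ssh_dir" || tighten_perms "$ssh_dir"
    check_perms "$ssh_dir" && echo "permissions OK"
    rm -rf "$tmp"
}

demo
```

On the real hosts you would point append_key at ~/.ssh/here.pub and ~/.ssh/authorized_keys on "there.com", and run check_perms against ~/.ssh on both machines before the passwordless test in step 9; a loose directory or authorized_keys file is the usual reason sshd ignores the key and falls back to asking for a password.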

A point to remember: passphraseless login is convenient, but if you don't need it, it can be a security risk.

If you need a passwordless login to run certain commands on a remote system, you might also want to look at using an ssh agent and agent forwarding. Then you only need to run the agent and enter your passphrase once per session, do your business, and quit.


Be sure to email me at lj @ laubenheimer.net if you have questions (remember to de-mung).