Using OpenSSH

Author: John M. Gabriele
Date: May 2007

Where everything is

OpenSSH works fine with PAM (Pluggable Authentication Modules), which is standard these days.

dpkg -L ssh shows a number of binaries you might be using:

Config files:

And, of course, don't forget about your own $HOME/.ssh directory. BTW, your $HOME/.ssh directory should be chmod 700. (And the $HOME/.ssh/authorized_keys file should have permissions 644.)

Avoid typing passwords all the time

Summary:

ssh-keygen -t rsa
ssh-copy-id -i ~/.ssh/id_rsa.pub username@remote.machine

or, for DSA:

ssh-keygen -t dsa
ssh-copy-id -i ~/.ssh/id_dsa.pub username@remote.machine

(RSA was in SSH1, DSA was introduced in SSH2, then RSA was added back into SSH2.)

You generate your RSA (the default) or DSA (not used much these days) keys using ssh-keygen. If you create RSA keys, they go in $HOME/.ssh/id_rsa and id_rsa.pub. (DSA keys will go in $HOME/.ssh/id_dsa and id_dsa.pub.) You'll get prompted for a passphrase, but it's optional -- you can leave it blank if you like; that way, neither you nor your scripts will be prompted for it later. A "passphrase-less key" is convenient, but for anything but LAN usage it's considered a security risk.

(Can you have more than one key? Do they all go into the same 2 files? XXX)

(Hmm... I think older versions of ssh use .ssh/identity and identity.pub instead of id_rsa. FreeBSD 4 does anyway.)

To set things up so you don't need to always type your password when ssh'ing from machine_a to machine_b:

Use either ssh-copy-id (preferred) or cat >> to append the local (machine_a) public key to the remote (machine_b) machine's list of authorized_keys:

For ssh'ing from a current GNU/Linux box to an aging FreeBSD box, I've had to ssh-copy-id a dsa key to the BSD machine, and then go to the BSD machine and mv authorized_keys authorized_keys2.
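An added example, not from the original page: what the append step amounts to on the remote side, using the 700/644 permissions given earlier. The function name install_pubkey and all sample keys are constructed for illustration; it runs against a scratch directory, not your real $HOME/.ssh.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE SSH_DIR   (hypothetical helper, not part of OpenSSH)
# Appends the first line of PUBKEY_FILE to SSH_DIR/authorized_keys, the job
# ssh-copy-id or "cat >>" does, with the modes the page gives (700 / 644).
install_pubkey() {
    pubkey_file=$1
    ssh_dir=$2
    auth_file="$ssh_dir/authorized_keys"

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }
    key_line=$(head -n 1 "$pubkey_file")
    # A private key starts with "-----BEGIN"; never append one by mistake.
    case $key_line in
        ''|-----BEGIN*) echo "$pubkey_file is not a public key" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" || return 1

    # A blind "cat >>" glues the new key onto an unterminated last line,
    # corrupting both entries. Terminate that line first.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        printf '\n' >> "$auth_file" || return 1
    fi

    # -x whole line, -F literal text: skip the append if the key is present.
    if ! grep -qxF -- "$key_line" "$auth_file"; then
        printf '%s\n' "$key_line" >> "$auth_file" || return 1
    fi
    chmod 644 "$auth_file"
}

# Demo on constructed data in a scratch directory (nothing under $HOME is touched).
demo_dir=$(mktemp -d)
# Constructed sample line; the base64 part is a placeholder, not a real key.
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAEXAMPLEONLY user@machine_a' > "$demo_dir/id_rsa.pub"
# Existing entry deliberately left without a trailing newline.
mkdir -p "$demo_dir/.ssh"
printf '%s' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAOLDERKEY user@machine_c' > "$demo_dir/.ssh/authorized_keys"

install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/.ssh"
install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/.ssh"   # second run adds nothing
ls -ld "$demo_dir/.ssh" "$demo_dir/.ssh/authorized_keys"
cat "$demo_dir/.ssh/authorized_keys"
```

Running it twice leaves exactly one copy of the key, and the older entry that lacked a trailing newline stays on its own line.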

ssh-agent

Instead of using the authorized_keys/authorized_keys2 file, you could fiddle with ssh-agent. (?)

ssh-agent requires you to use your passphrase with passphrased keys. Some folks use ssh-agent with the pam_ssh module.

There's a tool (with a same-named Debian package) called keychain. It makes use of ssh-agent.
