3

I'm trying to add password-less ssh access to my Mac OS X 10.8.3 that acts as a server. I've followed instructions like this:

http://osxdaily.com/2012/05/25/how-to-set-up-a-password-less-ssh-login/

But when I do ssh user@myserver.com I still get prompted for the password.

After looking at:

https://superuser.com/questions/419122/how-to-use-ssh-private-key-to-log-in-without-entering-passphrase-every-time-on-m

When I do ssh-add on my client machine I get:

[michael@varga (Sun May 26 09:56:32) ~]% ssh-add
Enter passphrase for /Users/michael/.ssh/id_rsa: 

BUT when I try using the ssh-add command at the command line on the server, it simply does nothing:

[michael@maz (Sun May 26 10:00:25) ~]% ssh-add
[michael@maz (Sun May 26 10:01:03) ~]% ssh-add -K 

I think this may have something to do with the issue I'm having with it still requiring me to give the password.

Any suggestions how to fix ssh-add?

maz
  • 131
  • 1
  • 5

2 Answers

3

You don't need to run ssh-add or ssh-agent on your server.

You should run ssh-agent on your client (varga). This will create a socket for the ssh program to check for an unlocked key. ssh-agent will print you some environment variables you'll have to define—you normally do this with eval $(ssh-agent), which both starts the agent and exports all necessary variables.

As I can see from your question, ssh-add asks for a password and adds the key to the agent; that means that the agent is running and all those variables are exported (at least in the shell you are using to run ssh-add). But now, to make ssh see the agent, you have to make sure that those variables are also exported in the session in which you run ssh.

The fact that ssh-add is not asking for the password when you run it on the server means that the agent is running on the server (you don't need it) and there are simply no keys to add, so it quits silently.

Why is ssh on the client asking for the password? Probably because you've added a wrong key to the agent. Are you sure that you can log in to the server using the key-file? Are you sure that when you try to log in it is asking for the password of the key-file, and not a normal user password? Ensure that public-key authentication is working first.

kirelagin
  • 209
  • 2
  • 7
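A client-side check for the agent states this answer reasons about, added here as an example; it is not code from the answer. It relies on the documented exit codes of OpenSSH's ssh-add -l (0 when keys are listed, 1 when the agent has no identities, 2 when no agent can be contacted); the state names and the helpers agent_status and agent_advice are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect the client-side agent state
# that the answer above describes. The state names are this script's own.
#
#   unset        SSH_AUTH_SOCK is not exported in this shell, so ssh cannot find an agent
#   stale        the variable is set but its socket is gone (agent died, or the
#                variables were pasted in from another session)
#   empty        an agent answers but holds no identities (ssh-add -l exits 1);
#                this is the "quits silently" case the question saw on the server
#   loaded       an agent answers and has at least one key (ssh-add -l exits 0)
#   unreachable  the socket exists but nothing answers on it (ssh-add -l exits 2)

# agent_status [SOCKET_PATH]  - defaults to $SSH_AUTH_SOCK when no argument is given
agent_status() {
    sock="${1-$SSH_AUTH_SOCK}"
    if [ -z "$sock" ]; then
        echo unset
        return 0
    fi
    if [ ! -S "$sock" ]; then
        echo stale
        return 0
    fi
    # Ask the agent behind this socket for its key list; only the exit code matters.
    # The if-form keeps a non-zero exit from aborting scripts run under set -e.
    if SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    case "$rc" in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# agent_advice STATE  - the next step for each state, in one line
agent_advice() {
    case "$1" in
        unset)  echo 'start one here: eval "$(ssh-agent -s)" (put it in your shell profile to get it in every session)' ;;
        stale)  echo 'the agent behind SSH_AUTH_SOCK is gone: unset SSH_AUTH_SOCK, then eval "$(ssh-agent -s)" again' ;;
        empty)  echo 'load the key: ssh-add ~/.ssh/id_rsa (asks for the key passphrase once)' ;;
        loaded) echo 'keys are loaded; if ssh still prompts, run ssh -v and check which key is offered and whether the server accepts it' ;;
        *)      echo 'socket present but no agent answers: start a fresh agent with eval "$(ssh-agent -s)"' ;;
    esac
}

# Stand-alone run: report on the shell this script was started from.
state=$(agent_status)
echo "agent state: $state"
echo "next step:   $(agent_advice "$state")"
```

Run it in the same terminal you run ssh from: because the check reads the SSH_AUTH_SOCK that this shell exports, an "unset" result in one window and "loaded" in another is exactly the "variables not exported in the session you run ssh in" situation the answer describes.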
2

I'm guessing one of two things.

Either you haven't got an ssh-agent running on the server. To verify that you have an ssh-agent running on the server, see if the SSH_AUTH_SOCK environment variable is set:

echo $SSH_AUTH_SOCK

Another possibility is that you have misunderstood how ssh keypairs are supposed to work. Have you installed your public key on the server? If you have ssh-copy-id available, this is very simple. On the client:

ssh-copy-id user@server

If not, you need to insert the contents of ~/.ssh/id_rsa.pub on the client into ~/.ssh/authorized_keys on the server. E.g. (assuming you have no other keys set on the server):

scp ~/.ssh/id_rsa.pub user@server:.ssh/authorized_keys
ssh user@server chmod 0600 .ssh/authorized_keys

A way to diagnose this is to run ssh with verbose output:

ssh -v user@host

It should show you that keypairs can be used for authentication:

debug1: Authentications that can continue: publickey,password

That it actually tries to authenticate using a key:

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/$user/.ssh/id_rsa

And that the public key authentication succeeds:

debug1: Authentication succeeded (publickey).
ptman
  • 27,124
  • 2
  • 26
  • 45
  • This should be a comment, not an answer. – EEAA May 26 '13 at 14:27
  • 1
    True enough. How do you like the improved answer? – ptman May 26 '13 at 14:35
  • Much better! :) – EEAA May 26 '13 at 14:40
  • 1
    There is no reason to run `ssh-agent` on the server. `ssh-agent` should run on the client only. If you want multi-hop capability, configure `ForwardAgent yes`, then the server will have access to the client's SSH agent. – 200_success May 26 '13 at 15:27
  • @200_success I try not to presume what he is trying to do, but yes, usually running ssh-agent on the server is the wrong thing to do. – ptman May 26 '13 at 15:46
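The two steps of this answer, installing the public key with the permissions sshd expects and then reading the ssh -v output, written as a script. This is an added example, not code from ptman's answer: install_authorized_key and classify_ssh_debug are names invented for it, the key line and debug lines it is run on are constructed rather than captured, and it goes slightly beyond the answer's scp one-liner by appending to authorized_keys instead of overwriting it, so keys already on the server are kept.

```shell
#!/bin/sh
# Added example, not code from the thread: an idempotent authorized_keys install
# (the scp step in the answer overwrites the file) and a classifier for the
# `ssh -v` lines the answer says to look for. Function names are this script's own.

# install_authorized_key PUBKEY_FILE HOME_DIR
# Appends the key to HOME_DIR/.ssh/authorized_keys unless the same key is already
# there, and sets the permissions sshd checks under StrictModes (700 on ~/.ssh,
# 600 on authorized_keys; a group- or world-writable file makes sshd ignore it).
# Prints "added" or "present".
install_authorized_key() {
    pubkey_file="$1"
    home_dir="$2"
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # An OpenSSH public key line is "<type> <base64 blob> [comment]". Two copies
    # of one key can carry different comments, so compare type and blob only.
    key_id=$(awk 'NF >= 2 { print $1 " " $2; exit }' "$pubkey_file")
    [ -n "$key_id" ] || { echo "no key found in $pubkey_file" >&2; return 1; }

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    if grep -qF -- "$key_id" "$auth_keys"; then
        echo present
    else
        # printf guarantees the line ends in a newline even if the .pub file did not
        printf '%s\n' "$(cat "$pubkey_file")" >> "$auth_keys"
        echo added
    fi
}

# classify_ssh_debug LOG_FILE
# Reads saved `ssh -v` output and reports how far public-key auth got:
#   publickey-ok          "Authentication succeeded (publickey)" was logged
#   key-offered-rejected  the client offered a key but did not succeed with it
#                         (key not in authorized_keys, wrong key, bad permissions)
#   no-auth-stage         the connection never reached authentication
#   server-no-publickey   the server never listed publickey as an allowed method
#   no-key-offered        publickey was allowed but the client never offered one
#                         (no identity file, or the agent holds no key)
classify_ssh_debug() {
    log="$1"
    if grep -q 'Authentication succeeded (publickey)' "$log"; then
        echo publickey-ok
    elif grep -q 'Offering .*public key' "$log"; then
        echo key-offered-rejected
    elif ! grep -q 'Authentications that can continue:' "$log"; then
        echo no-auth-stage
    elif ! grep 'Authentications that can continue:' "$log" | grep -q publickey; then
        echo server-no-publickey
    else
        echo no-key-offered
    fi
}

# Stand-alone run on a constructed log: these lines are made up to match the
# answer's sample output, not captured from a real session.
demo=$(mktemp)
printf '%s\n' \
  'debug1: Authentications that can continue: publickey,password' \
  'debug1: Next authentication method: publickey' \
  'debug1: Offering RSA public key: /Users/michael/.ssh/id_rsa' \
  'debug1: Authentications that can continue: publickey,password' \
  'debug1: Next authentication method: password' > "$demo"
echo "constructed log: $(classify_ssh_debug "$demo")"   # key-offered-rejected
rm -f "$demo"
```

To use it on a real attempt, save the client's verbose output with ssh -v user@server 2> ssh.log and pass ssh.log to classify_ssh_debug; "key-offered-rejected" with a password prompt following it is the symptom in the question, and points at the server-side file and permissions rather than at the agent.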