SSH without a password: using public keys

If you’re often logging remotely into UNIX-like machines using SSH, you may grow tired of having to type and retype your password each and every time. And even more so if you’re running rsync, or any other service, over SSH.

To make our life easier, we can establish a secured SSH connection between computers using public/private keys generated with OpenSSH.

In this example, I’ll say I want to connect to my server from my laptop.

In a tiny tiny nutshell

We’re going to create a set of public/private keys on our laptop, copy the public key on the server and add it to the authorized_keys.

With some commands and explanations

First of all, we’ll generate a RSA private/public key pair using OpenSSL:

laptop:~$ ssh-keygen -t rsa -b 2048

ssh-keygen will then ask for a place to save the keys (the default ~/.ssh/id_rsa is good) and a passphrase. You may enter a blank passphrase.

So what are these arguments exactly? -t specifies the algorithm to use, and -b is the key length in bits.

To quote the man page:

-b bits

Specifies the number of bits in the key to create.  For RSA keys, the minimum size is 768 bits and the default is 2048 bits. Generally, 2048 bits is considered sufficient.  DSA keys must be exactly 1024 bits as specified by FIPS 186-2.

For information, on my machine, generating a 1024 bits key is instantaneous, a 2048 bits key takes a second or two, a 4096 bits key is around 10 seconds, and a 8192 bits key took nearly 8mn.

Okay, so now we have two keys sitting in our ~/.ssh folder:

- id_rsa – our private key. – you guessed it from the extension: our public key.

Second step is to transmit our public key to the server, for example using a USB key, or scp:

laptop:~$ scp ~/.ssh/ mylogin@server:./

Finally, we add this public key to the list of keys the server is going to trust:

server:~$ cat >> .ssh/authorized_keys

Voilà! You can now log into your server with a simple `ssh server` without being asked for a password – only the passphrase if you entered one. And on OS X at least, you can set Keychain Access to remember the passphrase.

You may want to delete the from your home folder on the server afterwards.

A word of advice if you entered a blank passphrase: if someone gets control of your laptop, that person now gets control of your account on the server too. Keep that in mind: public-key authentication is a good thing, but can also be a security hazard if badly used.

At least once you know that a key have been compromised, you can delete it from the authorized_keys file on the server.

Screenshots and OS X: capturing a single window

One pretty awesomely simple thing under Mac OS is making great screenshots.

You might already be familiar with Mac OS X’s classical shortcuts for screenshots, Shift+Cmd+3 (full screen) and Shift+Cmd+4 (selection). But did you know you can shoot a single window without the hassle of selecting it from edge to edge, or worse, cropping from a full screenshot?

Press Shift+Cmd+4, then press the space bar.

A little camera appears, and allows you to capture the highlighted window of your choice.

The resulting image can be found at the same place as usual screenshots – by default, on the desktop, as a PNG file. With transparency and drop shadows, nothing less!

NB: apart from “real windows”, this camera can also capture the Dock, the menu bar, the desktop wallpaper, and even widgets.

A Keynote update is available. Would you like to open Software Update?

This nice explicative window popped up last time I opened Keynote (iWork ’09) :

A Keynote update is available. Would you like to open Software Update ?

Why yes, I would love to, but when I open Software Update…

Your software is up to date.

No updates are available.

What’s happening there ? Well, it seems that OS X’s Software Update only checks for /Applications/ to see if Apple applications (e.g. iWork, Aperture) are present on the system, and need upgrading. Which means that if you have some of these Apple applications located at any other place on your hard drive -in my case, being a subfolder-creating control freak, /Applications/Work/iWork ’09/ -, they won’t update properly.

Easy fix? Put the iWork ’09 directory back into /Applications/, let Software Update do its job, and then reorganize your directories as you like. You will have to do it for each new update though.