So one day, My superior gave me a task to create a process that transport data (in text file) from one nix box to another nix box. Since the target box has internet facing interface, public IP, and doesn’t have any firewall installed in any form whatsoever, it has to be over SSL. So it’s either sftp or scp. The file transport will be part of a batch process. So I choose SCP over SFTP, since it only require one line of command instead of a scripted process.

Since the process will be an unattended one, manually typing password is out of question, so I turned to public key authentication. Here are the steps:

1. Make sure the target SSH server accept public key authentication
As root, open sshd_config on the target server, usually located in /etc/ssh/sshd_config

sudo nano /etc/ssh/sshd_config

Make sure these lines are available and not commented

PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

2. Make sure the ssh client know where the private key is located
As root, open ssh_config on the client machine, usually located on /etc/ssh/ssh_config

sudo nano /etc/ssh/ssh_config

Make sure this line is available and not commented

IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa

3. Create a pair of private and public keys
To do public key authentication, you need to have a pair of keys. Private key is stored on ssh client machine as your identification, and public key is stored on the target ssh server, used by sshd to authenticate you on ssh server.

Log into the ssh client machine with the account that you’ll be using to connect to target server, and issue this command:

ssh-keygen -t dsa

The output should be similiar to this

ikhsan@M5mobile:~/.ssh$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/ikhsan/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ikhsan/.ssh/id_dsa.
Your public key has been saved in /home/ikhsan/.ssh/id_dsa.pub.
The key fingerprint is:
be:4d:36:7c:29:a9:e0:8a:c0:c5:d5:65:40:fe:97:4b ikhsan@M5mobile

Since my requirement was passwordless authentication, I didn’t enter any passphrase. Note that the private (id_dsa) and public (id_dsa.pub) keys have been generated, and stored .ssh directory

ikhsan@M5mobile:~$ cd .ssh
ikhsan@M5mobile:~/.ssh$ ls
authorized_keys  id_dsa  id_dsa.pub  id_rsa  id_rsa.pub

4. Install the public key into the target ssh server
Copy the public key into target ssh server

ikhsan@M5mobile:~$ cd .ssh
ikhsan@M5mobile:~/.ssh$ scp id_dsa.pub surfer@M5base:/home/surfer/.ssh
surfer@M5base's password:
id_dsa.pub                                    100%  605     0.6KB/s   00:00

log into the ssh server as the user that will use the passwordless authentication, in my case, it’s “surfer”. Install the public key into the server by issuing this command:

surfer@M5base:~$ cd .ssh
surfer@M5base:~/.ssh$ cat id_dsa.pub >> authorized_keys

The above commands will add the public key into authorized_keys file. It is important to do add the key by using the above command so that any existing keys in the authorized_keys file are not overwritten.

update@10/0/2008

Sometime, the .ssh folder is not available, and you are required to create them manually. This may cause some problem regarding the access restriction of that folder. To create the folder, do the following:

surfer@M5base:~$ mkdir .ssh
surfer@M5base:~$ chmod -R 700 .ssh

Go here for more about the problem.

5. Test your connection
Try to log to the target ssh server, the output should be close to this:

ikhsan@M5mobile:~/.ssh$ ssh surfer@M5base
Linux M5base 2.6.20-15-generic #2 SMP Sun Apr 15 07:36:31 UTC 2007 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Wed Oct 31 21:57:19 2007 from localhost
surfer@M5base:~$

Now you can test your setup by copying file from ssh client machine to the ssh server:

ikhsan@M5mobile:~$ scp w3sp_BigPianoAlbum.rar  surfer@M5base:/home/surfer
w3sp_BigPianoAlbum.rar                        100%   33MB  11.2MB/s   00:03

… and you’re done

Update@10/06/08

If you created the .ssh folder manually, you might run into some problem where the public key authentication is bypassed due to the security level of the .ssh folder. Go here for the solution regarding this problem

By ikhsan

6 thoughts on “Public Key authentication for passwordless/unattended/batch SCP/SSH session”
  1. Good stuff! Followed your instructions step-by-step in an solaris environemnt and it worked perfectly! Saved me a lot of headache! Thanks!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.