Basics
To log into a system with your current username, just call ssh hostname:
georg@erde:~$ ssh sonne
Passwort: ***********
georg@sonne~$
Note: the password will not be displayed (not even stars).
If you have a different account on the other system, prepend your
user name like in an e-mail address: ssh gw@sonne.
With the command line option -X (upper case X),
the X11 session will be forwarded over the SSH connection.
When you start a program with a GUI,
it will be displayed on your local screen and your input
will be redirected to the program running on the remote machine.
Using password-less login
SSH can create a pair of public and private keys to log
into systems without entering the password every time.
Additionally, this comes in handy for scripts, where you
would never put your password in.
First, create a key pair with ssh-keygen.
It will ask for a name where to store the key files
and for a passphrase.
The phrase should be taken literally: this will be your
master key, don't just provide 8 characters (or none).
I will show how to use the ssh-agent, so this passphrase
will only be entered once after login.
See man ssh-keygen for more options.
Distributing the public key
The private key must be kept secret.
By default, it is stored in the hidden directory ~/.ssh/
in the file id_rsa and is only readable by the user.
(SSH will refuse to use it if the file is readable by anyone other than the owner.)
The public key has the extension .pub (id_rsa.pub).
To be accepted, it must be appended to the file ~/.ssh/authorized_keys
on the target system.
If your home directories are synchronized (e.g. via NFS),
just append it to the local file:
~$ cd .ssh
.ssh$ cat id_rsa.pub >> authorized_keys
Otherwise, the public key must be copied to the remote machine.
The tool ssh-copy-id helps: just call it with the hostname
(or name@hostname, if the account is named differently):
georg@erde~$ ssh-copy-id mond
Password: ***********
Now try logging into the machine...
georg@erde~$ ssh mond
georg@mond~$
Using the SSH-Agent to avoid the passphrase
If you have followed the steps above, you have so far only
replaced the (probably 8 character) password with a (according
to my suggestion much longer) passphrase.
But as promised, there's help:
$ eval "$(ssh-agent)"
$ ssh-add
Passphrase: *************************
$ ssh sonne
The first line starts the SSH-Agent in the background; the eval is
needed so that your shell picks up the environment variables the agent
prints, which ssh and ssh-add use to find it.
Then ssh-add registers your private keys with the agent.
It will ask for the passphrase.
From now on, every subsequent SSH will use the password-less
(and passphrase-less) login.
If your public key is not on the target system,
SSH falls back to asking for the password.
With the command line option -A,
you can even forward the agent to a remote machine
and then log in from there to the next machine
without entering a password (or -phrase) again.
More configuration for more convenience
SSH can be configured with the file ~/.ssh/config.
Some global settings are:
ForwardAgent yes
ForwardX11 yes
These settings globally activate the command line options -A and -X.
Settings for specific target machines can be given:
Host work
User gw
Hostname mymachine.example.com
This would set an alias work for gw@mymachine.example.com.
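The two checks below are an added example, not part of the original tutorial: the first lists private keys that are accessible to group or others (the condition under which SSH refuses the key, as described under "Distributing the public key"), the second lists ForwardAgent/ForwardX11 settings that apply to every host instead of to one Host block. Forwarding gives the remote machine access to your agent and X display for the duration of the connection, so these options are usually better placed under the hosts that need them; the function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.

# List private keys (files with a matching .pub) in directory $1 that are
# accessible to group or others; ssh refuses to use such keys.
loose_private_keys() {
    for pub in "$1"/*.pub; do
        [ -e "$pub" ] || continue
        key=${pub%.pub}
        [ -f "$key" ] || continue
        # Characters 5-10 of the ls mode string are the group/other bits.
        bits=$(ls -ld "$key" | cut -c5-10)
        [ "$bits" = "------" ] || echo "$key"
    done
}

# List ForwardAgent/ForwardX11 "yes" lines in config file $1 that apply to
# every host: before the first Host/Match line, or under "Host *".
global_forwarding() {
    awk '
        { gsub(/=/, " "); key = tolower($1) }
        key == "host"  { scoped = !(NF == 2 && $2 == "*"); next }
        key == "match" { scoped = !(NF == 2 && tolower($2) == "all"); next }
        !scoped && (key == "forwardagent" || key == "forwardx11") &&
            tolower($2) == "yes" { print NR ": " $1 " " $2 }
    ' "$1"
}

# Constructed sample: this page's global settings plus its Host block,
# and a key pair whose private half is deliberately world-readable.
sample=$(mktemp -d)
printf '%s\n' 'ForwardAgent yes' 'ForwardX11 yes' \
    'Host work' 'User gw' 'Hostname mymachine.example.com' > "$sample/config"
: > "$sample/id_rsa.pub"
: > "$sample/id_rsa"
chmod 644 "$sample/id_rsa"
loose_private_keys "$sample"
global_forwarding "$sample/config"
rm -rf "$sample"
```

Moving the ForwardAgent and ForwardX11 lines below "Host work" makes the second check print nothing for that file.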