This article is somewhat out of date. Modern OpenSSH distros include 'ssh-copy-id', a single command to transfer and append one's key to the remote list of authorized keys.
Also, ssh-copy-id will not work if you don't have password authentication enabled. The only way to get ssh keys onto an ssh box without password auth is to download them with some other method.
Install Keychain (http://www.gentoo.org/proj/en/keychain/), so you can actually use a passphrase like a smart person and not have to deal with ssh-agent and ssh-add nonsense.
1) You should definitely create a passphrase for your private key (you should only be asked to unlock it once due to ssh-agent). Otherwise if someone gets hold of your private key they can login to any machine you have set up an authorized_keys entry on.
2) use ssh-copy-id to install your public key on a remote (and fix up the permissions on ~/.ssh etc. which for me is the #1 case of key based login not working).
and fix up the permissions on ~/.ssh etc. which for me is the #1 case of key based login not working
DOH! I just spent the past 15 minutes trying to figure out why it wasn't working until I stumbled upon my .ssh directory having worldly permissions. Was just about to come here and post the same thing. chmod 700 is your friend!
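The permission problem described in the two comments above is the usual cause of sshd silently ignoring a key (with StrictModes on, it refuses a ~/.ssh directory or key file that is group- or world-accessible). Here is an added example, not from this thread or from OpenSSH itself, that audits a .ssh directory for that mistake and applies the chmod 700 / chmod 600 fix. It assumes a GNU or BSD stat, and it runs against a constructed throwaway directory rather than the real ~/.ssh:

```shell
#!/bin/sh
# Added example (not from the thread): check that a .ssh directory and its
# key files carry the permissions sshd's StrictModes expects, then fix them.

# perm_of PATH -> octal permission bits, e.g. 700
# (GNU and BSD stat differ in syntax, so try GNU first, then BSD)
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_dir DIR -> returns 0 if DIR, private keys and authorized_keys
# are closed to group/world, 1 otherwise; prints each offender
check_ssh_dir() {
    dir=$1
    bad=0
    # the directory itself must be 700
    if [ "$(perm_of "$dir")" != "700" ]; then
        echo "BAD  $dir is $(perm_of "$dir"), want 700"
        bad=1
    fi
    for f in "$dir"/id_* "$dir"/authorized_keys; do
        [ -e "$f" ] || continue
        case "$f" in *.pub) continue ;; esac   # public keys may stay 644
        p=$(perm_of "$f")
        # private keys and authorized_keys: owner-only, no group/world bits
        if [ "$p" != "600" ] && [ "$p" != "400" ]; then
            echo "BAD  $f is $p, want 600"
            bad=1
        fi
    done
    return $bad
}

# fix_ssh_dir DIR -> the chmod recipe from the thread: 700 dir, 600 keys
fix_ssh_dir() {
    chmod 700 "$1"
    for f in "$1"/id_* "$1"/authorized_keys; do
        [ -e "$f" ] || continue
        case "$f" in *.pub) chmod 644 "$f" ;; *) chmod 600 "$f" ;; esac
    done
}

# Constructed demo: a throwaway directory with the classic mistake
# (world-readable directory and key), so the real ~/.ssh is never touched.
demo_dir=$(mktemp -d)/.ssh
mkdir -m 755 "$demo_dir"
printf 'constructed-not-a-real-key\n' > "$demo_dir/id_rsa"
printf 'ssh-ed25519 AAAA...constructed user@example\n' > "$demo_dir/authorized_keys"
chmod 644 "$demo_dir/id_rsa" "$demo_dir/authorized_keys"

check_ssh_dir "$demo_dir" || echo "fixing $demo_dir"
fix_ssh_dir "$demo_dir"
check_ssh_dir "$demo_dir" && echo "OK   $demo_dir"
```

Point check_ssh_dir at a real ~/.ssh to audit it; the loop only looks at id_* and authorized_keys, so a key stored under another name would need to be added to the pattern.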
ssh -vv (with more or fewer vs) is also your friend. IIRC it tells you about the permission error either there or in the sshd log, and you can also find a lot more errors in the -vv output.
You should run ssh -vvv on a normal, working connection at least once to get a sense of what normal output is.
Thanks for the cool explanation. I never really dug into ssh that much, just posting a helper to connect without password ;)
So basically ssh-agent should be always running and you add your key to it (via ssh-add) and you never enter your password again, but the key still is generated with a passphrase? Correct?
That's correct. And on OS X (at least on 10.5) you can put the key into your keychain and unlock it with your system password. Just make sure you lock your keychain when you don't need it.
He also flubbed using ssh-agent. Usually it is run from the login script once. You then do an ssh-add to add your identity to it. Once that is done you don't need to enter your password for that session anymore. You can even allow ssh on other systems to access your agent so you can ssh to another machine, ssh from that machine to a 3rd which will use your agent for the key info.
I connect to remote machines several times in a typical workday, and this helps to save a bit of time. Furthermore, it allows some non-obvious behaviour, like closing the connection as soon as I did what I wanted. This avoids leaving an ssh session open in which you may erroneously type a command intended for your local machine. An "svn up" on the wrong machine can ruin your day.
Isn't that a bit of a security issue? One machine in the network hacked, they are all gone? Then again, hackers could just install keyloggers if they get hold of one machine. But it would be a bit more effort.
So:
Step 1:
Step 2: Done.