Secure Copying without a Password

by Michael Greifenkamp (June 2nd, 2004)

I want to make tape archive files (.tar) for several important directories on my web server at work. Eventually I am going to write a script to automate the backup of these directories, but before I can do that, I need to make sure that I can connect from the Linux server to my OS X machine without entering a password. I will probably set the script to run in the middle of the night, and I will not be around to enter a password every evening at that time!

I am going to start by creating a new user just for this purpose. Since I will be doing things on both the G5 and the remote Linux server via terminal windows, I think that I will differentiate these by making the G5 commands gray and the Linux commands dark red, just for clarification.

I will start by making a new user on the Linux server...

# su -l
(enter root password)
# useradd -m callimachus

...and set a password right away by doing:

# passwd callimachus

and entering a new password (twice for verification). Now I need to add callimachus to the web and mysql groups, so that the tarballs can be created without permissions problems. If you would like more of an explanation of how to add a user to a group, see this article.

# cd /etc
# vi group

Once the file is written, go ahead and leave superuser mode.

Turn your attention back to the OS X machine for a moment. Apparently OS X does not use either the adduser or useradd utilities in the terminal, and rather than research it, I was lazy and just opened the control panel "Accounts" and added the user callimachus that way.

Once that is taken care of, it is time to generate the keys. Log into the Linux machine as the new user--in my case, callimachus. (Incidentally, Callimachus was a librarian and cataloger in the Alexandrian Library in the 3rd century B.C.--seemed fitting for the user that will be responsible for keeping track of multiple tape archive files, eh?).

# ssh-keygen -t rsa
(hit enter three times--the default location is okay, and we do not need a passphrase for the key itself...)

Now note the name of the key--which will end in ".pub"--and its location. We need to copy this key over to the OS X machine so that it will recognize our new user as someone to be trusted. I am using as the IP address of the OS X machine--obviously use the address of your machine in place of the IP address that I show below.

# cd ~/.ssh
# scp

The "." after the colon tells it to copy the file into the user's home directory on the remote machine. When you hit enter, you will probably be given the standard "Unknown host... Do you want to connect?" question, to which you should answer "yes," of course. Then enter your password--if all goes well, this will be the last time you will have to do so.

Now, log back into the OS X machine (it would be helpful to have desktop space to have multiple terminal windows open at once). If you have not connected remotely to anything from the OS X machine, you will not have a .ssh directory, so you will need to create one before continuing. Then copy the public key into that directory and rename the key file "authorized_keys."

# mkdir ~/.ssh
# cp .ssh
# cd .ssh
# mv authorized_keys
# chown callimachus authorized_keys

Now, if you already have a .ssh directory, but no "authorized_keys" file, do everything above except making the .ssh directory. If, however, you not only have a .ssh directory, but already have a file called "authorized_keys," we'll need to append the new key to that file. Do this next part only if you already have a file ~/.ssh/authorized_keys:

# cd ~
# cat >> .ssh/authorized_keys
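
The three cases above (no .ssh directory, a directory without "authorized_keys," and an existing "authorized_keys") handled by one routine, as an added example that is not part of the original article. It assumes it is run as the receiving user; install_pubkey and its two arguments are hypothetical names, and the key in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original article. install_pubkey and its
# arguments are hypothetical names; run it as the receiving user.
install_pubkey() (
    pubkey_file=$1                 # the copied *.pub file
    home_dir=$2                    # home directory of the receiving account
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Read only the first line; a public key is a single line.
    IFS= read -r key < "$pubkey_file" || [ -n "$key" ] || {
        echo "cannot read a key from $pubkey_file" >&2; exit 1; }

    # Refuse anything that is not a public key, e.g. the private half
    # (which starts with "-----BEGIN") copied by mistake.
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "$pubkey_file is not an SSH public key" >&2; exit 1 ;;
    esac

    umask 077                      # anything created below is owner-only
    mkdir -p "$ssh_dir"
    # sshd's StrictModes ignores keys if these are group/world-writable.
    chmod 700 "$ssh_dir"
    touch "$auth_file"

    # If the last line lacks a newline, add one so keys do not fuse.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi
    # Append only if this exact line is absent, so reruns are harmless.
    grep -qxF -- "$key" "$auth_file" || printf '%s\n' "$key" >> "$auth_file"
    chmod 600 "$auth_file"
)

# Demo on a throwaway directory with a constructed (not real) key.
demo=$(mktemp -d)
echo 'ssh-rsa AAAAB3CONSTRUCTEDSAMPLE callimachus@linux-server' > "$demo/id_rsa.pub"
install_pubkey "$demo/id_rsa.pub" "$demo/home" && ls -l "$demo/home/.ssh"
```

Because the function body is a subshell, the umask change and the variables do not leak into the calling shell.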

Now, go back and terminal in to the Linux box, or just go back to that window if you still have it open, and we will try to copy the key file again (just as a test). Hopefully it will copy without asking for a password.

# cd ~/.ssh
# scp

Poof! (?) The file should have copied without asking for a password. Now when we write the automated script later, you will not have to come in to work at 2:00 a.m. and enter a password. Enjoy your sleep.