How to ssh to remote web server without using a password

ssh terminal unix

I'm new to OS X.

As per title, I'm having trouble connecting to my web server through SSH.
My server accepts keys and we don't use passwords.
I've come from Windows, and on Windows I used PuTTY to connect to my server using a .ppk file generated using PuTTYGen.

On the Mac, I've generated using ssh-keygen -t rsa -b 2048 and made a key.ppk file in ~/.ssh and pasted the contents of my Windows .ppk file into it.

I also made a config file with the following contents…

Host domain.com
  IdentityFile ~/.ssh/key.ppk
  User username

When I try to connect, Terminal prompts me for a password (why?), then when I enter nothing and press OK it fails with the message

Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Any help on what I'm doing wrong will be great!
Thanks for reading and thanks in advance for any tips.

Best Answer

On Reusing Your Windows key.ppk File

The PPK file is a PuTTY-specific private key. It's not a portable private key that works with any ssh-based application. It just works with PuTTY. You need to convert it first. I've found some instructions for converting it to a proper public/private key pair here. You'll need to do this from your Windows machine.

That will give you a private key, key.ssh, that will work with ssh on your Mac. Put the key.ssh file in your ~/.ssh/ directory. Make sure the permissions are correct:

% chmod 400 ~/.ssh/key.ssh

And then you can use it with your ~/.ssh/config file like so:

Host domain.com
  IdentityFile ~/.ssh/key.ssh
  User username

If you no longer have access to your Windows machine you'll need to generate a fresh public/private key pair to use with your web server.

On Generating a Fresh Keypair To Use With Your Mac

Honestly, this is the best way to go here.

Password-less authentication with shared keys requires that both machines have a piece of the shared/public key pieces. Here's a complete recipe for setting up a shared key authentication scheme with two servers. It's not really OS X-specific. It's ssh-specific.

These instructions assume host1 is your Mac and host2 is your web server.

Generate a shared key on host1 (the shared key will be /Users/you/.ssh/webserver.pub and the private key will be /Users/you/.ssh/webserver):

% ssh-keygen -t rsa -b 2048 -f ~/.ssh/webserver
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in webserver.
Your public key has been saved in webserver.pub.
The key fingerprint is:
98:b7:fa:0f:0d:e7:7f:50:cc:9b:b4:57:db:8d:b4:03 ian@Ian-Chesals-iMac.local
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|             o   |
|       o    E * .|
|      o S .  = *=|
|       . *  . B.+|
|        o o  . o |
|       . . .  .  |
|      ..... ..   |
+-----------------+

Note: I didn't enter a password for the key because I don't want to have to use a password when I use the key.

Now you need to append the ~/.ssh/webserver.pub public key to the ~user/.ssh/authorized_keys file on host2, your webserver.

% cat ~/.ssh/webserver.pub | ssh user@host2 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'

For this to work you will need password access to the remote host. If you don't have this you can give ~/.ssh/webserver.pub to someone who does have access to the box and ask them to append it to the authorized_keys file for you perhaps. Or do it from your Windows machine where you still have access.

Now make sure your private key is safe on your Mac:

% chmod 400 ~/.ssh/webserver*

ssh can get complain-y if your private/public keypairs are world readable or writeable.

Finally, you can add the following to your ~/.ssh/config file to invoke the right key combination when you try to ssh in to your web server:

Host domain.com
  IdentityFile ~/.ssh/webserver
  User username

This will get you the password-less, keypair-based authentication you desire.
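
The two things this answer checks by hand (that the IdentityFile is a private key in a format OpenSSH reads, not a PuTTY .ppk, and that group and other have no access to it), written as a shell script. This is an added example, not part of the original answer; the function names are made up for illustration, and the strings matched are the standard first lines of PuTTY, OpenSSH and PEM key files.

```shell
#!/bin/sh
# Added example: classify the file named in IdentityFile and check its mode.

# key_format FILE -> prints one of: ppk, openssh, pem, public, unknown
key_format() {
    # Strip CR so a file pasted from Windows is still recognised.
    first_line=$(head -n 1 2>/dev/null < "$1" | tr -d '\r')
    case "$first_line" in
        PuTTY-User-Key-File-*)                 echo ppk ;;     # PuTTY-specific, must be converted first
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;; # current ssh-keygen output
        "-----BEGIN "*"PRIVATE KEY-----")      echo pem ;;     # older PEM-encoded private key
        ssh-*|ecdsa-*)                         echo public ;;  # a .pub file, not a private key
        *)                                     echo unknown ;;
    esac
}

# key_mode_ok FILE -> exit status 0 when group and other have no permission bits
key_mode_ok() {
    # Characters 5-10 of the ls mode string are the group and other bits;
    # parsing ls avoids the differing stat(1) flags on macOS and Linux.
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# check_identity FILE -> prints a one-line verdict
# returns 1 for a wrong format, 2 for permissions that are too open
check_identity() {
    fmt=$(key_format "$1")
    case "$fmt" in
        openssh|pem) ;;
        *) echo "$1: format '$fmt' is not usable as an ssh IdentityFile"; return 1 ;;
    esac
    if ! key_mode_ok "$1"; then
        echo "$1: accessible by group/other, run chmod 400 on it"
        return 2
    fi
    echo "$1: ok ($fmt)"
}

# Stand-alone use: sh check_identity.sh ~/.ssh/key.ppk ~/.ssh/webserver
for f in "$@"; do
    check_identity "$f"
done
```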