SSH without password from Windows/Cygwin



First of all, the OpenSSH package must be installed in Cygwin.




Note that these explanations make reference to your "home" directory (written "HOME" or "~"). On UNIX machines (including Linux) this is the directory you land in when you login, and where you keep your files; this location is stored in the environment variable "HOME". Note that "HOME" is the name of the variable, and that $HOME is the value, e.g. HOME's value may be "C:\nifty". The natural HOME for the Windows user Nifty is the existing folder "Documents and Settings\Nifty" but Cygwin and other UNIX related applications are not necessarily happy with pathnames that include blanks, so you should create your own HOME directory for Cygwin as described below.



Windows only


SSH can give you authenticated and encrypted connections to remote computers. If you set up keys you can make these connections without passwords. Installing Cygwin is pretty easy but the home directory and public/private key business, on Cygwin, is something of a pain; it's going to push the "beginner" envelope but is doable. If you don't mind typing passwords with every connection, you can skip all the Windows HOME business below after installing and running Cygwin. If for some reason you do not wish to install Cygwin on Windows you may want to consider PuTTY. I do not cover how to use PuTTY here.


Installing Cygwin on Windows: This is pretty straightforward. Download the Cygwin installation wizard setup.exe from the Cygwin site and double-click on it. Most of the default selections in the wizard are fine. Select a place to install Cygwin (recommended: C:\cygwin) and select a place to put the installation files (the same place works). Choose an ftp site from the list and then review the additional packages you want installed. You must select at least the ssh package from the Net section (and the cvs package from Devel if you know you will need cvs); these are not selected by default. You do not need the sources.


Running Cygwin on Windows: You start a Cygwin console from the Start menu, and type the commands in that window. (If the shell does not open in the HOME directory, see below). The ls command lists files and folders ("directories" in UNIX lingo). The cd command enables you to change directories, "cd .." moves you up a directory. The Cygwin console is much like a regular UNIX terminal and may be customized on startup with .bash_profile and .bashrc files in your HOME directory. Search the web for more about UNIX for beginners. You can see the (terse) documentation for any command by using the "man" command, for example, "man ls" or "man ssh-keygen".


By the way, Cygwin comes with a small program to set up ssh for you. The command is ssh-user-config, which will create keys and a .ssh directory in your HOME directory. However, it will not create the HOME directory, nor fix your /etc/passwd, nor put the public key on the remote computer, all of which are necessary and described below. I've never used it.


Creating the home directory with Cygwin: The Cygwin installation folder contains folders "usr" and "bin". If there is not one already, add a folder called "home" and in that folder add a folder with some name, typically your user name, e.g., "nifty". This will be the folder where ssh.exe will look for the .ssh folder containing your keys; see below. (Cygwin thinks your home is where the line in /etc/passwd says it is, see below). Note your home directory does not have to be in Cygwin's "/home" (mine is not), you can put it anywhere, e.g., C:\nifty. To do this, you will have to start a Cygwin console and run


      $ cd /

      $ mkdir home

      $ cd home

      $ ln -s /cygdrive/c/nifty nifty

    The "ln" command is making a symbolic link, like a Windows shortcut, from Cygwin's /home/nifty to your C:\nifty. Note that "/cygdrive/c/nifty" is Cygwin's way of saying "C:\nifty". If your HOME is on another drive, say D:, use the cygwin prefix /cygdrive/d.


Setting the HOME environment variable on Windows: For Win2K/XP right click on "My Computer", click on "Advanced" and "Environment variables". Add a personal environment variable HOME with value, e.g., C:\cygwin\home\nifty (or if you did the ln business above, C:\nifty). You shouldn't need to reboot.


For Win9x/Me, you must put a line in your autoexec.bat file (usually C:\autoexec.bat) which sets it, e.g.,


      set HOME=C:\cygwin\home\nifty

    or

      set HOME=C:\nifty

    and reboot. Be sure to edit the autoexec.bat with a text editor (like Notepad) and not a word processor (like Word).


By the way, environment variables are useful for a variety of programs; this is where you would set your CVS_RSH, ANT_HOME, JAVA_HOME, and JIKESPATH if you were a Java programmer using cvs with ssh. If you wanted Cygwin commands available from DOS prompts you would append ";C:\cygwin\bin" to your PATH variable.


Checking the home in the /etc/passwd file on Windows: In your Cygwin root install folder (C:\cygwin) there is a folder etc/ containing a file "passwd" (if this file is missing it can be created with the Cygwin command "mkpasswd"). The lines in this file contain fields separated by colons (:). In a new Cygwin installation the last line will be for your Windows user name. The last field will be "/bin/bash". Make sure the next-to-last field in the line for your Windows user name is "/home/nifty" (it's OK if "nifty" is a link). Do not use Windows "C:\" notation. Be sure to edit the /etc/passwd file with a text editor (like Notepad or Wordpad) and not a word processor (like Word).


If the Cygwin shell doesn't open in $HOME: On some of my installations the Cygwin Bash shell did not open in $HOME but in /usr/bin (the prompt was "/usr/bin $", not, e.g., "nifty/ $"). One way to fix this is to put a file ".bash_profile" containing the line "cd $HOME" into your $HOME directory. This is another file which must be created with a text editor.



Linux and Windows


OpenSSH to OpenSSH (ssh2)

Check that ssh functions at all: SSH can replace telnet even without keys. Suppose you are connecting to the remote computer as user "dude". Run


      $ ssh

    ssh will ask if you want to keep connecting; type "yes", and then it should ask for your password and open a shell in dude's home directory on foobar, just like telnet. If this fails, there is a problem somewhere. Make sure everything is set up right on your end, and also make sure that foobar is accepting ssh connections. If it's not, you're wasting your time.


Once ssh is functioning we will set up the keys so it will no longer be necessary to send passwords. If you are curious about the theory of this then read up on "public key cryptography".


Create your keys: You need to create private and public ssh keys and put them in the proper place with the proper permissions. In your home directory create a folder .ssh ($ mkdir .ssh), if there is none. Create the keys with the command


      $ ssh-keygen -t dsa

    The ssh-keygen program will ask for a passphrase, just hit the "Enter" key unless for some reason you know you want a passphrase. This creates the keys id_dsa and and puts them in .ssh/. The private key id_dsa must be readable only by you; change its permissions with

      $ chmod 600 .ssh/id_dsa


Put the public key on the remote computer: In this section we are assuming the remote computer is also running OpenSSH. Somehow, you must get the .ssh/ key onto the remote computer, whether by email, ftp, carrying it over on a floppy (sneakernet), etc.; the cool way to do it is to use scp, which was installed along with ssh. Suppose the remote computer is named, and your account there is "dude". To copy the file to foobar, run



      $ scp .ssh/

    Don't forget the trailing colon. You will be asked for dude's password on foobar before the copying commences. The file will be copied to dude's home directory on foobar.


Install the public key on the remote computer: (We assume the remote computer is running OpenSSH on Linux or UNIX!) Once is on the remote computer, log in to the remote computer (you can use ssh to log in as described above). From your home directory (where you should see your newly arrive create a .ssh folder if none exists. Then append your to a file in .ssh with


       $ cat >> .ssh/authorized_keys

    This will create the file authorized_keys if none exists. The key may be removed from the remote computer's home directory, if you like. The .ssh folder on the remote computer must have the correct permissions, you may set them with

       $ chmod 4755 .ssh

    You can also try: chmod -R go-rw ~/.ssh on the remote computer.


Checking the password-less connection: Now the command


       $ ssh

      should give you a password-less connection to Likewise, scp should be password-free.
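
A permission check for the finished setup, as an added example that is not part of the original notes: sshd's default StrictModes ignores authorized_keys when that file or the .ssh directory is writable by group or others, and the ssh client refuses a private key that others can read. The function name audit_ssh_dir and the finding labels are made up for this example; it also flags ssh-dss (DSA) entries, which OpenSSH has disabled by default since version 7.0.

```shell
#!/bin/sh
# Added example: audit an .ssh directory after the key setup described above.
# Prints one finding per line; exit status 0 means no findings.

# perm_string PATH -> 10-character mode string such as drwxr-xr-x
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# writable_by_others PATH -> succeeds if group or others have write permission
writable_by_others() {
    case $(perm_string "$1") in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

audit_ssh_dir() {
    dir=$1
    findings=0
    report() { echo "$1"; findings=$((findings + 1)); }

    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }

    # sshd (StrictModes, on by default) ignores authorized_keys when the
    # directory or the file is writable by group or others.
    if writable_by_others "$dir"; then report "DIR_WRITABLE $dir"; fi
    ak="$dir/authorized_keys"
    if [ -f "$ak" ]; then
        if writable_by_others "$ak"; then report "AUTHKEYS_WRITABLE $ak"; fi
        # ssh-dss (DSA) keys are disabled by default since OpenSSH 7.0.
        if grep -Eq '(^|[[:space:]])ssh-dss[[:space:]]' "$ak"; then
            report "DSA_KEY_AUTHORIZED $ak"
        fi
    fi

    # The ssh client refuses a private key that group or others can access.
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        case $key in *.pub) continue ;; esac
        if [ "$(perm_string "$key" | cut -c5-10)" != "------" ]; then
            report "PRIVATE_KEY_EXPOSED $key"
        fi
    done

    [ "$findings" -eq 0 ]
}
```

Call audit_ssh_dir ~/.ssh on the local machine and again on the remote one; an exit status of 0 means no findings.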


By the way, all the commands you do by first logging into the remote computer can be done remotely using ssh. See the documentation for details.




