1. I generate an RSA key:

ssh-keygen 

When generating, I leave the default file name and enter only the passphrase.


2. Copy it to a remote server:

 ssh-copy-id -i ~/.ssh/id_rsa host.example.com 

3. I log in:

 ssh host.example.com 

4. I am prompted for the passphrase; I enter it and the login succeeds. From then on, for the rest of the session (until I log out), connecting to the remote server again does not prompt for the passphrase: the login happens immediately.


Questions

  1. Is this how it should be? It seemed to me that once I had logged in once (entered the passphrase), it would no longer be required, regardless of the session.

  2. How do I make the login fully automatic? That is, so that after rebooting the computer I could simply type ssh host.example.com and end up on the remote host without entering a passphrase.

    2 answers

    Is this how it should be? It seemed to me that once I had logged in once (entered the passphrase), it would no longer be required, regardless of the session.

    Yes, this is how it should be. The passphrase is an additional layer of security. However, if you do not plan to lose the medium holding the private key, feel free to generate a new key with an empty passphrase. The login will then be completely automatic.

    Otherwise you will have to enter it once per session, in other words, enter it at login. But then what is the point of the key, if your secret phrase is secret anyway? ))

    • Yes, I did just that... I just didn't quite understand your question... Could you rephrase it? - Roman Grinyov
    • I do not have a question, but an assertion: if you cannot keep the "private" (read: secret) key secret, there is a high probability that you will "hand over" the passphrase to the spies along with the key) A joke. A small, Georgian one. Just take care of your private key, and that will be enough to ensure an acceptable level of privacy. - Majestio
    • @RomanGrinyov, encryption of the private key (with the "passphrase") was implemented precisely so that even if the file with the private key fell into an attacker's hands, he would not be able to use it. Even carrying this file with you (for example, on removable media) does not insure against loss or theft (of the medium itself). But the encryption guarantees that as long as you yourself do not tell anyone the passphrase, nobody can use your private key, even if they have the file in which it is stored. - aleksandr barakin

    From then on, for the rest of the session (until I log out), connecting to the remote server again does not prompt for the passphrase: the login happens immediately.
    Is this how it should be? It seemed to me that once I had logged in once (entered the passphrase), it would no longer be required, regardless of the session.

    You don't mention explicitly using the ssh-add program, so the fact that running $ ssh machine sometimes does not even ask for the password (the passphrase) that encrypts the key looks strange.

    You may have OpenSSH version >= 7.2 installed on your system. You can check the version, for example, like this:

     $ ssh -V 

    In this version it became possible, using the AddKeysToAgent option, to hand the decrypted key over to the ssh-agent program automatically. This is what the change log says (see also the description in $ man ssh_config and $ man ssh if you have OpenSSH 7.2 or higher):

    ssh(1): Add an AddKeysToAgent client option which can be set to 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a private key that is used during authentication will be added to ssh-agent if it is running (with confirmation enabled if set to 'confirm').

    But by default this option is no (do not add the key). It may be overridden in the global and/or user configuration file; see the output of:

     $ grep -i addkeystoagent /etc/ssh/ssh_config ~/.ssh/config 

    What kind of "beasts" ssh-add and ssh-agent are, I briefly described in this answer. After reading it, I hope it will become clearer why the decrypted key held in the memory of the ssh-agent process can be used repeatedly during the X session without having to enter the passphrase every time the $ ssh machine command is run, but will be "lost" when the X session is restarted (i.e., after logout): the ssh-agent process is restarted and "forgets" all the decrypted keys.

    How do I make the login fully automatic? That is, so that after rebooting the computer I could simply type ssh host.example.com and end up on the remote host without entering a passphrase.

    Here is my answer to an absolutely identical question.
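An added example (not from the answer above, and not code from OpenSSH itself) that turns the two checks this answer describes into shell functions: `ssh_version_at_least` parses the output of `ssh -V` and compares it against 7.2, and `effective_addkeystoagent` reads an ssh_config file and reports the AddKeysToAgent value that applies to a given host, following the rule from ssh_config(5) that the first obtained value for each parameter wins, so a `Host *` block placed before a more specific one silently overrides it. The configuration file and the version strings are constructed for the example; the parser handles Host patterns with `*`, `?` and `!` but, as stated in the code, ignores Match blocks and Include directives (an assumption that keeps it short, not a description of ssh's own parser).

```shell
#!/bin/sh
# Added example, not part of the original answer or of OpenSSH.
# Two helpers for the checks the answer describes: is OpenSSH >= 7.2,
# and which AddKeysToAgent value a given ssh_config applies to a host.

# ssh_version_at_least "<output of ssh -V>" MAJOR MINOR
# Returns 0 (true) if the OpenSSH version in the string is >= MAJOR.MINOR.
ssh_version_at_least() {
    _v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$_v" ] || return 1
    _maj=${_v%% *}
    _min=${_v##* }
    if [ "$_maj" -gt "$2" ] || { [ "$_maj" -eq "$2" ] && [ "$_min" -ge "$3" ]; }; then
        return 0
    fi
    return 1
}

# effective_addkeystoagent CONFIG_FILE HOST
# Prints the AddKeysToAgent value that applies to HOST ("no" if unset).
# Assumption: only Host blocks are evaluated; Match and Include are ignored.
effective_addkeystoagent() {
    awk -v host="$2" '
    # Turn an ssh_config host pattern (* and ? wildcards) into an anchored regex.
    function glob2re(p,    r) {
        r = p
        gsub(/\./, "\\\\.", r)
        gsub(/\*/, ".*", r)
        gsub(/\?/, ".", r)
        return "^" r "$"
    }
    BEGIN { active = 1; value = "" }
    {
        sub(/#.*/, "")                 # drop comments
        sub(/[ \t]*=[ \t]*/, " ")      # accept "Keyword=value" as well as "Keyword value"
        if (NF == 0) next
        key = tolower($1)
        if (key == "host") {
            pos = 0; neg = 0
            for (i = 2; i <= NF; i++) {
                n = split($i, pats, ",")
                for (j = 1; j <= n; j++) {
                    if (substr(pats[j], 1, 1) == "!") {
                        if (host ~ glob2re(substr(pats[j], 2))) neg = 1
                    } else if (host ~ glob2re(pats[j])) pos = 1
                }
            }
            active = (pos && !neg)     # block applies only if a positive pattern hit and no negated one
            next
        }
        if (key == "match") { active = 0; next }   # Match blocks are not evaluated (assumption)
        # first obtained value wins: keep the first AddKeysToAgent seen in an active block
        if (active && key == "addkeystoagent" && value == "") value = tolower($2)
    }
    END { print (value == "" ? "no" : value) }
    ' "$1"
}

# Writes a constructed ~/.ssh/config to a temp file and prints its path.
demo_config_path() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
# constructed ~/.ssh/config for this example (not a real user's file)
Host *.example.com
    AddKeysToAgent yes
Host *
    AddKeysToAgent no
EOF
    printf '%s\n' "$_f"
}

cfg=$(demo_config_path)
printf 'host.example.com -> %s\n' "$(effective_addkeystoagent "$cfg" host.example.com)"   # yes
printf 'other.org        -> %s\n' "$(effective_addkeystoagent "$cfg" other.org)"          # no
rm -f "$cfg"

ver=$(ssh -V 2>&1 || true)
if ssh_version_at_least "$ver" 7 2; then
    printf 'OpenSSH >= 7.2: AddKeysToAgent is available\n'
else
    printf 'OpenSSH older than 7.2 or not found: AddKeysToAgent is not available\n'
fi
```

On a real system the authoritative check is `ssh -G host.example.com | grep -i addkeystoagent`, which prints the value ssh itself would use after reading both the user and the system-wide configuration; the function above exists to show how that value is arrived at. If the reported value is `yes`, the passphrase-free second login within a session is the expected behaviour, and the key stays usable only as long as that ssh-agent process lives.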