The step by step instructions for the impatient.
SSH (Secure Shell) provides a means for secure connection
to a remote machine by encrypting some of the information transmitted
(e.g. the password). It also allows the creation of keys. Keys are a mechanism which
allows you to log in without having to type a password. In this
sense, it's more secure to use keys. However, you need to be careful
with where you leave your keys, as you are with your house and
car keys.
The concept is similar to actual keys: if the keys and the door
lock match, you can get in. If not, bad luck. How does it work? You
create the keys on your local machine (which we are going to call
"MyDesktop"). This will generate two files with random numbers: one of
them containing information that will remain in MyDesktop, and the
other which you will copy to the remote machine (which we will call
"OurServer"). When you try to log in from MyDesktop to OurServer,
OurServer sends back the key you previously copied. If MyDesktop
decodes the key and matches it against the information it has, then it
sends the positive result to OurServer, which happily accepts the
connection. If the match doesn't happen, OurServer gives you an
alternative before denying the connection: you can type your password.
Notice that in the first case you logged in without a need to type
your password. You just typed "ssh OurServer", and the machines,
transparently to you, exchanged information.
The issue with the SCS environment, however, is that home directories are usually on AFS (Andrew File System). If your home directory is on AFS, you need Kerberos authentication to access files. When you log in with keys, the shell does not do any Kerberos authentication. Therefore, AFS will not let you access the directory $HOME/.ssh, and your login will fail. Moreover, since permissions on AFS are set per directory and not per file, and AFS ignores the Unix permissions, your .ssh directory may be accessible from outside if you are not careful enough. In any case, since you need to avoid Kerberos authentication, you have two possible solutions: ask facilities to change your home directory to a local directory on the machine you want to log in to (not the easiest solution); or create a folder .ssh in a local directory on a networked machine and create a link from your AFS home directory to that folder. The latter has the advantage (or disadvantage, depending on you) that you will be able to log in to any machine without typing your password, provided that your home directory is on AFS.
Now you are thinking, "I'm tired of typing passwords, how can I do that?". CMU's current servers use ssh protocol 2. Some old servers still use ssh protocol 1 (RSA1). This will affect the key creation and the files you need to copy.
Anyway, here are the step-by-step
instructions:
$HOME/.ssh/id_dsa and
$HOME/.ssh/id_dsa.pub. Notice that the directory .ssh
is hidden in unix. Also, and this is very important: make sure that
only you have access to $HOME/.ssh! In a normal unix filesystem,
this is guaranteed by setting the permissions to
rwx------. This is the default when .ssh is
created. When creating the ssh keys, type ENTER when prompted for a passphrase.
ssh-keygen -t dsa
$HOME/.ssh/id_dsa on MyDesktop, and keep it safe. Anyone
with this file can log in to any machine where you placed your keys
without typing a password.
$HOME/.ssh/id_dsa.pub to OurServer, to the directory named
$HOME/.ssh. If the directory does not exist, create it first.
scp ~/.ssh/id_dsa.pub OurServer:.ssh/my_temp_id_dsa.pub
identity and identity.pub
instead of id_dsa and id_dsa.pub. Other than
these differences, the steps are the same.
$HOME/.ssh/authorized_keys in the remote machine.
cat ~/.ssh/my_temp_id_dsa.pub >> ~/.ssh/authorized_keys
.ssh to a networked local directory. If you do
not have a directory in a local partition, ask your boss.
mv ~/.ssh /net/AnotherServer/usr1/your_userid/
.ssh.
ln -s /net/AnotherServer/usr1/your_userid/.ssh ~/.ssh
You should now be able to log in from MyDesktop to OurServer without
typing a password.
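One way to check the "only you have access to $HOME/.ssh" requirement from the steps above, including the case where .ssh is a link to a networked local directory. This is an added example, not part of the original instructions. The function names (group_other_bits, audit_ssh_dir, demo) and the rule that any file not recognised as public material is treated as a private key are assumptions of this example.

```shell
# Added example, not from the original page. It checks Unix mode bits only;
# AFS ignores them, so there the directory ACL is what matters.

# Group+other permission characters of a path. -L follows symlinks, so a
# ~/.ssh that links to /net/... is judged by the directory it points to.
group_other_bits() {
    ls -ldL "$1" 2>/dev/null | cut -c5-10
}

# audit_ssh_dir DIR: prints one line per finding, returns the finding count.
audit_ssh_dir() {
    dir=$1; findings=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory (dangling link?)"
        return 1
    fi
    if [ "$(group_other_bits "$dir")" != "------" ]; then
        echo "OPEN-DIR: $dir should be rwx------"
        findings=$((findings + 1))
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        bits=$(group_other_bits "$f")
        case $f in
            *.pub|*/authorized_keys|*/known_hosts|*/config)
                # Public material may be readable, never group/other-writable.
                case $bits in
                    ?w????|????w?)
                        echo "WRITABLE: $f can be modified by group/other"
                        findings=$((findings + 1)) ;;
                esac ;;
            *)  # Assumption: anything else is a private key, owner-only.
                if [ "$bits" != "------" ]; then
                    echo "EXPOSED-KEY: $f is accessible to group/other"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    return "$findings"
}
# Constructed demo: a throwaway directory holding one deliberately exposed key.
demo() {
    d=$(mktemp -d) && chmod 700 "$d"
    : > "$d/id_dsa" && chmod 644 "$d/id_dsa"
    audit_ssh_dir "$d" && n=0 || n=$?
    rm -rf "$d"
    echo "findings: $n"
}
demo
```

To audit a real account, call audit_ssh_dir "$HOME/.ssh" on both MyDesktop and OurServer; a return value of 0 means no finding.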