Passwordless SSH Login is Easy to Set Up
If you have a Linux server then you know how tedious it is to enter your password every time you log in to your server over ssh, and again every time you use the scp utility to transfer files between your server and workstation. This guide explains how to set up passwordless ssh login so you don’t have to enter your password anymore. Besides, it adds another security layer to your server against hackers.
2 Easy Steps to Set Up Passwordless SSH Login
Step 1: Generate a Private/Public Keypair on Your Workstation
Just enter the following command in a terminal. I assume you are using some kind of Unix-like OS on your workstation. Sorry Windows users, I’m not a Windows guy.
ssh-keygen -t rsa
-t stands for type. The above command generates an RSA keypair. RSA is the default type, so you can also just type ssh-keygen in the terminal. By default the key is 2048 bits long; if you would like more security you can specify a 4096-bit key.
ssh-keygen -b 4096 -t rsa
Then hit enter to accept the default file in which to save your key. Next enter a good passphrase, at least 20 characters long. The longer the better. The private key (your identification) will be saved in .ssh/id_rsa under your home directory. The public key will be saved in the .ssh/id_rsa.pub file.
Generating public/private rsa key pair.
Enter file in which to save the key (/home/matrix/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/matrix/.ssh/id_rsa.
Your public key has been saved in /home/matrix/.ssh/id_rsa.pub.
The key fingerprint is:
e1:dc:ab:ae:b6:19:b0:19:74:d5:fe:57:3f:32:b4:d0 [email protected]
The key's randomart image is:
+---[RSA 4096]----+
| .. |
| . . |
| . . .. . |
| . . o o.. E .|
| o S ..o ...|
| = ..+...|
| o . . .o .|
| .o . |
| .++o |
+-----------------+
You can see that your private key is encrypted.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
Step 2: Upload Your Public Key to Remote Server
This can be done with the ssh-copy-id command:
Enter the remote user’s password.
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
remote-user@remote-ip's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
The public key is stored in the .ssh/authorized_keys file under the remote user’s home directory. Now ssh into the remote server.
This time you need to enter your RSA key passphrase to unlock the private key. Once you have entered the correct key passphrase, you are logged in. You only need to enter the passphrase once. Exit from the remote server.
Now ssh into the remote server again:
You can see that you are automatically logged into the remote server and you don’t have to type a password or key passphrase any more. Nor do you have to type a password or key passphrase to transfer files with scp. That is because the key passphrase is stored in a keyring, and the keyring is automatically unlocked for the user when they log in on the workstation. On Ubuntu the keyring program is called seahorse.
From now on the communication between your workstation and server is encrypted using the public key, and only the private key can decrypt it. The public key is like a padlock that locks the message, and the private key is like the key that unlocks the padlock. The private key identifies you to the remote server, because only you have the private key. Don’t share your private key with anyone.
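What ssh-copy-id does on the remote side is small enough to do by hand, and it is worth seeing because the details are where logins silently fail: sshd ignores an authorized_keys file (or a ~/.ssh directory) that is group- or world-writable, and a key pasted twice or a private key pasted by mistake are the usual accidents. The script below is an added example, not code from the original article or from OpenSSH; the function name, the throwaway HOME directory and the key text are assumptions and constructed sample data.

```shell
#!/bin/sh
# Added example: the remote-side half of ssh-copy-id done by hand.
# Appends a public key to ~/.ssh/authorized_keys exactly once and sets the
# permissions sshd's StrictModes check expects (700 on ~/.ssh, 600 on the file).
# install_pubkey and the sample key below are assumptions / constructed data.

# install_pubkey <public-key-file> [<target-home>]
# Prints "added" or "present"; returns 1 if the file is not a public key.
install_pubkey() {
    pubkey_file=$1
    target_home=${2:-$HOME}
    ssh_dir="$target_home/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # A public key is one line starting with the key type; refuse anything
    # else so a private key pasted by mistake never lands in the file.
    key=$(head -n 1 "$pubkey_file")
    case $key in
        "ssh-rsa "*|"ssh-ed25519 "*|ecdsa-sha2-*|sk-*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    # Create with umask 077 so nothing is world-readable even for an instant,
    # then pin the modes in case the directory or file already existed.
    (umask 077; mkdir -p "$ssh_dir"; : >> "$auth_keys")
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_keys"

    # Match on key type + base64 blob only, so the same key with a different
    # trailing comment still counts as already installed.
    blob=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    if awk -v blob="$blob" '($1 " " $2) == blob { found = 1 } END { exit !found }' "$auth_keys"; then
        echo present
    else
        printf '%s\n' "$key" >> "$auth_keys"
        echo added
    fi
}

# Demo on a throwaway HOME so the real ~/.ssh is untouched.
demo_home=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBlobNotARealKey matrix@workstation' \
    > "$demo_home/id_ed25519.pub"                            # constructed sample key
install_pubkey "$demo_home/id_ed25519.pub" "$demo_home"      # prints: added
install_pubkey "$demo_home/id_ed25519.pub" "$demo_home"      # prints: present
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

Keys that carry an options prefix in authorized_keys (for example a command= restriction before the key type) are not recognised by the duplicate check, since the first two fields are then the option string and the type; extend the awk match if you use such entries.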
Tip #1: Disable Password Login
Although you can use SSH keys to log into the remote server, you can still log in with a normal password. You can verify this by creating a new user on your system:
sudo adduser newuser
Next switch to the new user:
su - newuser
Now ssh into your remote host. You can see that password login is still working. To disable password login, edit the /etc/ssh/sshd_config file on the remote host.
sudo vi /etc/ssh/sshd_config
Find this line:
Change it to:
Save the file and restart the ssh service:
sudo service ssh restart or sudo service sshd restart
Now if you don’t have ssh keys in the .ssh directory, you will see the following error when you try to ssh into your remote host.
Permission denied (publickey).
That means the remote host only allows ssh login using ssh keys and does not allow password authentication.
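Editing sshd_config by hand has one trap worth knowing: sshd applies the first value it finds for a directive, so a line appended at the bottom of the file loses to a stray earlier one, and a directive placed after a Match block applies only to that block. The script below is an added example, not code from the original article or from OpenSSH; the function names, the file path and the sample configuration are assumptions and constructed data. It sets a directive idempotently in a copy of the file and reads back the value sshd will actually use.

```shell
#!/bin/sh
# Added example: set an sshd_config directive from a script and read back what
# sshd will apply. Paths and the sample config are assumptions / constructed data.
# Run against a copy first; when editing the real file keep a second ssh
# session open while you restart sshd so a mistake cannot lock you out.

# set_sshd_option <file> <directive> <value>
# Replaces the first top-level occurrence (commented out or not), drops later
# duplicates, and if the directive is absent inserts it before the first Match
# block (lines after Match are conditional and cannot carry the global value).
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    cp -p "$file" "$tmp"               # the new copy keeps the original file mode
    awk -v key="$key" -v value="$value" '
        function emit() { if (!done) { print key " " value; done = 1 } }
        /^[ \t]*Match([ \t]|$)/ { if (!in_match) { emit(); in_match = 1 } }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)          # look past a leading "#"
            split(line, f, /[ \t]+/)
            if (!in_match && tolower(f[1]) == tolower(key)) { emit(); next }
            print
        }
        END { emit() }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# sshd_option_value <file> <directive>
# Prints the global value sshd will apply: the first uncommented occurrence
# before any Match block. Prints nothing when the compiled-in default applies.
sshd_option_value() {
    awk -v key="$2" '
        /^[ \t]*Match([ \t]|$)/ { exit }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Demo on a constructed file shaped like a stock Debian/Ubuntu sshd_config,
# where the directive exists only as a commented-out default.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
set_sshd_option "$cfg" PasswordAuthentication no
# Keyboard-interactive auth is the other route by which a password prompt can
# still appear, so turn it off as well (the article mentions only PasswordAuthentication).
set_sshd_option "$cfg" ChallengeResponseAuthentication no
set_sshd_option "$cfg" PubkeyAuthentication yes          # absent: inserted before Match
echo "PasswordAuthentication is now: $(sshd_option_value "$cfg" PasswordAuthentication)"
cat "$cfg"
rm -f "$cfg"
```

Before restarting, run sshd -t on the remote host to have sshd parse the file and report syntax errors; newer OpenSSH (8.7 and later) calls the keyboard-interactive directive KbdInteractiveAuthentication and still accepts the older ChallengeResponseAuthentication name used here.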
Tip #2: Back-up Your Private/Public Keypair
Once you disable SSH password authentication, it is advisable to back up your ssh keys. If you lose your keys you will be locked out of your server. Back up your private/public keypair to a safe location.
cp ~/.ssh/id_rsa* /path/to/safe/location/
You can copy the keypair to a new computer and ssh into your server using ssh keys. Once you have copied the keypair to the new computer, you need to change the owner of the keypair to the user on the new computer.
sudo chown new-user:new-user id_rsa*
And then copy them to the .ssh/ directory of the new user.
cp id_rsa* .ssh/
Now you can use ssh keys to log into the remote server from the new computer. You can also safely back up your encrypted private key to online storage because it’s encrypted. But don’t transfer your decrypted private key over the network.
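The safety of that backup rests entirely on the private key actually being passphrase-protected, which is what the Proc-Type: 4,ENCRYPTED header in Step 1 shows for the old PEM format; the OpenSSH key format that ssh-keygen has written by default since OpenSSH 7.8 has no such plain-text marker, so a quick grep no longer answers the question. The script below is an added example, not code from the original article or from OpenSSH; the function names, paths and sample files are assumptions and constructed data, and the sample files contain no real key material. It checks both formats and refuses to copy an unprotected key.

```shell
#!/bin/sh
# Added example: confirm a private key is passphrase-protected before it
# leaves the machine, then copy the pair with private permissions.
# Function names, paths and sample files are assumptions / constructed data.

# private_key_is_encrypted <file>
# Returns 0 if encrypted, 1 if NOT encrypted, 2 if the file is not recognised.
#  - OpenSSH format ("BEGIN OPENSSH PRIVATE KEY"): the base64 body decodes to
#    the magic "openssh-key-v1\0", then a 4-byte length and the cipher name,
#    which is literally "none" when no passphrase was set.
#  - Legacy PEM ("BEGIN RSA PRIVATE KEY", as in the article's 2015 output):
#    an encrypted key carries a plain-text "Proc-Type: 4,ENCRYPTED" header.
private_key_is_encrypted() {
    f=$1
    if grep -q -- '-----BEGIN OPENSSH PRIVATE KEY-----' "$f"; then
        # Decode the body and hex-dump the first 23 bytes:
        # magic (15) + length (4) + first 4 bytes of the cipher name.
        hex=$(sed '/^-----/d' "$f" | base64 -d 2>/dev/null | od -An -tx1 -N 23 | tr -d ' \n')
        magic=$(printf 'openssh-key-v1\000' | od -An -tx1 | tr -d ' \n')
        none=$(printf '\000\000\000\004none' | od -An -tx1 | tr -d ' \n')
        case $hex in
            "$magic$none"*) return 1 ;;   # cipher name "none": no passphrase
            "$magic"*)      return 0 ;;   # any other cipher name
            *)              return 2 ;;
        esac
    elif grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        return 0                          # PKCS#8: encrypted by definition
    elif grep -q -- '-----BEGIN .* PRIVATE KEY-----' "$f"; then
        grep -q '^Proc-Type: 4,ENCRYPTED' "$f" && return 0
        return 1
    fi
    return 2
}

# backup_keypair <private-key> <backup-dir>
# Refuses an unprotected key, then copies the key and its .pub into a mode-700
# directory with the private key at 600 (which ssh also demands before it
# will use the key on the new computer).
backup_keypair() {
    key=$1 dest=$2
    if ! private_key_is_encrypted "$key"; then
        echo "refusing to back up $key: not passphrase-protected (or not a private key)" >&2
        return 1
    fi
    (umask 077; mkdir -p "$dest") && chmod 700 "$dest"
    cp "$key" "$dest/" && chmod 600 "$dest/$(basename "$key")"
    if [ -f "$key.pub" ]; then
        cp "$key.pub" "$dest/" && chmod 644 "$dest/$(basename "$key").pub"
    fi
    echo "backed up $(basename "$key") to $dest"
}

# make_samples <dir>: constructed files mimicking each on-disk format (no real keys).
make_samples() {
    d=$1
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\000\000\000\000\012aes256-ctr' | base64      # cipher set
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$d/id_openssh_enc"
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\000\000\000\000\004none' | base64            # no cipher
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$d/id_openssh_plain"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00000000000000000000000000000000' '' \
        'bm90IGEgcmVhbCBrZXk=' '-----END RSA PRIVATE KEY-----' > "$d/id_rsa_enc"
    echo 'ssh-rsa AAAAB3ConstructedPublicKey== matrix@workstation' > "$d/id_rsa_enc.pub"
}

# Demo
demo=$(mktemp -d)
make_samples "$demo"
for k in id_openssh_enc id_openssh_plain id_rsa_enc; do
    if private_key_is_encrypted "$demo/$k"; then echo "$k: encrypted"; else echo "$k: NOT encrypted"; fi
done
backup_keypair "$demo/id_rsa_enc" "$demo/backup"
backup_keypair "$demo/id_openssh_plain" "$demo/backup" || true          # refused
rm -rf "$demo"
```

The check reads only the header fields, never the key material, so it is safe to run on the real ~/.ssh/id_rsa; run it before the cp in Tip #2 and before the chown/cp on the new computer.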
Tip #3: Store Key Passphrase in SSH Agent
If you have two servers and you want to ssh from each into the other, you may find that after following the steps above you still need to enter the key passphrase every time you ssh into the other machine. That’s because your key passphrase is not stored by the ssh agent.
Install and configure keychain on the ssh client:
sudo apt-get install keychain
Edit the .bash_profile or .profile file. Append the following text to it so these two commands are executed every time the user logs in.
/usr/bin/keychain $HOME/.ssh/id_rsa
source $HOME/.keychain/$HOSTNAME-sh
Now logout and log back in.
Last login: Thu Dec 17 20:38:39 2015 from 22.214.171.124
 * keychain 2.7.1 ~ http://www.funtoo.org
 * Found existing ssh-agent: 17651
 * Adding 1 ssh key(s): /home/<username>/.ssh/id_rsa
Enter passphrase for /home/<username>/.ssh/id_rsa:
 * ssh-add: Identities added: /home/<username>/.ssh/id_rsa
When keychain is run, it checks for a running ssh-agent and starts one if there is none. You need to enter the key passphrase this time. The key passphrase will be remembered across user logins, but when the system reboots you have to enter it again.
Now, as long as the ssh server has the public key and the ssh client you are working on has the private/public keypair and keychain successfully configured, you can ssh into the ssh server without typing the key passphrase.
Tip #4: Change Private Key Passphrase
If you ever need to change your private key passphrase, you can do so with the below command:
ssh-keygen -f ~/.ssh/id_rsa -p
Enter your old passphrase and then enter a new passphrase.
Tip #5: Command Alias
Who wants to type such a long command to log into a remote server every time? Luckily, Linux has a very neat command called alias that can be used to shorten a long command. You can think of it as a URL shortener. You can set up an alias like below.
alias server1='ssh remote-user@server1-ip'
Now type server1 in the terminal and you will be logged into the remote server. But the alias is only valid for one login session. You can put the alias command in the user’s .bashrc file so it is automatically executed when the user logs in.
I hope this article helped you to set up passwordless ssh login.