(!) ?/Discussion

How to setup an SSH key-based authentication as well how to connect to your server or workstation without entering a password.

Contents

  1. How to Setup SSH Passwordless Login
    1. Check for existing SSH key pair
    2. Generate a new SSH key pair
    3. Copy the public key
    4. Login to your server using SSH keys
    5. Optional 1: Adding security disabling SSH Password Authentication
    6. Optional 2: Troubleshooting Remote Server File Permissions
    7. Resources

How to Setup SSH Passwordless Login

The following steps will describe the process for configuring passwordless SSH login: Before generating a new SSH key pair first check if you already have an SSH key on your client machine because you don’t want to overwrite your existing keys.

Check for existing SSH key pair

Run the following ls command to see if existing SSH keys are present: 

ls -al ~/.ssh/id_*.pub

If there are existing keys, you can either use those and skip the next step or backup up the old keys and generate a new one.

If you see "No such file or directory" or "no matches found" it means that you do not have an SSH key and you can proceed with the next step and generate a new one.

Generate a new SSH key pair

The following command will generate a new 4096 bits SSH key pair with your email address as a comment: 

ssh-keygen -t rsa -b 4096 -C "your_email@domain.com"

Press Enter to accept the default file location and file name:

Next, the ssh-keygen tool will ask you to type a secure passphrase. Whether you want to use passphrase it’s up to you, if you choose to use passphrase you will get an extra layer of security. In most cases, developers and system administrators use SSH without a passphrase because they are useful for fully automated processes. If you don’t want to use a passphrase just press Enter. 

Enter passphrase (empty for no passphrase):

To be sure that the SSH keys are generated you can list your new private and public keys with: 

ls ~/.ssh/id_*

Output:

/home/yourusername/.ssh/id_rsa /home/yourusername/.ssh/id_rsa.pub

Copy the public key

Now that you have generated an SSH key pair, in order to be able to login to your server without a password you need to copy the public key to the server you want to manage.

a) The easiest way to copy your public key to your server is to use a command called ssh-copy-id. On your local machine terminal type: 

ssh-copy-id remote_username@server_ip_address

You will be prompted to enter the remote_username password.

Once the user is authenticated, the public key will be appended to the remote user authorized_keys file and connection will be closed.

b) If by some reason the ssh-copy-id utility is not available on your local computer you can use the following command to copy the public key: 

cat ~/.ssh/id_rsa.pub | ssh
remote_username@server_ip_address "mkdir -p ~/.ssh && chmod 700
~/.ssh && cat >> ~/.ssh/authorized_keys && chmod
600 ~/.ssh/authorized_keys"

Login to your server using SSH keys

After completing the steps above you should be able log in to the remote server without being prompted for a password.

To test it just try to login to your server via SSH: 

ssh remote_username@server_ip_address

If everything went well, you will be logged in immediately.

Optional 1: Adding security disabling SSH Password Authentication

To add an extra layer of security to your server you can disable the password authentication for SSH.

Before disabling the SSH password authentication make sure you can log in to your server without a password and the user you are logging in with has sudo privileges.

Log into your remote server with SSH keys, either as a user with sudo privileges or root: 

ssh sudo_user@server_ip_address

Open the SSH configuration file /etc/ssh/sshd_config, search for the following directives and modify as it follows: 

nano /etc/ssh/sshd_config

Add the following line: 

PasswordAuthentication no ChallengeResponseAuthentication no UsePAM no

Once you are done save the file and restart the SSH service. 

sudo systemctl restart ssh

Optional 2: Troubleshooting Remote Server File Permissions

File permissions on the remote server may cause issues with passwordless SSH login. This is a common issue with older versions of SSH.

If you are still prompted for a password after going through all the steps, start by editing file permissions on the remote server.

Edit file permissions with the following command: 

ssh [remote_username]@[server_ip_address] "chmod 700 .ssh; chmod 640 .ssh/authorized_keys"

Enter your password when prompted. There will be no output if the action was successful. The issue should be resolved now.

Resources