Passwordless SSH login
Hate typing your SSH password every time you need to login remotely to your machine? Set up public key authentication, and you can securely login without ever having to type a password.
For this guide, let's say I have two machines, a laptop and a desktop. I move around a lot with my laptop (SSH client), and frequently need to access files or run commands on my desktop (SSH server) but hate typing the password to connect each time.
Ensure proper configuration
Assumption: OpenSSH is used to login remotely using a password. If not, usually all you have to do is install openssh-server on the server and openssh-client on the client. You might also have to open up TCP port 22 on the server if that's not done for you.
Pretty much all modern distros (certainly all the popular ones) will have pubkey authentication enabled in the SSH configuration. On the server, it's enabled as long as you do NOT see this line in /etc/ssh/sshd_config:
On the client, pubkey authentication is enabled as long as that line appears in neither /etc/ssh/ssh_config nor ~/.ssh/config.
Generating a public/private key pair
To begin setting up public key authentication, you'll need to first generate public and private keys on the client. Generating a key pair is simple. Just run ssh-keygen and push enter a lot to accept the defaults:
[vikas@client ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/vikas/.ssh/id_rsa):
Created directory '/home/vikas/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/vikas/.ssh/id_rsa.
Your public key has been saved in /home/vikas/.ssh/id_rsa.pub.
The key fingerprint is:
2b:7d:96:a2:c7:d9:67:6f:9e:d7:0d:f2:07:5a:77:18
Now, in ~/.ssh/, you'll have two files. id_rsa is the private key, which you must keep secret. id_rsa.pub is the public key, which we're going to copy to the server.
Putting the key on the server
Now we need to copy the public key to the server and add it to the list of authorized keys. First, scp the key to the server:
[vikas@client ~]$ scp ~/.ssh/id_rsa.pub vikas@serverIP
vikas@serverIP password:
id_rsa.pub 100% 393 0.4KB/s 00:00
Next, log on to the server and append the public key to the server's authorized_keys file:
[vikas@client ~]$ ssh vikas@serverIP
vikas@serverIP password:
Last login: Sun Nov 30 16:04:12 2014 from client.vikas
[vikas@serverIP ~]$ cat id_rsa.pub >> ~/.ssh/authorized_keys
[vikas@serverIP ~]$ rm id_rsa.pub
Done!
Now if you try to make an SSH connection, the server will have the client's public key and the client will have its private key, and magic will happen. You should not be prompted for a password any more:
[vikas@client ~]$ ssh vikas@serverIP
Last login: Sun Nov 30 16:08:55 2014 from client.vikas
[vikas@serverIP ~]$
ssh, scp, sftp, and any GUI tools built on top of these (like KDE's fish KIOslave) will no longer prompt for a password.
One caveat
I want to point out one more thing. The most common cause for SSH public key authentication mysteriously not working is incorrect file permissions on the ~/.ssh/ files. As a general rule, your file permissions (on both machines) should be at least as restrictive as:
~/.ssh/ rwx------ (700)
~/.ssh/authorized_keys rw-r--r-- (644)
~/.ssh/id_rsa rw------- (600)
~/.ssh/id_rsa.pub rw-r--r-- (644)
Hate typing your SSH password every time you need to login remotely to your machine? Set up public key authentication, and you can securely login without ever having to type a password.
For this guide, let's say I have two machines, a laptop and a desktop. I move around a lot with my laptop (SSH client), and frequently need to access files or run commands on my desktop (SSH server) but hate typing the password to connect each time.
Ensure proper configuration
Assumption: OpenSSH is used to login remotely using a password. If not, usually all you have to do is install openssh-server on the server and openssh-client on the client. You might also have to open up TCP port 22 on the server if that's not done for you.
Pretty much all modern distros (certainly all the popular ones) will have pubkey authentication enabled in the SSH configuration. On the server, it's enabled as long as you do NOT see this line in /etc/ssh/sshd_config:
On the client, pubkey authentication is enabled as long as that line appears in neither /etc/ssh/ssh_config nor ~/.ssh/config.
Generating a public/private key pair
To begin setting up public key authentication, you'll need to first generate public and private keys on the client. Generating a key pair is simple. Just run ssh-keygen and push enter a lot to accept the defaults:
[vikas@client ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/vikas/.ssh/id_rsa):
Created directory '/home/vikas/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/vikas/.ssh/id_rsa.
Your public key has been saved in /home/vikas/.ssh/id_rsa.pub.
The key fingerprint is:
2b:7d:96:a2:c7:d9:67:6f:9e:d7:0d:f2:07:5a:77:18
Now, in ~/.ssh/, you'll have two files. id_rsa is the private key, which you must keep secret. id_rsa.pub is the public key, which we're going to copy to the server.
Putting the key on the server
Now we need to copy the public key to the server and add it to the list of authorized keys. First, scp the key to the server:
[vikas@client ~]$ scp ~/.ssh/id_rsa.pub vikas@serverIP
vikas@serverIP password:
id_rsa.pub 100% 393 0.4KB/s 00:00
Next, log on to the server and append the public key to the server's authorized_keys file:
[vikas@client ~]$ ssh vikas@serverIP
vikas@serverIP password:
Last login: Sun Nov 30 16:04:12 2014 from client.vikas
[vikas@serverIP ~]$ cat id_rsa.pub >> ~/.ssh/authorized_keys
[vikas@serverIP ~]$ rm id_rsa.pub
Done!
Now if you try to make an SSH connection, the server will have the client's public key and the client will have its private key, and magic will happen. You should not be prompted for a password any more:
[vikas@client ~]$ ssh vikas@serverIP
Last login: Sun Nov 30 16:08:55 2014 from client.vikas
[vikas@serverIP ~]$
ssh, scp, sftp, and any GUI tools built on top of these (like KDE's fish KIOslave) will no longer prompt for a password.
One caveat
I want to point out one more thing. The most common cause for SSH public key authentication mysteriously not working is incorrect file permissions on the ~/.ssh/ files. As a general rule, your file permissions (on both machines) should be at least as restrictive as:
~/.ssh/ rwx------ (700)
~/.ssh/authorized_keys rw-r--r-- (644)
~/.ssh/id_rsa rw------- (600)
~/.ssh/id_rsa.pub rw-r--r-- (644)
