In this article, we will learn how to enable password-less login on Linux using an SSH key.
Using password-less login with an SSH key will increase the trust between two Linux servers.
Here are the 4 steps to log in to Linux without a password.
- Create SSH key on the client
- Copy the public key to the remote server
- Disable password login on the server – optional
- Log in to the server with the private key
Create SSH Key on Client
We can use the ssh-keygen command to generate SSH keys in Linux.
- Generate a key pair with the following command. The default SSH key type is RSA. Check this post to know which SSH Key type is more secure in Linux.
- Press Enter to confirm the default location (that is, ~/.ssh/id_rsa) for the newly created key.
- Enter a passphrase, and confirm it by entering it again when prompted to do so.
- Check the SSH public key file and private key file with the ls command under the ~/.ssh/ directory.
- Change the permissions of the ~/.ssh/ directory and key files.
Here are the commands we use for generating SSH keys.
$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/john/.ssh/id_rsa):
The key fingerprint is:
SHA256:6ezTTbbipomsipqJrsmqHFkGeM0VMPDv24PhimnbD+Y john@TOCAO-M-F13P
The key's randomart image is:
+---[RSA 4096]----+
| ..o.o. |
|. + o |
|... + |
| .. . . |
| o . S |
| + ..o o |
| o o..oo. + . |
|+=o* oo=o.+ o |
|^==oE+= =*.. |
+----[SHA256]-----+
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/id_rsa.pub
$ chmod 600 ~/.ssh/id_rsa
Copy public key to remote server
There are two parts to this.
- Append the content of ~/.ssh/id_rsa.pub to the ~/.ssh/authorized_keys file on the server side.
- Change the permissions of the ~/.ssh/authorized_keys file and ~/.ssh using the following commands on the server side.
We can use these three commands to copy the public key to the remote server and change the permissions. The first runs on the client; the two chmod commands run on the server.
$ cat ~/.ssh/id_rsa.pub | ssh user@ssh-server.example.com "cat >> ~/.ssh/authorized_keys"
$ chmod 600 ~/.ssh/authorized_keys
$ chmod 700 ~/.ssh
We can also use the ssh-copy-id command for this.
$ ssh-copy-id -i keyfile user@hostname
Disable Password login on the server – optional
We need to change the sshd configuration to disable password login. This part is optional. Confirm that key-based login works before making this change, otherwise a mistake here can lock us out of the server.
- Ensure the option "PasswordAuthentication no" is set in /etc/ssh/sshd_config on the server.
- Add the configuration "PubkeyAuthentication yes" to /etc/ssh/sshd_config.
- To apply the change, restart the SSH daemon with the command "systemctl restart sshd".
Now we can log in to the remote server without a password.
Login server with the private key
Use the key to log in to the SSH server as shown in the following example, which loads the key from the file ~/.ssh/id_rsa and logs in as user@ssh-server.example.com.
ssh -i ~/.ssh/id_rsa user@ssh-server.example.com
Troubleshooting Guide for SSH login without Password
- Most of the time, the root user is not allowed to log in with SSH. This can be verified in the /etc/ssh/sshd_config file.
- Check the logs /var/log/messages and /var/log/secure for the login issue.
- Check the permissions of the SSH keys and of the .ssh directory itself.
- Use ssh -vvvv to print debug information about the login process.
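The permission check from the troubleshooting list can be scripted. The following is an added example, not part of the original article; the function names too_open and audit_ssh_dir are made up for illustration and GNU stat is assumed. It goes slightly beyond the 600/700 modes set above by testing the exact bits OpenSSH rejects.

```sh
#!/bin/sh
# Added example, not from the original article. Assumes Linux with GNU stat.
# Masks mirror OpenSSH's own checks: the ssh client refuses a private key with
# any group/other bit set (077); sshd with StrictModes (the default) refuses a
# ~/.ssh directory or authorized_keys file that is group/world-writable (022).

# too_open PATH MASK: succeeds when PATH has any permission bit in MASK set.
too_open() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & $2 )) -ne 0 ]
}

# audit_ssh_dir DIR: prints one line per problem, returns the problem count.
audit_ssh_dir() {
    dir=$1
    findings=0
    [ -d "$dir" ] || { echo "MISSING  $dir"; return 1; }
    if too_open "$dir" 022; then
        echo "WRITABLE $dir (mode $mode, fix: chmod 700)"
        findings=$((findings + 1))
    fi
    for f in "$dir"/authorized_keys "$dir"/id_*; do
        [ -f "$f" ] || continue
        case $f in
            *.pub) continue ;;               # public keys are not secret
            */authorized_keys) mask=022 ;;   # sshd StrictModes check
            *) mask=077 ;;                   # ssh client private-key check
        esac
        if too_open "$f" "$mask"; then
            echo "TOO OPEN $f (mode $mode, fix: chmod 600)"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed demo: a throwaway directory stands in for ~/.ssh.
demo=$(mktemp -d)
: > "$demo/id_rsa"; : > "$demo/id_rsa.pub"; : > "$demo/authorized_keys"
chmod 700 "$demo"
chmod 644 "$demo/id_rsa" "$demo/id_rsa.pub"   # private key left world-readable
chmod 600 "$demo/authorized_keys"
audit_ssh_dir "$demo" || echo "problems found: $?"
rm -rf "$demo"
```

To audit a real account, call audit_ssh_dir ~/.ssh on the client and again on the server.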