Enabling password-less login on Linux using SSH keys provides a more secure and convenient way to authenticate and access remote servers.
Here are 4 steps to log in to Linux without the password.
- create SSH Key on Client
- Copy public key to remote server
- Disable password login on the server – optional
- login server with the private key
Table of Contents
Create SSH Key on Client
We can use ssh-keygen command to generate SSH keys in Linux.
- Generate a key pair with the following command. The default SSH key type is RSA. Check this post to know which SSH Key type is more secure in Linux.
ssh-keygen -t rsa -b 4096 - Press Enter to confirm the location (the default is, ~/.ssh/id_rsa) for the newly created key.
- You can optionally set a passphrase for your private key. Enter a passphrase, and confirm it by entering it again when prompted to do so.
- Check the SSH public key file and private key file with ls command under ~/.ssh/ directory
- Change the permissions of the ~/.ssh/ directory and key files
For example:
# ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/john/.ssh/id_rsa):
The key fingerprint is:
SHA256:6ezTTbbipomsipqJrsmqHFkGeM0VMPDv24PhimnbD+Y john@TOCAO-M-F13P
The key's randomart image is:
+---[RSA 4096]----+
| ..o.o. |
|. + o |
|... + |
| .. . . |
| o . S |
| + ..o o |
| o o..oo. + . |
|+=o* oo=o.+ o |
|^==oE+= =*.. |
+----[SHA256]-----+
check the file permissions of directory and keys. Change them if needed with the following commands.
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/id_rsa.pub
$ chmod 600 ~/.ssh/id_rsa
Copy public key to remote server
To copy a public key to a remote server, you can use the ssh-copy-id command. Here are the steps to follow:
- Open your terminal or command prompt.
- Use the following command to copy the public key to the remote server, replacing REMOTE_USERNAME with your username and REMOTE_HOST with the IP address or hostname of the remote server:
ssh-copy-id REMOTE_USERNAME@REMOTE_HOST
You may be prompted to enter your password for the remote server.
There are two purpose for ssh-copy-id command.
- Append the content of ~/.ssh/id_rsa.pub into the ~/.ssh/authorized_keys file on the server-side.
- Change the permissions of the ~/.ssh/authorized_keys file and ~/.ssh using the following command on the server-side.
By combining these two purposes, ssh-copy-id simplifies the process of setting up SSH key authentication by handling both the copying of the key and the permissions configuration in a single command.
If the command is successful, it will copy your public key to the remote server and add it to the authorized_keys file, which allows you to authenticate without a password in future SSH connections.
If the command is not found, you might need to install the ssh-copy-id tool.
- Installing ssh-copy-id on Linux:
- On Debian/Ubuntu-based systems, use the apt-get package manager:
sudo apt-get install openssh-client - On CentOS/RHEL-based systems, use the yum package manager:
sudo yum install openssh-clients
- On Debian/Ubuntu-based systems, use the apt-get package manager:
- Installing ssh-copy-id on macOS:
- Use Homebrew, a popular package manager for macOS, to install ssh-copy-id:
brew install ssh-copy-id
- Use Homebrew, a popular package manager for macOS, to install ssh-copy-id:
- Installing ssh-copy-id on Windows:
- Windows doesn’t come with ssh-copy-id pre-installed, but you can use third-party tools like Git Bash:
- Install Git Bash, which provides a Bash-like environment for Windows.
- Once installed, you can use the ssh-copy-id command within the Git Bash terminal.
- Windows doesn’t come with ssh-copy-id pre-installed, but you can use third-party tools like Git Bash:
If you can not install this command, you can use the following three commands to copy the public key to the remote server and change permission manually.
cat ~/.ssh/id_rsa.pub | ssh [email protected] "cat >> ~/.ssh/authorized_keys"
$ chmod 600 ~/.ssh/authorized_keys
$ chmod 700 ~/.ssh
Check out this article to learn more about ssh authorized_keys file
Disable Password login on the server – optional
We need to change the sshd configuration to disable password login. This part is optional.
- Ensure this option “PasswordAuthentication no” in /etc/ssh/sshd_config in server
- Add this configuration “PubkeyAuthentication yes ” in /etc/ssh/sshd_config
- To enable the change, restart the SSH daemon with this command “systemctl restart sshd “
Now we can log in to the remote server without a password.
Login server with the private key
Use the key to log in to the SSH server as shown in the following example, which loads the key in file ~/.ssh/id_rsa and logs in as user [email protected]
ssh -i ~/.ssh/id_rsa [email protected]
Troubleshooting Guide for SSH login without Password
- most time the root user is not allowed to log in with ssh. This can be verified with the configuration in /etc/ssh/sshd_config file.
- check the log /var/log/messages. and /var/log/secure for the login issue
- check the permission of the ssh key directory and even the .ssh directory
- use ssh -vvvv to print debug info about access process
Summary:
Enabling password-less login on Linux using SSH keys provides a more secure and convenient way to authenticate and access remote servers. Here are the steps to accomplish this:
- Generate SSH key pair:
- Open your terminal or command prompt.
- Use the ssh-keygen command to generate an SSH key pair. By default, this command generates a 2048-bit RSA key pair:
ssh-keygen -t rsa - You will be prompted to specify a file to save the key pair. Press Enter to accept the default location (~/.ssh/id_rsa) or provide a custom path if desired.
- Optionally, set a passphrase for your private key to add an extra layer of security.
- Copy the public key to the remote server:
- Use the ssh-copy-id command to copy your public key to the remote server. Replace REMOTE_USERNAME with your username and REMOTE_HOST with the IP address or hostname of the remote server:
ssh-copy-id REMOTE_USERNAME@REMOTE_HOST - Enter your password for the remote server when prompted.
- Use the ssh-copy-id command to copy your public key to the remote server. Replace REMOTE_USERNAME with your username and REMOTE_HOST with the IP address or hostname of the remote server:
- Disable password authentication (optional):
- For enhanced security, you can disable password authentication on the remote server and only allow SSH key authentication:
- Open the SSH server configuration file (/etc/ssh/sshd_config) on the remote server using a text editor.
- Locate the line that says #PasswordAuthentication yes and change it to PasswordAuthentication no.
- Save the file and restart the SSH server for the changes to take effect. The command may vary based on your Linux distribution, but it is usually one of the following: or
sudo service ssh restartsudo systemctl restart ssh
- For enhanced security, you can disable password authentication on the remote server and only allow SSH key authentication:
- Test password-less login:
- Now, you should be able to SSH into the remote server without entering a password:
ssh REMOTE_USERNAME@REMOTE_HOST
- Now, you should be able to SSH into the remote server without entering a password:
This list outlines the steps to generate an SSH key pair, copy the public key to the remote server, optionally disable password authentication, and test password-less login.
By following these steps, you can enable password-less login on Linux using SSH keys, providing a more secure and convenient method for accessing remote servers.
Related:
Da xie
Sunday 3rd of December 2023
It is very clear. Thanks for the guide.
Daniel Lim
Thursday 30th of November 2023
It should be sudo systemctl restart sshd not sudo systemctl restart ssh.