Set Up a Passwordless SSH Login

Try this guide with our instant dedicated server for as low as 40 Euros


Traditional password-based logins are a thing of the past, especially when it comes to remote server management. These days, sysadmins prefer password-free logins into the servers for a secure and streamlined experience.

SSH is one of the best ways to handle tasks such as automated backups, file synchronization, and remote server access and management. Traditionally, SSH relied on passwords, but now there’s a better way: passwordless SSH login using public key authentication. 

In this tutorial, we will discuss how to set up a passwordless SSH login, eliminating the risks associated with password-based authentication. However, before that, let us take a quick look at the prerequisites. 

Table Of Contents

  1. The Prerequisites to Set Up a Passwordless SSH Login
  2. How to Set Up a Passwordless SSH Login
    1. Step #1: Verify Current SSH Keys
    2. Step #2: Generate an SSH Key Pair
    3. Step #3: Choose the Save Location
    4. Step #4: Set a Passphrase (Optional)
    5. Step #5: Key Generation Confirmation
    6. Step #6: Verify Key Generation
    7. Step #7: Move the Public Key to the Remote Server
    8. Step #8: Log in to the Server Without a Password
  3. Troubleshoot Remote Server File Permissions
    1. Step #1: Connect to the Remote Server
    2. Step #2: Change Directory Permissions
  4. Conclusion
  5. FAQs

The Prerequisites to Set Up a Passwordless SSH Login

Before moving into the setup process, ensure you have the following:

  • A user account with sudo or administrative privilege.
  • Terminal or command line access
  • Access to local and remote servers
  • An SSH client (Usually pre-installed on most mainstream Linux distributions)

How to Set Up a Passwordless SSH Login

Setting up a passwordless SSH login enables a seamless, secure, and reliable login. 

Follow these steps to set up a passwordless login on the remote servers.

Step #1: Verify Current SSH Keys

In most Linux distributions, SSH keys are already generated.

You should start by verifying the current SSH keys. For this, execute the following command in the terminal:

# ls -al ~/.ssh/id_*.pub

The command lists the public key files in your hidden ~/.ssh directory, showing which SSH keys already exist. You can back them up or create a new pair to overwrite the old ones.

However, if the output is empty, you have to generate a new SSH key pair. 

Step #2: Generate an SSH Key Pair

To configure passwordless SSH login, you’ll need an SSH key pair on your local system.

Here, we recommend generating a 4096-bit key pair. You can replace 4096 with your desired key size if preferred.

Execute the following command to generate a key pair. 

# ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Replace 4096 with your desired key size and your_email@example.com with your email address.

Step #3: Choose the Save Location

When prompted, choose your desired location to save your keys. Press Enter to accept the default location.

Step #4: Set a Passphrase (Optional)

Next, you will be prompted to set a passphrase.

A passphrase is like a password for your key, adding an extra layer of security. While optional, we recommend using a strong passphrase, because it keeps the private key protected even if your system is compromised.

Many users consider the passphrase as an additional step and choose to avoid it. However, it can significantly improve your key pair’s security. 

If you choose to skip the passphrase, simply press Enter.


Step #5: Key Generation Confirmation

Once the keys are generated, the output displays the location where the private and public keys are stored, along with the key fingerprint.


Step #6: Verify Key Generation

Next, verify if the key pairs are generated successfully. For this, run the following command to check the key pairs:

# ls -al ~/.ssh/id_*

The output lists the paths to the private and public keys.


Step #7: Move the Public Key to the Remote Server

Now that you have SSH keys generated, you need to upload the public SSH key to a remote server. You can opt for the following methods to upload the SSH keys to a remote server:

Upload Public Key With the ssh-copy-id Command

This method offers a simpler approach that most experts recommend. The ssh-copy-id command automates copying your public key to the remote server’s .ssh/authorized_keys file.

Open the terminal and execute the following command to connect to the remote server and upload the public key.

# ssh-copy-id [remote_username]@[server_ip_address]

Replace [remote_username] with your username on the remote server and [server_ip_address] with the server’s IP address.

You’ll be prompted to enter your password for the remote user.

Once your ID is validated, the ssh-copy-id command will automatically copy the public key to the .ssh/authorized_keys file on the remote server.

Upload Public Key Using the cat Command

While less convenient, the cat command offers a solution to the challenge of uploading the public key to the server. 

Establish a connection to the remote server and create the .ssh directory (if it doesn’t exist) using the following command:

# ssh [remote_username]@[server_ip_address] mkdir -p .ssh

Next, enter the password for the remote user when prompted.

Upload the public key from the system to the remote server. This command specifies that the key will be stored in the authorized_keys file within the .ssh directory:

# cat ~/.ssh/id_rsa.pub | ssh [remote_username]@[server_ip_address] 'cat >> .ssh/authorized_keys'

Step #8: Log in to the Server Without a Password

With the SSH key pair generated and the public key uploaded to the remote server, you can now connect to your remote server without a password.

We recommend the following command to verify that you can log into the server without requiring a password: 

# ssh [remote_username]@[server_ip_address]

If everything is set up appropriately, you should be logged in to the remote server without being prompted for a password.
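
The cat upload in Step #7 appends the key every time it is run and leaves the mode of a newly created authorized_keys file to the remote umask. The script below is an added example, not part of the original guide, of a repeatable install meant to run on the server; install_pubkey and its HOME_DIR argument are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example (not from the original guide): install a public key the way
# Step #7 intends, but safely repeatable. HOME_DIR is a parameter so the
# function can be tried on a scratch directory first.

install_pubkey() {   # usage: install_pubkey PUBKEY_FILE [HOME_DIR]
    pub=$1
    dir=${2:-$HOME}/.ssh
    auth=$dir/authorized_keys

    # A public key is one "type base64 [comment]" line. Reject private keys
    # and anything else that does not start like a common public key type.
    key=$(head -n 1 "$pub")
    case $key in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "not a public key: $pub" >&2; return 2 ;;
    esac

    # Create the directory and file with owner-only access regardless of the
    # caller's umask. A new file gets mode 600; an existing file keeps its mode.
    ( umask 077; mkdir -p "$dir"; touch "$auth" )
    chmod 700 "$dir"

    # Append only when this exact line is not already authorized.
    if grep -qxF -- "$key" "$auth"; then
        echo "already present"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "added"
    fi
}

# Run when called with arguments, e.g.: sh install_pubkey.sh id_rsa.pub
if [ $# -gt 0 ]; then
    install_pubkey "$@"
fi
```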

Troubleshoot Remote Server File Permissions

In rare cases, issues with file permissions on the remote server can hinder passwordless SSH login, particularly if you are using an older SSH version. 

If you’ve followed the guide and are still prompted for a password, here’s how to adjust file permissions on the remote server.

Step #1: Connect to the Remote Server

Establish a connection to the remote server using your existing SSH credentials (username and password).

Step #2: Change Directory Permissions

Execute the following command to modify the permissions of the .ssh directory on the remote server to 700 and the permissions of the .ssh/authorized_keys file to 640.

Mode 700 grants read, write, and execute permissions on the directory only to the owner. Mode 640 lets the owner read and write the file and the group read it.

# ssh [remote_username]@[server_ip_address] "chmod 700 .ssh; chmod 640 .ssh/authorized_keys"

Note: Be cautious when modifying file permissions. Ensure you’re only adjusting permissions for the intended directories and files.

Press Enter when prompted.

The command produces no output even when it succeeds, so attempt to log in to the remote server again using SSH to confirm that you are no longer prompted for a password.
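
sshd's StrictModes option (on by default) ignores authorized_keys when the file, the .ssh directory, or the home directory is writable by group or others, which is the usual permissions cause of the password prompt described above. This added example, not part of the original guide, checks those three mode bits; the function names are hypothetical and ownership is not checked.

```shell
#!/bin/sh
# Added example: flag the mode bits that make sshd's StrictModes check
# ignore authorized_keys. Function names are hypothetical.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Check HOME_DIR, HOME_DIR/.ssh and authorized_keys; return 1 on any problem.
audit_ssh_perms() {   # usage: audit_ssh_perms HOME_DIR
    bad=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; bad=1; continue
        fi
        m=$(mode_of "$p")
        # 022 = write bit for group and for others
        if [ $(( 0$m & 022 )) -ne 0 ]; then
            echo "REJECT  $p (mode $m is writable by group or others)"; bad=1
        else
            echo "OK      $p (mode $m)"
        fi
    done
    return "$bad"
}

# Run against a directory given on the command line, e.g. "$HOME".
if [ $# -gt 0 ]; then
    audit_ssh_perms "$1"
fi
```

The guide's 640 passes this check because only the write bits matter; 600 additionally hides the file from the group.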

Conclusion

You can now successfully set up a passwordless SSH login, enhancing both security and convenience in managing your servers. With passwordless SSH, you no longer need to enter a password for each connection, reducing the risk of unauthorized access and streamlining your workflow. 

This method not only improves security by leveraging cryptographic keys but also saves time, making your server management more efficient and secure. Implementing passwordless SSH is a best practice for anyone looking to optimize their server access protocols.

FAQs

Q. What is passwordless authentication, and why is it important for SSH connections?

Passwordless authentication uses SSH keys instead of passwords to log into remote systems. It provides stronger security by eliminating the need for password authentication, reducing the risk of brute force attacks. It also streamlines the login process and is particularly useful for automated tasks and cron jobs.

Q. How do I generate a custom key for passwordless authentication on my client machine?

To generate a custom key for passwordless authentication, use the following command on your client machine: ssh-keygen -t rsa -b 4096 -C "your_email@example.com". You can specify a custom key file and secure passphrase during this process to enhance security.

Q. Where is the default location for SSH key files, and how can I change it?

The default location for SSH key files is ~/.ssh/id_rsa for the private key and ~/.ssh/id_rsa.pub for the public key. To change the default location, specify the path when generating the keys: ssh-keygen -t rsa -b 4096 -C "your_email@example.com" -f /custom/path/to/your_key

Q. How can I enable key authentication on the SSH server for a secure connection?

To enable key authentication on the SSH server, upload your public key to the remote host’s ~/.ssh/authorized_keys file. Ensure the SSH configuration file (/etc/ssh/sshd_config) has the following settings:

PubkeyAuthentication yes

PasswordAuthentication no

Restart the SSH server to apply these changes: sudo systemctl restart ssh

Q. What should I do if I still get prompted for a password when logging into a server via SSH?

Ensure the public key is appropriately added to the remote host’s ~/.ssh/authorized_keys file. Verify the file permissions: .ssh directory should have 700, and authorized_keys should have 640. Next, ensure password authentication is disabled in the SSH configuration file: PasswordAuthentication no.

Execute the command to adjust permissions: ssh [remote_username]@[server_ip_address] "chmod 700 .ssh; chmod 640 .ssh/authorized_keys"

Q. How do I set up a secure passphrase for my SSH key, and is it necessary?

A secure passphrase adds an extra layer of security to your SSH key. When generating your SSH key, you will be prompted to enter a passphrase: ssh-keygen -t rsa -b 4096 -C "your_email@example.com".

While it’s not necessary, it is highly recommended for stronger security, especially if the key file is stored on a client machine.

Q. Can I use passwordless authentication for automated processes like cron jobs?

Yes, passwordless authentication is ideal for automated processes like cron jobs, as it allows scripts to connect to remote systems without requiring manual password entry, ensuring smooth and secure operations.

Q. How can I configure the SSH server to allow only key authentication and disable password authentication?

To configure the SSH server for key authentication only, edit the SSH configuration file (/etc/ssh/sshd_config) to include: 

PasswordAuthentication no

PubkeyAuthentication yes

Next, restart the SSH server to apply the changes: sudo systemctl restart ssh
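
sshd uses the first value it reads for each keyword, so a PasswordAuthentication no line added below an earlier yes has no effect. The following added example, not from the original guide, applies that rule to a single file for the settings in this answer and in the earlier key authentication answer; the function names and sample configs are constructed here, and Include files are not followed (sshd -T, run as root, prints the effective values).

```shell
#!/bin/sh
# Added example (not from the original guide): check one sshd_config file
# for the two settings above, following sshd's parsing rules.

# Print the value sshd takes for KEYWORD from FILE, or DEFAULT if unset.
# Rules applied: keywords are case-insensitive, the FIRST value seen wins,
# and lines after a "Match" line only apply conditionally, so scanning stops.
sshd_setting() {   # usage: sshd_setting FILE KEYWORD DEFAULT
    awk -v want="$2" -v def="$3" '
        /^[ \t]*#/ { next }                      # comment line
        { sub(/[ \t]*=[ \t]*/, " ") }            # allow "Keyword=value"
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Return 0 only when FILE disables passwords and leaves public keys enabled.
# Both keywords default to "yes" in OpenSSH when absent.
key_only_enforced() {
    pw=$(sshd_setting "$1" PasswordAuthentication yes)
    pk=$(sshd_setting "$1" PubkeyAuthentication yes)
    echo "PasswordAuthentication=$pw PubkeyAuthentication=$pk"
    [ "$pw" = "no" ] && [ "$pk" = "yes" ]
}

# Constructed sample: "no" was appended at the end, but an earlier
# lower-case "yes" line is the one sshd uses.
write_weak_sample() {
    printf '%s\n' '# constructed sample' 'passwordauthentication yes' \
        'PubkeyAuthentication yes' 'PasswordAuthentication no' > "$1"
}

# Constructed sample: the hardened values are the first ones in the file.
write_hardened_sample() {
    printf '%s\n' '# constructed sample' 'PasswordAuthentication no' \
        'PubkeyAuthentication yes' > "$1"
}

demo=$(mktemp)
write_weak_sample "$demo"
key_only_enforced "$demo" || echo "weak sample: passwords still accepted"
write_hardened_sample "$demo"
key_only_enforced "$demo" && echo "hardened sample: key-only logins"
rm -f "$demo"
```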

Q. What is the default type of SSH key, and can I use other types for stronger security?

The default type of SSH key is RSA. However, you can use other types such as ED25519 or ECDSA for stronger security: ssh-keygen -t ed25519 -C "your_email@example.com"

Q. Why do I need sudo access to configure SSH settings on the server?

Sudo access is required to edit the SSH configuration file and restart the SSH server, as these actions affect the security and operation of the remote host.
