Nov 30, 2022
How to Setup Passwordless SSH on Linux
There are two ways of enabling SSH:
- Password-based authentication
- Public key-based authentication
Public key-based authentication is often called passwordless SSH.
Why use Passwordless SSH?
Users sometimes find password-protected options hard to remember and uncomfortable. You may be in an environment where you need to enter your password frequently.
There are a few advantages of Passwordless SSH:
- Easy and non-interactive login. Users don’t have to type the password for every new session
- More secure compared to passwords as it works on public-private key cryptography
- More reliable
- Better authentication and authorization management
- A good solution for both small and large infrastructure
- Easy to build and maintain
To start using passwordless SSH you need to generate a public key. In this tutorial, we will be focusing on SSH version 2 which is the latest and more secure protocol.
Log into your VPS using SSH, and we’ll be ready to start!
First, you can check if the SSH key for the client machine already exists. This will prevent overwriting the current configuration. You can use the below command to find out:
ls -al ~/.ssh/id_*.pub
If you find an existing key, then you can either skip the SSH key generation steps, override the current setup, or create a backup of the existing key. If the key doesn’t exist, you’ll see the following output:
ls: cannot access /users/appsadm/.ssh/id_*.pub: No such file or directory
Next, we can proceed to generate the SSH key.
Passwordless SSH in Ubuntu and CentOS:
To generate a public and private key on Ubuntu or CentOS, use the command:
ssh-keygen -t rsa
The option -t stands for type, while RSA is the protocol used for key generation. RSA is the default type – hence you can also use the simpler version of the command – ssh-keygen.
The default key is of 2048 bits. However, if you want stronger security, you can change the value to 4096 bits. In that case, the command will be:
ssh-keygen -t rsa -b 4096
This is an interactive key generation process and you will be asked a few questions like:
- Enter file in which to save the key (/home/.ssh.id_rsa)
- Enter passphrase (empty for no paraphrase)
You can press enter for both these questions and this will take the default values. A paraphrase is used to encrypt the private key; however, this is not mandatory and can be left blank. The private key will be saved in the default location – .ssh/id_rsa.
The public key will be saved in the .ssh/id_rsa.pub file. This completes the key generation. You can verify the files by using any editor.
Copying the Public Key to Enable Passwordless SSH
Copying the public key to a destination machine can be done in three ways:
- Use the ssh-copy-id command
- Copy using SSH
- Copy Manually
The first option is the most preferred and fastest one. The command ssh-copy-id is by default included in most Linux flavors. However, in some instances where you face issues using ssh-copy-id or do not have access to this command then you can try the subsequent options.
Method 1: Using the ssh-copy-id Command
The basic syntax to use this command is as highlighted below:
Here you will get a prompt for the remote machine’s password. Once the authentication is successful, the generated SSH public key will be added to the remote machine’s authorized_keys file. After adding the entry, the connection will be closed automatically.
Method 2: Copy the Private Key Using SSH
The next method uses SSH to copy the private key. This can be used when you have password-based SSH access to the server. The command below will take care of the process. You only need to enter the remote user’s username and machine’s IP address.
cat ~/.ssh/id_rsa.pub | ssh remote_username@remote_ip_address "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
This will add the entry into the remote machine’s authorized_keys file.
Method 3: Manually Copying the Public Key
The third method is slightly more difficult as its completely manual. However, in certain cases where the other methods don’t work, you can use this one! You’ll need to manually add the contents of the id_rsa.pub file to the remote server’s ~/.ssh/authorized_keys file.
On the source method you can display the contents of the id_rsa.pub file by using the vi editor or cat command:
This would display an output containing the key starting with ssh-rsa. Copy it! Next on the remote server, login and create the .ssh file if it does not exist.
mkdir -p ~/.ssh
You can similarly create the authorized_keys file. Add the copied SSH public key to the empty file as shown below:
echo SSH_public_key >> ~/.ssh/authorized_keys
SSH_public_key would be the public key that you copied from the source machine. It will start with ssh-rsa.
Once the key is copied, you can provide the required permissions to the remote servers .ssh directory by using chmod command.
chmod -766 ~/.ssh
Testing Passwordless SSH
With this, we should have successfully activated passwordless SSH, and performed the basic configuration. To test the feature, you can try accessing the remote server via the source server. The command syntax would look like this:
If everything worked successfully, then you will be able to login automatically without having to enter the password.
How to Disable Passwordless SSH
If you decide that passwordless SSH isn’t for you, you can disable it by following the steps below. To make this change open the SSH configuration file – /etc/ssh/ssh_config. Again, any editor will work, we use nano. Here you will find an entry with PasswordAuthentication. Modify the lines as shown:
PasswordAuthentication no ChallengeResponseAuthentication no UsePAM no
Once this is changed, save the file and restart SSH. Here’s how to do it on Ubuntu 18.04:
sudo systemctl restart ssh
And the command for CentOS 7:
sudo systemctl restart sshd
This completes our tutorial about Passwordless SSH. We covered passwordless SSH setup, configuration and how to disable it. We hope you found this how-to helpful! Remember, stay safe out there!