How to Set Up Password-less SSH Login on Linux

Automatic password-less SSH login can make our life easier. To enable it, we have two options: key-based authentication, where we copy our SSH public key to the remote machine, or password-based authentication. I will introduce both options in this post. Before you start, please note that key-based authentication is generally recommended when your working environment allows it.


Key-based password-less ssh login

We introduce two methods in this post: using the ssh-copy-id command and the manual way.

Generate SSH key pair

If you do not have an SSH private/public key pair yet, generate one first.

$ ssh-keygen -t rsa

By default on Linux, the key pair is stored in ~/.ssh as id_rsa (the private key) and id_rsa.pub (the public key).

Copy public SSH key to the remote machine

You have two choices here. Use the ssh-copy-id method unless you cannot, in which case you can try the “manual” way.

The easiest way

Let ssh-copy-id do it automatically:

$ ssh-copy-id username@remotemachine

If you have multiple keys in your ~/.ssh directory, you may need to use -i key_file to specify which key you will use.

The manual way

Copy the public SSH key to remote machine

$ scp .ssh/id_rsa.pub username@remotemachine:/tmp/

Log on to the remote machine

$ ssh username@remotemachine

Append your public SSH key to ~/.ssh/authorized_keys

# backing up before changing is a good habit
$ cp ~/.ssh/authorized_keys ~/.ssh/authorized_keys.bak
# append pub key to authorized keys list
$ cat /tmp/id_rsa.pub >> ~/.ssh/authorized_keys

Make sure the mode of ~/.ssh/authorized_keys is 755:

$ chmod 755 ~/.ssh/authorized_keys

Possible Problems

Here are some possible problems that can prevent you from successfully setting up password-less login.

Directory/file permissions

Home directory
Check the home directory’s permissions, which may cause key-based login to fail (suppose the home directory is /home/zma):

# chmod 700 /home/zma/

~/.ssh permission
Make sure the .ssh directory’s permission is 755:

$ chmod 755 ~/.ssh/

~/.ssh/authorized_keys permission
Make sure the authorized_keys file’s permission is 755:

$ chmod 755 ~/.ssh/authorized_keys

~/.ssh/id_rsa and ~/.ssh/id_rsa.pub permission
Make sure the permission is 700 (others can work, but 700 is better for your private key, right?):

$ chmod 700 ~/.ssh/id_rsa
$ chmod 700 ~/.ssh/id_rsa.pub
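
To check the items above in one pass, here is an added example (not part of the original post): a shell function that reports the two conditions OpenSSH itself rejects, a home directory, ~/.ssh or authorized_keys that is writable by group or others (sshd with StrictModes, the default), and a private key that group or others can access (the ssh client). It assumes stat -c %a (GNU coreutils or BusyBox); the function names are made up for this example.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes `stat -c %a`
# (GNU coreutils or BusyBox). Function names are made up for this example.

# mode_has PATH MASK: succeeds if any bit of octal MASK is set on PATH.
mode_has() {
    m=$(stat -c %a "$1") || return 2
    [ $(( 0$m & 0$2 )) -ne 0 ]
}

# audit_ssh_perms HOME_DIR: prints one line per finding and returns the
# number of findings (0 means both checks passed).
audit_ssh_perms() {
    home=$1
    findings=0
    # sshd with StrictModes (the default) refuses the key when any of these
    # is writable by group or others.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if mode_has "$p" 022; then
            echo "GROUP_OR_OTHER_WRITABLE $p"
            findings=$((findings + 1))
        fi
    done
    # The ssh client ignores a private key that group or others can access.
    for k in "$home"/.ssh/id_*; do
        case $k in *.pub) continue ;; esac
        [ -f "$k" ] || continue
        if mode_has "$k" 077; then
            echo "PRIVATE_KEY_TOO_OPEN $k"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage: sh audit.sh /home/zma
if [ -n "${1:-}" ]; then
    audit_ssh_perms "$1" || echo "findings: $?"
fi
```

The modes used in this post (700 on the home directory, 755 on ~/.ssh and authorized_keys, 700 on id_rsa) produce no findings.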

Password-based “password-less” ssh login

With this method, login and authentication are still done by password. However, we use a tool to input the password for us automatically. The tool is sshpass, which works nicely.

The usage is very simple. Provide the password on the command line:

$ sshpass -p "your_password_here" ssh username@remotemachine

or provide the password in the first line of a file:

$ sshpass -f /path/to/file_storing_your_password ssh username@remotemachine

Security considerations: before using sshpass, please read the “SECURITY CONSIDERATIONS” section of the sshpass man page to understand the security problems, and only use it when you can tolerate them.

Eric Zhiqiang Ma

Eric is interested in building high-performance and scalable distributed systems and related technologies. The views or opinions expressed here are solely Eric's own and do not necessarily represent those of any third parties.

6 comments:

  1. Another common problem is that SELinux blocks password-less SSH login after re-installing Linux but keeping the old home, you may need to do a `restorecon -Rv /home`. You can take a look at the directory ownership and SELinux labels by `ls -lZ`.
