How to Set Up Password-less SSH Login on Linux

Automatic password-less SSH login can make our lives easier. To enable it, we have 2 options: key-based authentication, where we copy our SSH public key to the remote machines, or password-based authentication with the password entered automatically. I will introduce both options in this post. Before you start, please note that key-based authentication is generally suggested when your working environment allows.

Key-based password-less ssh login

We introduce two methods in this post: using the ssh-copy-id command and the manual way.

Generate SSH key pair

If you do not have an SSH private/public key pair yet, you can generate one first.

$ ssh-keygen -t rsa

By default on Linux, the key pair is stored in ~/.ssh as id_rsa (the private key) and id_rsa.pub (the public key).

Copy public SSH key to the remote machine

You have two choices here. If you cannot use the ssh-copy-id method, you can try the “manual” way.

The easiest way

Let ssh-copy-id do it automatically:

$ ssh-copy-id username@remotemachine

If you have multiple keys in your ~/.ssh directory, you may need to use -i key_file to specify which key you will use.

The manual way

Copy the public SSH key to remote machine

$ scp .ssh/id_rsa.pub username@remotemachine:/tmp/

Log on to the remote machine

$ ssh username@remotemachine

Append your public SSH key to ~/.ssh/authorized_keys

# backing up before changing is a good habit
$ cp ~/.ssh/authorized_keys ~/.ssh/authorized_keys.bak
# append pub key to authorized keys list
$ cat /tmp/id_rsa.pub >> ~/.ssh/authorized_keys

Make sure the mode of ~/.ssh/authorized_keys is 755:

$ chmod 755 ~/.ssh/authorized_keys

Possible Problems

Here are some possible problems that can prevent you from successfully setting up password-less login.

Directory/file permissions

Home directory
Check the home directory’s permission, which may cause key-based login to fail (suppose the home directory is /home/zma):

# chmod 700 /home/zma/

~/.ssh permission
Make sure the .ssh directory’s permission is 755:

$ chmod 755 ~/.ssh/

~/.ssh/authorized_keys permission
Make sure the authorized_keys file’s permission is 755:

$ chmod 755 ~/.ssh/authorized_keys

~/.ssh/id_rsa and ~/.ssh/id_rsa.pub permission
Make sure the permission is 700 (others can work, but 700 is better for your private key, right?):

$ chmod 700 ~/.ssh/id_rsa
$ chmod 700 ~/.ssh/id_rsa.pub
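
The permission checks above can be run in one pass. The following is an added example, not part of the original post: it tests the bits OpenSSH actually rejects, namely group/other write on the home directory, ~/.ssh and authorized_keys (sshd with StrictModes enabled), and any group/other access on the private key (the ssh client). It assumes GNU stat on Linux; the function names mode_has and audit_ssh_perms are made up for this example.

```shell
#!/bin/sh
# Added example: audit the permissions discussed under "Directory/file permissions".
# Assumes GNU stat (Linux). Usage: audit_ssh_perms "$HOME" [private_key_name]

# mode_has PATH MASK: succeeds if PATH has any permission bit of octal MASK set.
mode_has() {
    m=$(stat -c '%a' "$1") || return 2
    [ $(( 0$m & 0$2 )) -ne 0 ]
}

# audit_ssh_perms HOME_DIR [KEY_NAME]
# Prints one line per problem; returns 0 if nothing is wrong, 1 otherwise.
audit_ssh_perms() {
    home=$1
    key=${2:-id_rsa}
    bad=0

    # sshd (StrictModes yes) ignores authorized_keys when any of these
    # is writable by group or others (mask 022).
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if mode_has "$p" 022; then
            echo "group/other writable: $p (mode $(stat -c '%a' "$p")), fix: chmod go-w $p"
            bad=$((bad + 1))
        fi
    done

    # The ssh client refuses a private key that group or others can
    # read, write or execute (mask 077).
    p="$home/.ssh/$key"
    if [ -e "$p" ] && mode_has "$p" 077; then
        echo "private key too open: $p (mode $(stat -c '%a' "$p")), fix: chmod go-rwx $p"
        bad=$((bad + 1))
    fi

    [ "$bad" -eq 0 ]
}
```

Run it as the account owner on the remote machine for the sshd-side files, and on the local machine for the private key. The modes given in this post (700, 755, 755 and 700) pass the check.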

Password-based “password-less” ssh login

With this method, login and authentication are still done by password. However, we use a tool to enter the password for us automatically. The tool is sshpass, which works nicely.

Usage is simple. Provide the password on the command line:

$ sshpass -p "your_password_here" ssh username@remotemachine

or provide the password in the first line of a file:

$ sshpass -f /path/to/file_storing_your_password ssh username@remotemachine

Security considerations: before using sshpass, please read the “SECURITY CONSIDERATIONS” section of the sshpass man page to understand the security problems, and only use it when you can tolerate them.

Eric Z Ma

Eric is a father and systems guy. Eric is interested in building high-performance and scalable distributed systems and related technologies. The views or opinions expressed here are solely Eric's own and do not necessarily represent those of any third parties.

6 comments:

  1. Another common problem is that SELinux blocks password-less SSH login after re-installing Linux but keeping the old home; you may need to do a `restorecon -Rv /home`. You can take a look at the directory ownership and SELinux labels by `ls -lZ`.
