ssh password-less login

We will learn how to login to remote host without entering out password every time.

Create `.ssh` directory

The .ssh directory is the default one to save our config file and credentials in it. It is the default path and is picked up by ssh (= it is read). This directory will be (usually) in /home/$USER/.ssh path.

# method one
# execute "mkdir" wherever you are
mkdir -p /home/$USER/.ssh

# method two
# go do home directory then create it
cd ~
mkdir .ssh

Create `config` file

# after creating ".ssh" directory 
cd .ssh
# or
cd /home/$USER/.ssh
# then create a new file named "config"

# method one
# create an empty file
touch config

# method two
# create an empty file
> config

Up to know we have .ssh and .ssh/config in our home directory

Generate private key and public key

After having .ssh and .ssh/config head to .ssh directory and generate the keys

# cd to .ssh
cd ~/.ssh

# generate the key using ssh-keygen command, it will be available by default
# hit ENTER and do not type anything
ssh-keygen

# sample out
ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:yEOFqmdlnOceEdKHzIimlfd+hp0KC+UY2pQbPmIPigM root@f48ddca5ddac
The key's randomart image is:
+---[RSA 3072]----+
|     o *..       |
|    = =.* .      |
|   + =.+ o       |
|  . *o*.+        |
|   * X++S+ .     |
|E * X o.= =      |
|oo * o + =       |
|+   . . o        |
| .               |
+----[SHA256]-----+

when running ssh-keygen just hit ENTER and do not type anything

I ran the ssh-keygen as root on my Linux machine so my home directory is /root and yours will be different if you were not root user.

If you already had the default keys id_rsa and id_rsa.pub the will be overwritten! So have the backup of previous ones if you re-generated them.

if you be in other directory and not .ssh/ still the ssh-keygen command tries to pick up the right home directory for you and even creating it , as you can see

Created directory '/root/.ssh'.

Transfer you public key to the remote host

After using ssh-keygen will have the following

# a sample output
root@f48ddca5ddac:~/.ssh# ll
total 24
drwx------. 2 root root 4096 Mar 18 08:31 ./
drwx------. 1 root root 4096 Mar 18 08:31 ../
-rw-------. 1 root root 2602 Mar 18 08:31 id_rsa
-rw-r--r--. 1 root root  571 Mar 18 08:31 id_rsa.pub
root@f48ddca5ddac:~/.ssh# 

# the public-key
id_rsa.pub

# the priviate key
id_rsa

# now we can transfer our public-key to remote host
# method one using ssh-* itself (use this one)
ssh-copy-id <USER>@<IP-ADDRESS>

# method two using scp or rsync
scp .ssh/id_rsa.pub <USER>@<IP-ADDRESS>:/home/<USER>

# then will ask you to enter your password and will copy your
# id_rsa.pub to remote host at .ssh/authorized_keys

# this file (authorized_keys) will hold our public-key
# then we should be able to login without password
# login
ssh <USER>@<IP-ADDRESS>

Add your credentials to the `config` file in `.ssh` directory

For every login we have to enter our username and remote host's IP Address to mitigate this and automate login for other apps e.g. git push and pull we should config config file

# go to .ssh directory
cd ~/.ssh

# use your editor and add the following
Host <NAME>
    HostName <IP-ADDRESS>
    port <PORT>
    user <USER>
    IdentityFile /home/<USER>/.ssh/id_rsa
    
# <NAME> => it is an alias and can be anthing
# <IP-ADDRESS> => enter your remote host IP address
# <PORT> => default is 22 if you did not change it
# <USER> => your user name with which you have loged in

# this part is option since we use the default id_rsa name
IdentityFile /home/<USER>/.ssh/id_rsa
# you have leave it stay there ir remove or comment it like bellow
Host <NAME>
    HostName <IP-ADDRESS>
    port <PORT>
    user <USER>
    # IdentityFile /home/<USER>/.ssh/id_rsa

A sample for root users

Host docker
    HostName 49.12.46.50
    port 22
    user root
    IdentityFile /root/.ssh/id_rsa

A sample for non-root users

Host docker
    HostName 49.12.46.50
    port 22
    user <A-USER-THAT-HAS-ACCESS-TO-LOGIN>
    IdentityFile /home/shm/.ssh/id_rsa

Set the right permission

If we enter everything right, but do not have the right permission, ssh gives us error and does not work properly.

# config file
chmod 644 config

# *.pub file can be 644 too
chmod 644 *.pub

# private keys should be 600 ( only read and write for the owner )
chmod 600 ANY-PRIVATE-KEY-YOU-HAVE
# e.g.
chmod 600 id_rsa

After configuring config we should be able to login simply by

# ssh + Host name e.g.
ssh docker

# or your name what ever it is
ssh <YOUR-HOST-NAME>

Make the connection reliable

For keeping the ssh connection we have alive we can add the following to config file

Host docker
...
...

Host *
    Compression yes
    KeepAlive yes
    ServerAliveInterval 240

Generate more secure keys to prevent brute-force attack

We can have a more secure keys and prevent brute-force attack using:

-a rounds When saving a new-format private key (i.e. an ed25519 key or when the -o flag is set), this option specifies the number of KDF (key derivation function) rounds used. Higher numbers result in slower passphrase verification and increased resistance to brute-force password cracking (should the keys be stolen).
-o Causes ssh-keygen to save private keys using the new OpenSSH format rather than the more compatible PEM format. The new format has increased resistance to brute-force password cracking but is not supported by versions of OpenSSH prior to 6.5. Ed25519 keys always use the new private key format.
-b bits Specifies the number of bits in the key to create. For RSA keys, the minimum size is 1024 bits and the default is 2048 bits. Generally, 2048 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, the -b flag determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will fail. Ed25519 keys have a fixed length and the -b flag will be ignored.
-t dsa | ecdsa | ed25519 | rsa

Here is an example of it

ssh-keygen -t rsa -b 4996 -a 100 -o

Generate custom private key and public key

If we do not want to use id_rsa and id_rsa.pub keys or no, we have them but wanted to have more specific keys, with -f option we can specify the path and name of new file:

when running ssh-keygen just hit ENTER and do not type anything

# test with a custom name: my_name
# hit ENTER and do not type anything
ssh-keygen -t rsa -b 4096 -a 100 -o -f my_name

# sampe output
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in my_name.
Your public key has been saved in my_name.pub.
The key fingerprint is:
SHA256:pL39qY4hI/xkp0XjOP6jpcoWfIOjQolatc82dl1nGH8 root@docker
The key's randomart image is:
+---[RSA 4996]----+
|                 |
|                 |
|        .        |
|    .  +    .    |
|. .o o. S    +   |
|.o..* o+ +  o + E|
|o. .o*B.B... o . |
|o ...**Xoo.. .   |
| . .o+*=ooo.o    |
+----[SHA256]-----+

# result
# we will have both id_rsa, rsa_pub
# also we will have my_name, my_name.pub
[root@docker .ssh]# ll
total 24
-rw-------. 1 root root  395 Mar  8 08:57 authorized_keys
-rw-r--r--. 1 root root  118 Mar 11 10:06 config
-rw-------. 1 root root 4063 Mar 18 15:58 id_rsa
-rw-r--r--. 1 root root  885 Mar 18 15:58 id_rsa.pub
-rw-------. 1 root root 4063 Mar 18 16:06 my_name
-rw-r--r--. 1 root root  885 Mar 18 16:06 my_name.pub
[root@docker .ssh]#

# NOTE wherever we run this command, will be saved there
# so if you have been in a directory e.g. /tmp files will
# be created in /tmp not in .ssh
# so either go to ~/.ssh or add the absolute path
# <USER> => you username
ssh-keygen -t rsa -b 4096 -a 100 -o -f /home/<USER>/my_name

PreviousSSH NextUntitled

Last updated 4 years ago

Was this helpful?