We will learn how to log in to a remote host without entering our password every time.
ssh password-less login
Create .ssh directory
The .ssh directory is the default location for our config file and credentials, and ssh reads it automatically. It is usually at /home/$USER/.ssh.
# method one
# execute "mkdir" wherever you are
mkdir -p /home/$USER/.ssh
# method two
# go to home directory then create it
cd ~
mkdir .ssh
Create config file
# after creating ".ssh" directory
cd .ssh
# or
cd /home/$USER/.ssh
# then create a new file named "config"
# method one
# create an empty file
touch config
# method two
# create an empty file
> config
Up to now we have .ssh and .ssh/config in our home directory.
Generate private key and public key
After creating .ssh and .ssh/config, go to the .ssh directory and generate the keys.
When running ssh-keygen, just hit ENTER and do not type anything.
I ran ssh-keygen as root on my Linux machine, so my home directory is /root; yours will be different if you are not the root user.
If you already had the default keys id_rsa and id_rsa.pub, they will be overwritten! So keep a backup of the previous ones if you re-generate them.
If you are in another directory and not in .ssh/, the ssh-keygen command still tries to pick up the right home directory for you and even creates the .ssh directory, as you can see.
Transfer your *public key* to the remote host
After using ssh-keygen we will have the following
Add your credentials to the config file in .ssh directory
For every login we have to enter our username and the remote host's IP address. To avoid this and to automate login for other apps, e.g. git push and pull, we should set up the config file.
A sample for root users
A sample for non-root users
Set the right permission
If we enter everything right but do not have the right permissions, ssh gives us an error and does not work properly.
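To find which file is causing such an error, the following added example (not part of the original page) audits a .ssh directory. It relies on two OpenSSH checks: a private key must not be accessible by group or others, and the directory, config and authorized_keys must not be writable by group or others. The helper names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: list ~/.ssh entries whose mode OpenSSH would reject.
# Assumes GNU stat (-c '%a'); audit_ssh_dir is a hypothetical helper name.

# mode_of PATH -> octal permission bits, e.g. 600
mode_of() { stat -c '%a' "$1"; }

# too_open MODE MASK -> true when MODE has any of the (octal) MASK bits set
too_open() { [ $(( 0$1 & 0$2 )) -ne 0 ]; }

# audit_ssh_dir DIR -> prints one line per finding, returns 1 if any
audit_ssh_dir() {
    dir=$1
    findings=0
    # directory, config and authorized_keys: no write bit for group/others
    for f in "$dir" "$dir/config" "$dir/authorized_keys"; do
        [ -e "$f" ] || continue
        if too_open "$(mode_of "$f")" 022; then
            echo "WRITABLE $f $(mode_of "$f")"
            findings=$((findings + 1))
        fi
    done
    # the file beside each *.pub is a private key: no group/other bits at all
    for pub in "$dir"/*.pub; do
        key=${pub%.pub}
        [ -f "$key" ] || continue
        if too_open "$(mode_of "$key")" 077; then
            echo "TOO_OPEN $key $(mode_of "$key")"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# constructed sample: a scratch directory standing in for ~/.ssh
demo=$(mktemp -d)
touch "$demo/config" "$demo/id_rsa" "$demo/id_rsa.pub"
chmod 644 "$demo/config" "$demo/id_rsa" "$demo/id_rsa.pub"
audit_ssh_dir "$demo" || echo "fix with: chmod 600 <private key>"
rm -rf "$demo"
```

Run `audit_ssh_dir ~/.ssh` on both the local machine and the remote host; an empty result means none of these permission checks will block the login.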
Test the login to remote host
After setting up the config file we should be able to log in simply by
Make the connection reliable
To keep the ssh connection alive, we can add the following to the config file
Generate more secure keys to prevent brute-force attack
We can generate more secure keys and resist brute-force attacks using:
-a rounds When saving a new-format private key (i.e. an ed25519 key or when the -o flag is set), this option specifies the number of KDF (key derivation function) rounds used. Higher numbers result in slower passphrase verification and increased resistance to brute-force password cracking (should the keys be stolen).
-o Causes ssh-keygen to save private keys using the new OpenSSH format rather than the more compatible PEM format. The new format has increased resistance to brute-force password cracking but is not supported by versions of OpenSSH prior to 6.5. Ed25519 keys always use the new private key format.
-b bits Specifies the number of bits in the key to create. For RSA keys, the minimum size is 1024 bits and the default is 2048 bits. Generally, 2048 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, the -b flag determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will fail. Ed25519 keys have a fixed length and the -b flag will be ignored.
-t dsa | ecdsa | ed25519 | rsa
Here is an example of it
Generate custom private key and public key
If we do not want to use the id_rsa and id_rsa.pub keys, or we have them but want more specific keys, the -f option lets us specify the path and name of the new file:
When running ssh-keygen, just hit ENTER and do not type anything.
# cd to .ssh
cd ~/.ssh
# generate the key using ssh-keygen command, it will be available by default
# hit ENTER and do not type anything
ssh-keygen
# sample output
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:yEOFqmdlnOceEdKHzIimlfd+hp0KC+UY2pQbPmIPigM root@f48ddca5ddac
The key's randomart image is:
+---[RSA 3072]----+
| o *.. |
| = =.* . |
| + =.+ o |
| . *o*.+ |
| * X++S+ . |
|E * X o.= = |
|oo * o + = |
|+ . . o |
| . |
+----[SHA256]-----+
Created directory '/root/.ssh'.
# a sample output
root@f48ddca5ddac:~/.ssh# ll
total 24
drwx------. 2 root root 4096 Mar 18 08:31 ./
drwx------. 1 root root 4096 Mar 18 08:31 ../
-rw-------. 1 root root 2602 Mar 18 08:31 id_rsa
-rw-r--r--. 1 root root 571 Mar 18 08:31 id_rsa.pub
root@f48ddca5ddac:~/.ssh#
# the public-key
id_rsa.pub
# the private key
id_rsa
# now we can transfer our public-key to remote host
# method one using ssh-* itself (use this one)
ssh-copy-id <USER>@<IP-ADDRESS>
# method two using scp or rsync
scp ~/.ssh/id_rsa.pub <USER>@<IP-ADDRESS>:/home/<USER>
# either method will ask you to enter your password
# ssh-copy-id adds your id_rsa.pub to .ssh/authorized_keys on the remote host
# (scp only copies the file, so you have to append it to authorized_keys yourself)
# this file (authorized_keys) will hold our public-key
# then we should be able to login without password
# login
ssh <USER>@<IP-ADDRESS>
# go to .ssh directory
cd ~/.ssh
# use your editor and add the following
Host <NAME>
HostName <IP-ADDRESS>
port <PORT>
user <USER>
IdentityFile /home/<USER>/.ssh/id_rsa
# <NAME> => it is an alias and can be anything
# <IP-ADDRESS> => enter your remote host IP address
# <PORT> => default is 22 if you did not change it
# <USER> => the user name with which you log in
# this part is optional since we use the default id_rsa name
IdentityFile /home/<USER>/.ssh/id_rsa
# you can leave it there, remove it, or comment it out like below
Host <NAME>
HostName <IP-ADDRESS>
port <PORT>
user <USER>
# IdentityFile /home/<USER>/.ssh/id_rsa
Host docker
HostName 49.12.46.50
port 22
user root
IdentityFile /root/.ssh/id_rsa
Host docker
HostName 49.12.46.50
port 22
user <A-USER-THAT-HAS-ACCESS-TO-LOGIN>
IdentityFile /home/shm/.ssh/id_rsa
# config file
chmod 644 config
# *.pub file can be 644 too
chmod 644 *.pub
# private keys should be 600 ( only read and write for the owner )
chmod 600 ANY-PRIVATE-KEY-YOU-HAVE
# e.g.
chmod 600 id_rsa
# ssh + Host name e.g.
ssh docker
# or whatever name you chose
ssh <YOUR-HOST-NAME>
# test with a custom name: my_name
# hit ENTER and do not type anything
ssh-keygen -t rsa -b 4096 -a 100 -o -f my_name
# sample output
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in my_name.
Your public key has been saved in my_name.pub.
The key fingerprint is:
SHA256:pL39qY4hI/xkp0XjOP6jpcoWfIOjQolatc82dl1nGH8 root@docker
The key's randomart image is:
+---[RSA 4996]----+
| |
| |
| . |
| . + . |
|. .o o. S + |
|.o..* o+ + o + E|
|o. .o*B.B... o . |
|o ...**Xoo.. . |
| . .o+*=ooo.o |
+----[SHA256]-----+
# result
# we will have both id_rsa, id_rsa.pub
# also we will have my_name, my_name.pub
[root@docker .ssh]# ll
total 24
-rw-------. 1 root root 395 Mar 8 08:57 authorized_keys
-rw-r--r--. 1 root root 118 Mar 11 10:06 config
-rw-------. 1 root root 4063 Mar 18 15:58 id_rsa
-rw-r--r--. 1 root root 885 Mar 18 15:58 id_rsa.pub
-rw-------. 1 root root 4063 Mar 18 16:06 my_name
-rw-r--r--. 1 root root 885 Mar 18 16:06 my_name.pub
[root@docker .ssh]#
# NOTE the files are saved in the directory where we run this command
# so if you are in a directory such as /tmp, the files will
# be created in /tmp, not in .ssh
# so either go to ~/.ssh or add the absolute path
# <USER> => your username
ssh-keygen -t rsa -b 4096 -a 100 -o -f /home/<USER>/my_name