Set Up Passwordless SSH

When managing hundreds or thousands of servers, you need to be able to log into many machines and pull information out of them quickly.

Passwordless SSH makes that practical. "Passwordless" here means public-key authentication: the server verifies a signature made with your private key instead of asking for a password. In this tip, I'll show you how to set things up so that an ssh from one machine to another does not prompt for a password.

On your originating computer (such as your Linux laptop), generate the private/public key pair. When asked for a passphrase twice, just hit ENTER for now to keep this first example as simple as possible (the passphrase-protected case is covered further down):

$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):        
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
e9:85:da:69:e0:65:a4:4b:0d:73:78:8e:1c:d8:00:8c username@laptop


-t rsa selects the RSA key type; without -t the default is also RSA. The key is used to sign a challenge from the server, not to encrypt your session. Older guides (and older versions of this one) suggest -t dsa as an alternative: don't. DSA keys are limited to 1024 bits, have been disabled by default since OpenSSH 7.0 and were removed entirely in OpenSSH 10.0. If both ends run a reasonably current OpenSSH, -t ed25519 is the better choice today: small keys, fast, and no key-length decision to make.

-b 4096 sets the RSA key length in bits. Use at least 2048; 4096 is a sensible default for new RSA keys. The longer the modulus, the harder it is to factor, which is what "breaking" the key would mean. (Key length is an RSA knob only; ed25519 keys have a fixed size and ignore -b.)

Also note that a longer key makes the initial handshake slightly slower, because signing and verifying cost more. This is paid once per connection and is not noticeable in practice. Once logged in, everything else works exactly as before.

After running the command above, you should see two new files in /home/username/.ssh/:

-rw-------  1 user group 3311 Aug 23 17:50 id_rsa
-rw-r--r--  1 user group  749 Aug 23 17:50 id_rsa.pub


id_rsa is your private key and must never leave this machine. It is created with mode 0600, so only you can read it. Don't loosen these permissions: ssh refuses to use a private key that is readable by group or others and prints an "UNPROTECTED PRIVATE KEY FILE!" warning, after which it falls back to asking for a password.

id_rsa.pub is the public key, a single line of text. That line has to be present in /home/username/.ssh/authorized_keys on every server you want to reach without a password. With sshd's default StrictModes yes, the remote ~/.ssh and authorized_keys must be owned by you and must not be writable by group or others (0700 and 0600 are the usual choices), otherwise sshd silently ignores the file and you get a password prompt with no explanation.

One way to get it there is scp (this first copy still uses your password):

$ scp /home/username/.ssh/id_rsa.pub username@destination_server:/home/username/.ssh/authorized_keys

Be aware that this overwrites any authorized_keys that already exists on the destination, so only do it on a fresh account. If the file already holds other people's keys, append your line to it instead.

Or you can simply create /home/username/.ssh/authorized_keys on the destination server and paste the one-line content of id_rsa.pub into it.

Now "ssh username@destination_server" should log you straight in with no password prompt. If it still asks, run ssh -v to see which key is offered and whether the server accepts it, then check the ownership and permissions of ~/.ssh and authorized_keys on the server side; sshd logs the reason it rejected a key in the server's auth log.
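The steps above installed one public key on one server by hand. Below is an added example (my own script, not code from the original post) of how I would do the destination-side part when managing many accounts: append to authorized_keys instead of overwriting it, never add the same key twice, set the modes sshd's StrictModes requires, and mirror the permission check ssh itself applies to a private key. It assumes the key pair already exists; the key strings in the demo are constructed filler, not real keys, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: install a public key on the
# destination side the way a practitioner would, appending instead of
# overwriting authorized_keys (the scp command in the post replaces the file),
# skipping keys already present, and setting the modes sshd's StrictModes and
# ssh's private-key check require. Assumes the key pair already exists.

# install_authorized_key PUBKEY_LINE HOME_DIR
# Append one "ssh-<type> <base64> <comment>" line to HOME_DIR/.ssh/authorized_keys
# unless an identical line is already there.
install_authorized_key() {
    pubkey=$1
    sshdir="$2/.ssh"
    authkeys="$sshdir/authorized_keys"
    # umask 077 in a subshell: anything created here is owner-only from the
    # first instant, with no window where the file is world-readable.
    (umask 077; mkdir -p "$sshdir"; touch "$authkeys")
    # If the directory or file pre-existed with looser modes, tighten them:
    # sshd (StrictModes yes) ignores authorized_keys when ~/.ssh or the file
    # is writable by group or others.
    chmod 700 "$sshdir"
    chmod 600 "$authkeys"
    # -F fixed string, -x whole line: the same key is never appended twice.
    if ! grep -qxF -- "$pubkey" "$authkeys"; then
        printf '%s\n' "$pubkey" >> "$authkeys"
    fi
}

# count_authorized_keys AUTHKEYS_FILE
# Print the number of key lines, ignoring comments and blank lines.
count_authorized_keys() {
    grep -c -v -e '^#' -e '^[[:space:]]*$' "$1" || true
}

# private_key_is_protected KEYFILE
# Mirror the check ssh makes before using a private key: it refuses any key
# readable by group or others ("UNPROTECTED PRIVATE KEY FILE!"). Returns 0 when
# the mode is exactly 0600 or 0400. POSIX find -perm with no leading '-' or '/'
# is an exact match, so this works with both GNU and BSD find.
private_key_is_protected() {
    [ -n "$(find "$1" -prune \( -perm 600 -o -perm 400 \) -print)" ]
}

# remote_install_key PUBKEY_FILE USER@HOST
# The same append-don't-overwrite install over the wire. The remote command
# reads the key from stdin, which ssh connects to the local file. This one
# connection still authenticates with your password (or an existing key).
remote_install_key() {
    ssh "$2" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys;
              chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys' < "$1"
}

# Demo against a throwaway "remote" home directory. The key material below is
# constructed filler, not real keys.
demo() {
    home=$(mktemp -d)
    key1='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOneNotReal000000000000 username@laptop'
    key2='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwoNotReal000000000000 username@desktop'
    install_authorized_key "$key1" "$home"
    install_authorized_key "$key2" "$home"
    install_authorized_key "$key1" "$home"   # duplicate, must not be added again
    echo "keys installed: $(count_authorized_keys "$home/.ssh/authorized_keys")"   # 2
    rm -rf "$home"
}
demo
```

For a real rollout, call remote_install_key ~/.ssh/id_rsa.pub username@destination_server once per host; every later ssh to that host then uses the key. The local functions are the ones worth keeping in your toolbox, because they are what you run on the destination when you already have a shell there, and the permission check is the first thing to look at when a key "mysteriously" stops working.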

Use a Passphrase to Protect Your Key

Some environments mandate that SSH private keys are protected with a passphrase, and it is good practice anyway: a stolen or backed-up copy of id_rsa is useless to an attacker without it. In that case, type a passphrase when ssh-keygen asks instead of leaving it empty.

Before passwordless SSH works with a protected key, you have to unlock it once by loading it into ssh-agent, which then holds the decrypted key in memory and signs for you on every connection. You only do this once per session; it keeps working until you kill the agent. The first command below writes the agent's SSH_AUTH_SOCK and SSH_AGENT_PID export lines to a file; sourcing that file in any shell makes that shell talk to the same agent.

$ ssh-agent > ~/.ssh/.username
$ source ~/.ssh/.username
$ ssh-add
Enter passphrase for /home/username/.ssh/id_rsa:
Identity added: /home/username/.ssh/id_rsa (/home/username/.ssh/id_rsa)


Kill the agent when you're done so the unlocked key does not outlive your session. ssh-agent -k sends the agent identified by SSH_AGENT_PID a termination signal and then only prints the shell commands shown below; the unset lines are not applied to your shell unless you eval the output (or source it from a file as above).

$ ssh-agent -k
unset SSH_AUTH_SOCK;
unset SSH_AGENT_PID;
echo Agent pid 18161 killed;
