Set up password-less login to SSH on Linux
SSH login without password
SSH (Secure Shell) is commonly used when administering remote servers. If you work on a server regularly and find it tiring to type the ssh password again and again, it can be a good option to configure the login so that it does not ask for the password. However, this does not mean that the login is not authenticated. Instead, a different authentication scheme is used.
Key based authentication
The solution is to set up and use key based authentication. In key based authentication, the authentication is done by a file that is present on your system, instead of you having to type the password again and again.
This key based authentication is based on using public key cryptography. In this authentication scheme there are 2 key files, one is kept on the server and other on your local machine. These are called public and private keys respectively. The keys always exist in unique pairs such that you must have the right private key in order to authenticate with the public key present on the server.
OpenSSH, the most common ssh package used on Linux, can be easily configured to use the key based authentication mechanism. And it takes only a few steps to configure.
Generate the keys
On Ubuntu we are going to use the ssh-keygen command to generate the pair of keys.
# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/john/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/john/.ssh/id_rsa.
Your public key has been saved in /home/john/.ssh/id_rsa.pub.
The key fingerprint is:
86:0c:a6:8d:c1:35:91:ab:b2:09:b8:b0:55:2f:58:2c [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
| +o |
| . ... |
| o.o. |
| E*=o . |
|. o*..o S |
|= + . .. |
|oB . |
|= |
| |
+-----------------+
While generating the keys, ssh-keygen asks for some information, such as where to save the key files and whether to set a passphrase. A passphrase encrypts the private key file on disk; if you leave it empty, anyone who obtains a copy of that file can use it to log in as you. The keys are saved by default in the ".ssh" directory in your home directory. It can be any other location, but we use the default one to keep it simple.
Once the keys are generated you might want to peek into the ".ssh" directory. You will find 2 files there, called id_rsa and id_rsa.pub.
The first file, id_rsa, is the private key file. This file must always stay on your computer and is meant to be kept hidden from the outside world. The second file, id_rsa.pub, is the public key file, which is meant to be distributed to anyone who needs to authenticate your identity (which in this case is the webserver).
Give the public key to the server
Now it's time to give the public key file id_rsa.pub to the webserver, so that it can authenticate using the key and not ask for the password again and again. To copy the public key file, we use the ssh-copy-id command, which takes our public key and copies it into the ~/.ssh/authorized_keys file on the remote server.
$ ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]_web_server
The authenticity of host 'remote_web_server (220.127.116.11)' can't be established.
RSA key fingerprint is 26:50:b5:51:3d:06:a8:10:52:f8:8a:60:23:a7:31:a8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'remote_web_server' (RSA) to the list of known hosts.
[email protected]_web_server's password:
stdin: is not a tty
Now try logging into the machine, with "ssh [email protected]_web_server'", and check in:
~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
$
So now our public key has been copied over to the remote server. The output of the above command asks us to login using ssh to test if it works fine or not.
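The ssh-copy-id output above suggests checking ~/.ssh/authorized_keys for keys you were not expecting. The script below is an added example, not part of the original article, that performs that check on the server. The function names and the sample key lines are constructed for illustration, and only the common key types (RSA, DSA, Ed25519, ECDSA) are recognised.

```shell
#!/usr/bin/env bash
# Added example: audit authorized_keys on the server after ssh-copy-id.

# Print "type base64" for each key line, skipping comments, blank lines and
# any leading options field such as from="10.0.0.5".
key_bodies() {
    awk '/^[ \t]*#/ || NF == 0 { next }
         { for (i = 1; i < NF; i++)
               if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+)$/) {
                   print $i, $(i + 1); break } }' "$1"
}

# audit_authorized_keys AUTH_FILE EXPECTED_PUB
# Returns 0 only if EXPECTED_PUB is the sole key in AUTH_FILE and AUTH_FILE is
# not writable by group or others; otherwise prints findings and returns 1.
audit_authorized_keys() {
    ak_file=$1 ak_status=0
    ak_want=$(key_bodies "$2")
    [ -n "$ak_want" ] || { echo "ERROR: no key found in $2"; return 2; }
    if [ -n "$(find "$ak_file" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "WARN: $ak_file is writable by group or others"; ak_status=1
    fi
    if ! key_bodies "$ak_file" | grep -qxF -- "$ak_want"; then
        echo "WARN: expected key is missing from $ak_file"; ak_status=1
    fi
    ak_extra=$(key_bodies "$ak_file" | grep -cvxF -- "$ak_want" || true)
    if [ "$ak_extra" -gt 0 ]; then
        echo "WARN: $ak_extra unexpected key(s) in $ak_file:"
        key_bodies "$ak_file" | grep -vxF -- "$ak_want" | cut -c1-48
        ak_status=1
    fi
    return $ak_status
}

# Constructed sample data: placeholder blobs, not real keys.
demo_dir=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedKEYone john@laptop' > "$demo_dir/id_rsa.pub"
cp "$demo_dir/id_rsa.pub" "$demo_dir/clean"
{ cat "$demo_dir/id_rsa.pub"
  echo '# added by someone else'
  echo 'from="10.0.0.5" ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedKEYtwo other@host'
} > "$demo_dir/tampered"
chmod 600 "$demo_dir/clean" "$demo_dir/tampered"

audit_authorized_keys "$demo_dir/clean" "$demo_dir/id_rsa.pub" && echo "clean: OK"
audit_authorized_keys "$demo_dir/tampered" "$demo_dir/id_rsa.pub" || echo "tampered: review needed"
```

On a real server, call it as audit_authorized_keys ~/.ssh/authorized_keys followed by the path to a copy of your id_rsa.pub.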
Login to the server
Now log in to the remote machine without a password:
$ ssh [email protected]_web_server
Last login: Wed Jan 2 11:26:14 2013 from 18.104.22.168
[email protected]_web_server [~]#
Great, we logged in without the password.