Quick Guide: Automatically log in to an SSH session without a password prompt
Brief SSH key setup instructions:
On your local box, create a hidden folder, .ssh, in your home directory, and restrict the permissions on this folder. Then, generate the RSA keys with ssh-keygen:
mkdir ~/.ssh
chmod 700 ~/.ssh
ssh-keygen -t rsa -b 4096
When you run ssh-keygen, the command will ask where you want to save the key. Press Enter to accept the default directory (~/.ssh/id_rsa). ssh-keygen will then ask if you want to enter a passphrase to protect the key. For many applications an empty passphrase is perfectly acceptable, but if you are on a system that demands high security, like a production system, read the note below about passphrases. Otherwise, just press Enter twice for an empty passphrase.
Ignore the key fingerprint and the “randomart” image that is printed out after ssh-keygen returns. Finally, install the public key on the remote machine:
ssh-copy-id [remote username]@[remote host]
After running this command, you will likely be greeted with a message similar to this one:
RSA key fingerprint is f9:b5:78:da:ad:db:98:2f:b4:0c:1c:2e:ec:6b:ee:ca.
Are you sure you want to continue connecting (yes/no)?
This is an expected warning that is displayed because your local computer does not yet know the RSA key fingerprint of the remote host. Hereafter, no authenticity warnings will be shown when you connect to the remote host. Type in “yes” to continue and enter your password when prompted to complete the RSA key setup process.
Try it out
After setting up SSH keys, try to connect to the remote host:
ssh [remote username]@[remote host]
If the RSA keys were set up successfully, the SSH session to the remote host should be initiated without the need to enter a password.
Why use RSA keys?
Setting up RSA keys for authentication allows you to connect to a remote host without entering a password. Typing in your password when connecting to a remote terminal is a hassle, especially if your administrator has implemented needlessly onerous password restrictions. More importantly, executing tasks or checking conditions on a remote host from an automated test script is much easier when there is no need to interact with a password prompt.
Think of the passphrase like a password to unlock your private key (the contents of the ~/.ssh/id_rsa file). If an attacker steals your private key, and the key doesn’t have a passphrase, the attacker will be able to use the key to access any remote hosts that are authorized with that key. Conversely, an RSA key that is protected with a passphrase will need the passphrase to be entered before the key can be used to connect to the remote host. In this way, using a passphrase provides some extra protection. If at some point you realize that your local computer has been compromised, a passphrase might delay the attacker long enough for you to delete your old key from the remote host.
Note that even if you choose to use a passphrase, entering the passphrase each time the computer is booted or an SSH session is initialized generally is not necessary. Most modern Linux distributions will handle the keychain process automatically. You will only be required to enter the passphrase the first time that you use the key. In this sense, adding a passphrase is almost always a good idea, simply because the overhead of adding a passphrase is so low. The flip side to this argument is that if you are using keys on a system where security is not paramount (in a test environment, for example) and where the probability of attack is relatively low, adding a passphrase to your SSH keys may be unnecessary.
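As an added example (not part of the original guide), the script below audits a local SSH directory for the two things discussed above: the restricted permissions from the setup step and whether each private key is stored without a passphrase. The function names and finding labels (DIR_MODE, KEY_MODE, NO_PASSPHRASE) are made up for this example, and the passphrase test assumes OpenSSH's ssh-keygen is installed.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a client-side SSH directory.

# mode_of PATH: print octal permission bits (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# is_private_key FILE: true when the first line is a PEM/OpenSSH private-key header.
is_private_key() {
    head -n 1 "$1" 2>/dev/null | grep -q -- '-----BEGIN .*PRIVATE KEY-----'
}

# has_empty_passphrase FILE: true when ssh-keygen can load the key using "" as
# the passphrase, i.e. the key is stored unencrypted. -P '' prevents any prompt.
# If ssh-keygen is not installed, this reports nothing.
has_empty_passphrase() {
    ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# audit_ssh_dir DIR: print one finding per line; return 1 if there was any.
audit_ssh_dir() {
    dir=$1
    findings=0
    if [ "$(mode_of "$dir")" != 700 ]; then
        echo "DIR_MODE $dir"; findings=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        is_private_key "$f" || continue
        case $(mode_of "$f") in
            600|400)
                # ssh-keygen refuses to read keys with loose permissions, so the
                # passphrase test only makes sense once the mode is correct.
                if has_empty_passphrase "$f"; then
                    echo "NO_PASSPHRASE $f"; findings=1
                fi ;;
            *)  echo "KEY_MODE $f"; findings=1 ;;
        esac
    done
    return "$findings"
}

# Run against a directory given on the command line, e.g.: sh audit.sh ~/.ssh
if [ "$#" -gt 0 ]; then
    audit_ssh_dir "$1"
fi
```

A NO_PASSPHRASE line marks a key that anyone who copies the file can use as-is; running ssh-keygen -p -f on that key adds a passphrase without changing the public key installed on remote hosts.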
Here’s the whole process in review:
bash-4.1$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
b7:52:99:79:43:3b:d6:33:25:23:86:f1:46:ff:d4:da username@localhost
The key's randomart image is:
+--[ RSA 4096]----+
| ... .+ |
| . . oo + + |
| +. . o . o .|
| . E . . . +.|
| + S . . =o.|
| = . = = .o|
| o + . |
| . . |
| |
+-----------------+
bash-4.1$ ssh-copy-id remoteUsername@remoteHost
The authenticity of host 'remotehost (100.100.100.100)' can't be established.
RSA key fingerprint is f9:b5:78:da:ad:db:98:2f:b4:0c:1c:2e:ec:6b:ee:ca.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'remotehost,100.100.100.100' (RSA) to the list of known hosts.
username@remotehost's password:
Now try logging into the machine, with "ssh 'username@remotehost'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

bash-4.1$ ssh remoteUsername@remoteHost