1. Pre-requisites
- An SSH client is installed on the local machine
- An SSH server is installed and activated on the remote machine (otherwise you won't be able to SSH in even with a password)
- Make sure that you are able to SSH login from the local machine to the remote machine with a password
IMPORTANT! You need to know what you are doing! Passwordless SSH logins trade off some security for convenience. Anybody who has access to your account on the client machine can access your account on the server machine without supplying any password.
2. SSH Client -- Generate a Private / Public Key Pair
Generate a key pair on the local machine. By default (at the time of this writing), a pair of RSA keys for use in SSH protocol 2 connections will be generated.
    [local] $ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/xxxx/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/xxxx/.ssh/id_rsa.
    Your public key has been saved in /home/xxxx/.ssh/id_rsa.pub.
    The key fingerprint is:
    xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx xxxx@host

Keep pressing [Enter] to accept the default options. ssh-keygen will prompt you for confirmation if a pair has already been generated. An empty passphrase is used here to trade off security for convenience: the private key id_rsa is then stored unencrypted on the local disk.
3. SSH Server -- Authorization with Key Pair
To update the server to use key pair authorization, append the content of the public key id_rsa.pub just generated to the remote account's ~/.ssh/authorized_keys. Make sure that the latter file has a permission of 600. The ~/.ssh/ directory should have a permission of 700 for security.
To test the setup, simply invoke:

    [local] $ ssh remote_user@remote_host

It should not prompt you for a user name and password to log in. Nonetheless, if this is the first time the local client logs in to the remote server, ssh will still need your one-time permission to accept the server's key fingerprint:

    [local] $ ssh remote_user@remote_host
    The authenticity of host 'xxxxxx (yyyyyy)' can't be established.
    RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
    Are you sure you want to continue connecting (yes/no)?
You only need to accept this once. After accepting the connection, ssh will append the related information to ~/.ssh/known_hosts, and will not ask you the question again next time. (See Section 4.2 below for details.)
4. Useful Tips
4.1. An Easy Way to Update the Server
You can update the server with the following one-line command:

    [local] $ cat ~/.ssh/id_rsa.pub | ssh remote_user@remote_host 'sh -c "mkdir -p -m 700 ~/.ssh/ && cat - >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"'
This is handy for setting up many passwordless clients.
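The server-side steps of Sections 3 and 4.1 as a script, added here as an example and not part of the original page: it appends the key only when that exact line is absent (the one-liner above adds a duplicate line on every run) and enforces the 700/600 modes even when ~/.ssh/ already exists. The function names install_pubkey and check_ssh_perms are assumptions, and only the key types listed in the case statement are accepted.

```shell
#!/bin/sh
# Added example; install_pubkey and check_ssh_perms are hypothetical names.

# install_pubkey PUBKEY_FILE [HOME_DIR]: run on the server side.
install_pubkey() {
    pub=$1
    home=${2:-$HOME}
    dir=$home/.ssh
    auth=$dir/authorized_keys

    # Accept exactly one non-empty line that looks like a public key.
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    [ "$(grep -c . "$pub")" -eq 1 ] || { echo "expected one key line" >&2; return 1; }
    key=$(grep . "$pub")
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not a public key line" >&2; return 1 ;;
    esac

    # Create with restrictive modes whatever the caller's umask is, then
    # fix the modes of files that already existed.
    ( umask 077; mkdir -p "$dir" && touch "$auth" ) || return 1
    chmod 700 "$dir" && chmod 600 "$auth" || return 1

    # Append only when this exact line is absent, so re-runs add nothing.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# check_ssh_perms [HOME_DIR]: succeed only with modes 700 and 600.
check_ssh_perms() {
    home=${1:-$HOME}
    [ "$(ls -ld "$home/.ssh" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -l "$home/.ssh/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}

# Usage on the server: sh this_script /path/to/id_rsa.pub
if [ $# -gt 0 ]; then
    install_pubkey "$1" && check_ssh_perms
fi
```

Because a private key file spans several lines, passing id_rsa instead of id_rsa.pub by mistake is rejected before anything is written.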
4.2. Bypass Host Key Checking
For certain applications, you may want the client to log in to the remote server without verifying the server's key fingerprint even once. This can happen, say, if the client logs in by host name to a server whose IP address changes frequently. To again trade off security for convenience by suppressing the verification, you can modify the following option in ~/.ssh/config (for the local account) or /etc/ssh/ssh_config (system-wide):
StrictHostKeyChecking no
This controls the behavior of the ssh client in verifying the host key of the remote server. It can be no (do not verify), ask (ask once; default), or yes (always verify).
