This comprehensive Linux guide expects that you run the following commands as the root user. If you decide to run the commands as a different user, ensure that the user has sudo access and that you precede each of the privileged commands with sudo.
Secure Shell (SSH) is a cryptographic network protocol used for secure connections between a client and a server, and it supports various authentication mechanisms. The two most popular mechanisms are password-based authentication and public-key-based authentication.
To set up a passwordless SSH login in Linux, all you need to do is generate a public authentication key and append it to the remote host's ~/.ssh/authorized_keys file.
Check For Existing Key Pair
Before generating a new SSH key pair, first check whether you already have an SSH key on your client machine, because you don't want to overwrite your existing keys.
To check for an existing SSH key pair, run the following command:
$ ls -al ~/.ssh/id_*.pub
If you see No such file or directory or no matches found, it means that you do not have an SSH key.
Generate Authentication Key Pair
You can generate an authentication key pair by running the ssh-keygen command:
$ ssh-keygen -t rsa
-t stands for the type. This command will generate an RSA type key pair.
Setting The Key Length Manually
By default the key is 2048 bits long. If you prefer stronger security, you can specify a 4096-bit key as shown below.
$ ssh-keygen -t rsa -b 4096
The ssh-keygen tool will ask you to type a secure passphrase. Whether you use a passphrase is up to you; if you choose to use one, you get an extra layer of security. In most cases, developers and system administrators use SSH keys without a passphrase because such keys are useful for fully automated processes. If you don't want to use a passphrase, just press Enter.
Enter passphrase (empty for no passphrase):
Verification Of The Key Pair
To be sure that the SSH keys were generated, you can list your new private and public keys using the following command:
$ ls ~/.ssh/id_*
/home/yourusername/.ssh/id_rsa
/home/yourusername/.ssh/id_rsa.pub
Copy Your Public Key To Remote Linux Server
Use the ssh-copy-id command to install the public half of the newly generated authentication key into a specific user's home directory on the remote host. Run the following command in your terminal (user@remote_host is a placeholder for your remote user name and server address):
$ ssh-copy-id -i ~/.ssh/id_rsa.pub user@remote_host
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@remote_host's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'user@remote_host'"
and check to make sure that only the key(s) you wanted were added.
If the openssh-client is not installed on your system, you will not be able to run the ssh-copy-id command. If that's the case, you can use the following command, which also creates the remote ~/.ssh directory if it does not exist yet:
$ cat ~/.ssh/id_rsa.pub | ssh user@remote_host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Login To SSH Server
The public key is stored in the .ssh/authorized_keys file under the remote user's home directory. Now ssh into the remote server:
$ ssh user@remote_host
Disabling Password Authentication
Although the SSH key is now used by default to log in to your server, you can still log in with a normal password from another machine. You don't want hackers using brute force to break into your server.
To disable password authentication, edit the /etc/ssh/sshd_config file on the remote server.
$ nano /etc/ssh/sshd_config
Find this line:
Change it to:
Then find this line
If its value is yes, change it to no. Otherwise you will still be asked for password authentication.
Save the file and exit.
Then run one of the following commands:
$ service ssh restart
or
$ systemctl restart ssh
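The directives this section refers to did not survive on the page, so the following added example (not from the original guide) assumes they are PasswordAuthentication and KbdInteractiveAuthentication (older alias: ChallengeResponseAuthentication). It reads an sshd_config-style file the way sshd reads the global section, where the first value wins and commented lines are ignored, and reports whether password logins are really off; the sample file is constructed.

```bash
#!/bin/sh
# Added example. sshd keeps the FIRST value it reads for a keyword, matches
# keywords case-insensitively and skips '#' lines, so a later "no" does not
# override an earlier "yes".

# usage: effective_value <file> "<keyword aliases, space separated>" <default>
effective_value() {
    awk -v keys="$2" -v def="$3" '
        BEGIN { n = split(tolower(keys), k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        { sub(/[ \t]*=[ \t]*/, " ") }              # accept "Keyword=value" too
        NF == 0 || $1 ~ /^#/     { next }          # blank or commented-out line
        tolower($1) == "match"   { exit }          # global section ends here
        (tolower($1) in want)    { print tolower($2); found = 1; exit }
        END { if (!found) print def }              # keyword absent: sshd default
    ' "$1"
}

# Returns 0 only when both password-style methods are effectively "no".
password_login_disabled() {
    pw=$(effective_value "$1" "passwordauthentication" yes)
    kbd=$(effective_value "$1" "kbdinteractiveauthentication challengeresponseauthentication" yes)
    echo "PasswordAuthentication=$pw KbdInteractiveAuthentication=$kbd"
    [ "$pw" = no ] && [ "$kbd" = no ]
}

# Constructed sample: the commented line is ignored and the first live
# PasswordAuthentication line wins over the later one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication yes
PubkeyAuthentication yes
passwordauthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
if password_login_disabled "$sample"; then
    echo "password logins are disabled"
else
    echo "password logins are still possible"
fi
rm -f "$sample"
```

Include files and Match blocks are not followed here; on the server, `sshd -t` validates the file before you restart and `sshd -T` prints the fully resolved settings.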
Checking The Correct Permissions
If the above steps were followed and you are still being prompted for the password, inspect the permissions on both the local and remote user's files. The permissions of the directories should be exactly as shown below.
drwx------. 25 oracle oinstall 4096 July 21 11:01 /home/oracle/
drwx------. 2 oracle oinstall 4096 July 17 13:13 /home/oracle/.ssh
-rw-------. 1 oracle oinstall 420 July 17 13:13 /home/oracle/.ssh/authorized_keys
If the permissions are not as shown above, set them correctly using the following commands:
$ chmod 600 ~/.ssh/authorized_keys
$ chmod 700 ~/.ssh/
Then restart the service:
$ service sshd restart
SELinux can also potentially prevent sshd from accessing the ~/.ssh directory on the server. This problem can be ruled out (or resolved) by running restorecon as follows on the remote user's ~/.ssh directory:
$ restorecon -Rv ~/.ssh
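The permission check described above can be scripted. This added example (not from the original guide) flags the condition that makes sshd's StrictModes check reject a key login, namely a home directory, ~/.ssh or authorized_keys that is writable by group or others; it assumes GNU stat and runs against a constructed demo directory.

```bash
#!/bin/sh
# Added example. With StrictModes (on by default) sshd refuses key login when
# the home directory, ~/.ssh or authorized_keys is writable by group or others.
# Assumes GNU stat (Linux).

# usage: ssh_path_problems <home-dir>   prints one line per problem found
ssh_path_problems() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            continue
        fi
        mode=$(stat -c '%a' "$p")
        # 022 = write bit for group and for others
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "writable by group/others (mode $mode): $p"
        fi
    done
}

# usage: ssh_paths_ok <home-dir>   returns 0 when nothing is reported
ssh_paths_ok() {
    [ -z "$(ssh_path_problems "$1")" ]
}

# Constructed demo tree; .ssh is deliberately left group-writable.
demo=$(mktemp -d)
mkdir "$demo/.ssh"
: > "$demo/.ssh/authorized_keys"
chmod 700 "$demo"
chmod 770 "$demo/.ssh"
chmod 600 "$demo/.ssh/authorized_keys"
ssh_path_problems "$demo"
chmod 700 "$demo/.ssh"    # the fix the guide gives
ssh_paths_ok "$demo" && echo "modes OK"
rm -rf "$demo"
```

On a real server, run `ssh_path_problems /home/yourusername` as that user or as root; when this check fails, sshd logs "Authentication refused: bad ownership or modes" for the offending path.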
Backing Up Your Public/Private Key
Once you disable SSH password authentication, it is very important to back up your SSH keys. If you lose the keys, you will be locked out of your server. Back up your public/private key pair to a safe location such as your USB drive.
$ cp ~/.ssh/id_rsa* /path/to/backup/location/
You can copy the key pair to a new Linux computer and ssh into your server using the SSH keys. Once you have copied the key pair to the new computer, you need to change the owner of the key pair to the user on the new computer.
$ chown new-user:new-user id_rsa*
And then move them to the .ssh/ directory of the new user.
$ mv id_rsa* ~/.ssh/
Changing Private Key Passphrase
If you want to change your private key passphrase, you can run the following command:
$ ssh-keygen -f ~/.ssh/id_rsa -p
You will be asked for your old passphrase and then the new passphrase.