This comprehensive Linux guide expects that you run the following commands as root user but if you decide to run the commands as a different user then ensure that the user has sudo access and that you precede each of the privileged commands with sudo

Secure Shell (SSH) is a cryptographic network protocol used for secure connection between a client and a server and supports various authentication mechanisms. The two most popular mechanisms are passwords based authentication and public key based authentication.

To set up a passwordless SSH login in Linux all you need to do is to generate a public authentication key and append it to the remote hosts ~/.ssh/authorized_keys file.

Check For Existing Key Pair

Before generating a new SSH key pair first check if you already have an SSH key on your client machine because you don’t want to overwrite your existing keys.

To check the existing SSH key pair, run the following command

[email protected]~$ ls -al ~/.ssh/id_*.pub

If you see No such file or directory or no matches found it means that you do not have an SSH key.

Generate Authentication Key Pair

You can general authentication key pair by running the ssh-keygen command.

[email protected]:~$ ssh-keygen -t rsa

The option -t stands for the type. This command will generate a RSA type key pair.

Setting The Key Length Manually

By default the key is 2048 bits long, if you prefer stronger security then you can specify a 4096 bits key like below.

[email protected]:~$ ssh-keygen -t rsa -b 4096

Next, the ssh-keygen tool will ask you to type a secure passphrase. Whether you want to use passphrase it’s up to you, if you choose to use passphrase you will get an extra layer of security. In most cases, developers and system administrators use SSH without a passphrase because they are useful for fully automated processes. If you don’t want to use passphrase just press Enter

Enter passphrase (empty for no passphrase):

Verification Of The Key Pair

To be sure that the SSH keys are generated you can list your new private and public keys using the following command

[email protected]:~$ ls ~/.ssh/id_*

/home/yourusername/.ssh/id_rsa /home/yourusername/.ssh/

Copy Your Public Key To Remote Linux Server

Use the ssh-copy-id command to install the public half of the newly-generated authentication key into a specific user’s home directory on the remote host. Run the following command on your terminal

[email protected]:~$ ssh-copy-id -i ~/.ssh/ [email protected]

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.

If the openssh-client is not installed on your system, you would not be able to run the ssh-copy-id command. If that’s the case, you can us the following command:

[email protected]:~$ cat ~/.ssh/ | ssh [email protected] "cat >> ~/.ssh/authorized_keys"

Login To SSH Server

The public key is stored in .ssh/authorized_keys file under the remote user’s home directory. Now ssh into the remote server

[email protected]:~$ ssh [email protected]

Disabling Password Authentication

Although SSH key is now used by default to log into your server, you can still use normal password to login on another machine. You don’t want hackers using brute force method to hack into your server.

To disable password authentication, edit /etc/ssh/sshd_config file on the remote server.

[email protected]:~$ nano /etc/ssh/sshd_config

Find this line:

#PasswordAuthentication yes

Change it to:

PasswordAuthentication no

Then find this line

ChallengeResponseAuthentication no

If it’s value is yes, change it to no. Otherwise you will still be asked for the password authentication.

Save the file and exit.

Then run the following command:

[email protected]:~$ service ssh restart


[email protected]:~$ systemctl restart ssh

Checking The Correct Permissions

If the above steps were followed and you are still being prompted with the password, inspect the permissions on both the local and remote user’s files. The permissions of the directories should be exactly as show below. 

drwx------. 25 oracle oinstall 4096 July 21 11:01 /home/oracle/
drwx------.  2 oracle oinstall 4096 July 17 13:13 /home/oracle/.ssh
-rw-------.  1 oracle oinstall  420 July 17 13:13 /home/oracle/.ssh/authorized_keys

If the permissions are not as show abover, set them correct using the following command:

[email protected]:~$ chmod 600 ~/.ssh/authorized_keys
[email protected]:~$ chmod 700 ~/.ssh/

Then restart the services

[email protected]:~$ service sshd restart

Disabling SElinux

SELinux can also potentially prevent sshd from accessing the ~/.ssh directory on the server. This problem can be ruled out (or resolved) by running restorecon as follows on the remote user’s ~/.ssh directory:

[email protected]:~$ restorecon -Rv ~/.ssh

Backing Up Your Public/Private Key

Once you disable SSH password authentication, it is very important to back up your ssh keys. If you lose the keys you will be locked out of your server. Back up your public/private keypair to a safe location such as your USB drive.

[email protected]:~$ cp ~/.ssh/id_rsa* /path/to/backup/location/

You can copy the key pair to a new Linux computer and ssh into your server using ssh keys. Once you copied the key pair to a new computer, you need to change the owner of the key pair to the user on the new computer.

chown new-user:new-user id_rsa*

And then move them to .ssh/ directory of the new user.

[email protected]:~$ mv id_rsa* ~/.ssh/

Changing Private Key Passphrase

If you want to change your private key passphrase, you can run the following command:

[email protected]:~$ ssh-keygen -f ~/.ssh/id_rsa -p

You will be asked for your old passphrase and then the new passphrase.