Setting up passwordless SSH access on Linux
SSH stands for Secure Shell Host. It effectively allows you to access the terminal (shell) on a remote machine – securely.
There are two ways to validate your identity when attempting to access a server via SSH: a password, or an SSH key pair.
Password authentication is the default method: you run a command similar to ssh myuser@myserver, and you will be prompted for the password of the user myuser on myserver. Pretty straightforward. The only real weakness here is the password: it may not be secure enough, and it can always be brute-forced.
There are a few methods to improve the security of an SSH server. One might be to limit the number of failed attempts anyone is allowed to have at guessing the correct password before being blocked. Another might be to limit the number of connections per minute anyone is allowed to make.
But the most secure option seems to be using SSH key pairs. This uses a public/private key pair to validate the identity of the client. This means you can limit the clients whose requests are accepted to a predetermined whitelist, and block anyone who doesn’t pass the ID check.
Here’s how to set up SSH keys on your client machine:
1. Check if you already have SSH keys: run cat ~/.ssh/id_rsa.pub. If this outputs something like ssh-rsa <lots-of-random-characters>== your.email@example.com, then you already have SSH keys generated, so you can skip to step 5. You can, if you want, generate a new pair, but that will replace the old ones, so make sure you're not using them! If cat complains that it cannot find the file, it means you don't have any SSH keys yet – proceed with step 2.
2. Run the command ssh-keygen -t rsa -C "your.email@example.com" -b 4096. This will generate a new 4096-bit SSH key pair.
3. You will be prompted to enter a location at which to store the keys. The default is /home/your_username/.ssh/id_rsa for the private key and ~/.ssh/id_rsa.pub for the public key. This default location is also where SSH looks for your key when connecting.
4. Enter a secure passphrase: this is optional, but recommended. It encrypts your private key on disk, so the key file alone is not enough to use it.
5. You now have two files in ~/.ssh/: id_rsa contains your private key, and id_rsa.pub contains your public key. The public key you can give to a server or service, but NEVER show the PRIVATE key to anyone! Doing so would compromise the security of this system. Better still, never even display the contents of the file ~/.ssh/id_rsa.
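Steps 1 to 5 as one repeatable script. This is an added example, not code from the original post: it checks the key directory first and only generates a pair when none exists, so it can never overwrite keys you are still using. It assumes ssh-keygen is installed, takes the key directory as its first argument (default ~/.ssh) and the e-mail comment as its second; the function names are my own.

```bash
#!/bin/sh
# Added example (not from the original post). Check for an existing RSA key
# pair and create one only when none exists. Assumptions: ssh-keygen is on
# PATH; $1 is the key directory (default ~/.ssh); $2 is the comment string.

# Report the state of the key pair in a directory:
#   absent  - neither id_rsa nor id_rsa.pub exists, so generating is safe
#   present - both files exist and the public key has the expected shape
#   broken  - one file is missing, or the public key is not a key line
# Always returns 0; callers inspect the printed word.
ssh_key_status() {
    dir=${1:-"$HOME/.ssh"}
    if [ ! -e "$dir/id_rsa" ] && [ ! -e "$dir/id_rsa.pub" ]; then
        echo absent
        return 0
    fi
    # A public key is one line: type, base64 blob, optional comment.
    if [ -f "$dir/id_rsa" ] && [ -f "$dir/id_rsa.pub" ] \
        && grep -q '^ssh-rsa [A-Za-z0-9+/=]\{1,\}\( .*\)\{0,1\}$' "$dir/id_rsa.pub"; then
        echo present
        return 0
    fi
    echo broken
    return 0
}

# Generate a key pair only if the directory holds none (steps 1-4 above).
# Refuses to touch a directory with a half-present pair.
ensure_ssh_key() {
    dir=${1:-"$HOME/.ssh"}
    comment=${2:-"your.email@example.com"}
    case $(ssh_key_status "$dir") in
        present)
            echo "Existing key pair found in $dir; nothing to do."
            ;;
        absent)
            mkdir -p "$dir" && chmod 700 "$dir"
            # Same command as step 2; ssh-keygen prompts for the passphrase (step 4).
            ssh-keygen -t rsa -b 4096 -C "$comment" -f "$dir/id_rsa"
            ;;
        *)
            echo "Refusing to overwrite: $dir holds an incomplete key pair." >&2
            return 1
            ;;
    esac
}

# Read-only demonstration: report on the real key directory without changing it.
echo "Key status in ${HOME:-.}/.ssh: $(ssh_key_status "${HOME:-.}/.ssh")"
```

Run ensure_ssh_key with no arguments to perform the actual setup; the status check alone is safe to run anywhere.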
Now that you have your SSH keys, you need to share your public key with the servers you want to connect to.
Services like GitHub or GitLab have an online interface for this, where you can paste the contents of ~/.ssh/id_rsa.pub to add a public key. A handy way of doing this is the program xclip (which you may need to install first with sudo apt install xclip):
cat ~/.ssh/id_rsa.pub | xclip -selection clipboard
This copies the contents of ~/.ssh/id_rsa.pub to your clipboard (without -selection clipboard, xclip fills only the X primary selection, which Ctrl+V does not paste), so you can then paste them into the corresponding field.
On a custom server, however, we need to add the public key to the authorized keys on the server side ourselves. To do this, we can use SSH:
cat ~/.ssh/id_rsa.pub | ssh myuser@myserver 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'
SSH will prompt you for the password of myuser, and then it will append your public key to the file /home/myuser/.ssh/authorized_keys (creating the directory and file with the permissions sshd requires if they do not exist yet). After this, you will no longer be prompted for the password when connecting to myuser@myserver!
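The server-side half of that one-liner as a standalone function. This is an added example, not the post's own code: besides appending the key it creates ~/.ssh when missing, sets the permissions sshd insists on (700 on the directory, 600 on authorized_keys), refuses anything that is not a public key line, and skips keys that are already present so repeated runs do not pile up duplicates. It assumes it runs as the target user on the server, with the key file as its first argument and the .ssh directory as an optional second; function names and the sample key are constructed.

```bash
#!/bin/sh
# Added example (not from the original post). Install one public key into
# authorized_keys the way sshd expects it. Assumptions: run as the target user;
# $1 is a file holding the public key line; $2 is the .ssh directory (default ~/.ssh).

install_authorized_key() {
    key_file=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth_keys="$ssh_dir/authorized_keys"

    # A public key is a single line; take the first non-blank one.
    key_line=$(sed -n '/[^[:space:]]/{p;q;}' "$key_file")

    # Only accept lines that start with an OpenSSH public key type. This also
    # catches the common mistake of pasting id_rsa (the private key) instead.
    case $key_line in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*|sk-*) ;;
        *) echo "refusing to install: not a public key line" >&2; return 1 ;;
    esac

    # sshd ignores authorized_keys when the directory or file is writable by
    # others, so set the permissions explicitly rather than trusting umask.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Exact, whole-line match so re-running is harmless.
    if grep -qxF -- "$key_line" "$auth_keys"; then
        echo "key already authorized"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_keys"
    echo "key installed"
}

# Number of active entries (non-blank, non-comment lines) in an authorized_keys
# file: a quick way to see how many clients the server will accept.
count_authorized_keys() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^[^#[:space:]]' "$1" || true
}

# Demonstration on a constructed key in a temporary directory; no real keys are touched.
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7constructed== alice@example.com\n' > "$demo_dir/alice.pub"
install_authorized_key "$demo_dir/alice.pub" "$demo_dir/.ssh"
install_authorized_key "$demo_dir/alice.pub" "$demo_dir/.ssh"   # second run: already authorized
echo "authorized keys: $(count_authorized_keys "$demo_dir/.ssh/authorized_keys")"
rm -rf "$demo_dir"
```

The permission checks matter in practice: a group- or world-writable ~/.ssh or authorized_keys makes sshd silently fall back to password prompts, which is the most common reason "passwordless" login does not take effect. ssh-copy-id, shipped with OpenSSH, automates these same steps from the client side.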
Disabling password access
As an added security measure, we can disable password access to the server completely. This means only clients whose public key is listed in the server's authorized_keys file will be allowed to connect. This way we rule out password brute-force attacks entirely, as an SSH key is virtually impossible to guess.
In order to do this, you must access the server (either directly or via SSH) and open the file /etc/ssh/sshd_config (e.g. with sudo nano /etc/ssh/sshd_config). Next, find the line
#PasswordAuthentication yes
and change it to
PasswordAuthentication no
Finally, restart the ssh service to apply the changes:
sudo service ssh restart
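The same edit as a repeatable function, together with the two checks worth running before the restart. This is an added example, not code from the original post. It operates on whatever file path it is given (default /etc/ssh/sshd_config), handles the commented default, an explicit "yes" and odd whitespace, appends the directive when it is missing, and reports the value sshd will actually honour. The function names are my own; the config fragment in the demonstration is constructed.

```bash
#!/bin/sh
# Added example (not from the original post). Disable PasswordAuthentication
# in an sshd_config file and check the result. Assumptions: $1 is the config
# file (default /etc/ssh/sshd_config); the directive uses its canonical
# capitalization; sshd is only called for the syntax check if it is on PATH.

# Rewrite every PasswordAuthentication line (commented or not, any indentation)
# to "PasswordAuthentication no"; append the directive if none exists.
# Running it twice leaves the file unchanged the second time.
disable_password_auth() {
    cfg=${1:-/etc/ssh/sshd_config}
    pattern='^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]'
    if grep -Eq "$pattern" "$cfg"; then
        # Write via a temp file and copy back so the original file's owner and
        # permissions are preserved (unlike mv).
        sed -E "s/$pattern.*/PasswordAuthentication no/" "$cfg" > "$cfg.tmp" \
            && cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
    else
        printf '\nPasswordAuthentication no\n' >> "$cfg"
    fi
}

# The value sshd will use. sshd takes the FIRST uncommented occurrence of a
# keyword, so that is what we print; with no occurrence the compiled-in
# default applies, which is "yes".
effective_password_auth() {
    cfg=${1:-/etc/ssh/sshd_config}
    awk 'tolower($1)=="passwordauthentication" {print $2; found=1; exit}
         END {if (!found) print "yes (default)"}' "$cfg"
}

# Syntax-check the file the way the daemon would, without restarting anything.
validate_sshd_config() {
    cfg=${1:-/etc/ssh/sshd_config}
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$cfg" && echo "sshd config OK"
    else
        echo "sshd not found on PATH; skipping syntax check" >&2
    fi
}

# Demonstration on a constructed config; the real /etc/ssh/sshd_config is untouched.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sshd_config fragment for demonstration
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication no
EOF
echo "before: $(effective_password_auth "$demo")"
disable_password_auth "$demo"
echo "after:  $(effective_password_auth "$demo")"
rm -f "$demo"
```

Two practical notes. First, keep your existing SSH session open while you apply this and test key login from a second terminal; if the key does not work, you can still revert the file from the first session. Second, on systems whose sshd_config starts with an Include /etc/ssh/sshd_config.d/*.conf line, a drop-in file there can set PasswordAuthentication yes before your edit is read, and because sshd honours the first value it sees, your change would have no effect. On the server, sudo sshd -T | grep -i passwordauthentication prints the value actually in force after all includes are resolved.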