How to Set Up Passwordless SSH Login With SSH Keys

How to Set Up Passwordless SSH Login With SSH Keys

Many novice users to Linux are surprised to learn that the most secure method to connect to another server with SSH is using keys.

We computer users have been conditioned to use passwords for everything.

It’s surprising to learn that there are methods other than passwords, but there is something better: cryptographic keys.

In this tutorial we will learn what SSH keys are and why they are better than passwords. You will learn how to set them up on your computer and how to use them to login with SSH without a password.

What are SSH keys?

Public key cryptography refers to a cryptographic system that uses key pairs.

The pair is represented with two files, one is designated as the public key file and another as the private key file.

These key pairs are generated by utilities like openssh using cryptographic algorithms. Which algorithms to use depends on user choice.

The effectiveness of the keys are based on how private and secure we keep the private key file.

The public key file can be distributed to any other computer or server or even fall into the hands of the open public internet and the security of our keys will not be compromised.

The system consists of distributing the public key to a server, the server using this key to open an SSH connection only if the computer login in has the private key pair of that public key.

When our local computer initiates a login attempt at a server, the two key files communicate and open a connection using symmetric key encryption.

This communication is encrypted and even if the internet connection is insecure, no one outside these computers can decrypt this communication.

The main security comes in the way the key pairs initiate a connection.

As opposed to using passwords where the initial login happens in an insecure manner of transmitting the password to the server, using key pairs initiates the connection in encrypted form.

Making cryptographic keys like SSH keys much better than passwords.

What are Encryption Algorithms?

The first step to using SSH keys is to generate one key pair.

First of all we have to decide which algorithm to use to generate our keys. There are a few to choose from.

There are RSA, DSA, ECDSA, and EdDSA. All of these algorithms are used for asymmetric encryption, but the way they go about working is different.

  • RSA is the gold standard of cryptographic algorithms. Originally developed in the late 1970s, it uses integer factorization, an algorithm based on the difficulty of factoring large numbers. Over the years RSA key bit lengths have grown in size making it still viable to use today.
  • DSA, the Digital Signature Algorithm was developed by the US government. It follows a similar schema to RSA but goes about working with Discrete Logarithm Problem, an algorithm based on the difficulty of computing discrete logarithms.
  • ECDSA is a new modern Digital Signature Algorithm developed by the US government based on DSA. The algorithm is based on using elliptic curves.
  • EdDSA is another algorithm using elliptic curves based on DSA but using an implementation much more secure than ECDSA. It uses the Twisted Edwards Curve and the Curve25519. Together they make the public key signature algorithm known as Ed25519.
That leaves us with RSA and Ed25519.

RSA can be used but a key size of at least 2048 bits is recommended and 4096 bits is better.

If your aim is to have the most compatibility, choosing RSA is the way to go.

Ed25519 is the most popular key encryption algorithm today used by most DevOps. Overall ed25519 is the fastest performing algorithm.

If you’re working with modern servers and newer Linux distributions, compatibility will not be an issue and thus choosing ed25519 for its speed is the way to go.

Generating SSH keys – RSA 4096 bits

Deciding on which SSH key pair algorithm to use boils down to RSA and ed25519.

RSA is the most widely implemented and supported algorithm used by most clients.

ssh-keygen -t rsa -b 4096

Here we are using a utility that is part of openssh named ssh-keygen, we invoke it to generate a key pair for us.

With the -t option we tell it which algorithm to use. In our example we chose the RSA algorithm.

With the -b option we specify the number of bits in the key to create. In our example we chose a 4096 bits key.

After inputting the command it asks us for the name of the key. We can give it any name but if we leave empty like we did it gives it the default name.

Then it asks us for a passphrase.

If we list the files in our system user .ssh directory where all of our SSH files are placed in, we see two files were created.

word image

There is a file named id_rsa and another one named id_rsa.pub.

The Public Key (.pub File)

The id_rsa.pub file contains the public key of our key pair. If we print the content of this file we can see its format.

word image 1

The content starts with ssh-rsa that indicates that it’s a RSA key following a long string of characters that make up the public key.

At the end it follows the system user and system hostname of the computer that generated the keys. The last part, the user and hostname, is just for identification purposes and can be altered without affecting the key function.

Checking the SSH Key Fingerprint

The SSH key fingerprint can be checked with the following command.

ssh-keygen -l -f ./id_rsa.pub

Make sure to input the -l option to indicate that we want to show the fingerprint of the key file and not generate a new one.

It will print the bit size of the key, followed by the key fingerprint, the system user and hostname and type of algorithm used.

This is how we check what type of keys we have on our system.

word image 2

The Private Key

The other file created was the id_rsa file.

This here is the most important file that you must guard.

It shows a file with a long string of characters created with the RSA algorithm.

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBScuqX1a
euFTqDqC34sHwWAAAAEAAAAAEAAAIXAAAAB3NzaC1yc2EAAAADAQABAAACAQDf4lXBSopk
r3qclD09t6HlEB7n7dxDyBQkpoLtJxVL1+BT0CiZ+J3uzarZT6rQXU5Dq/aPSp4D7YrFK9
9+GnrQMp67MQnFUjLiZ3T4pXkhBzUsBC0uiFfMwf9i/diBoTUKtXgYsKjb9KOLzw97cGFi
sRv8Z9BLVfB60og5hjSM2ih4eioG1Yrxpxyb7dFywPWpnYr/zg1Gqlo1MaBrb0MrUCSyrD
9XPRBanQaafw0WshmAK0svNR8l8cmsX21gjE4rjzzImQeUe1P/wPt0poABV3JTNa+dal6+
TtByyYqyIh81aOK17A66SHHKBfpJu1A/JU5CM//lMJAW+RYKVI4fDaPezR/aIsq4u8ujVe
xasfEV0RkyV9KJFmziSAedXo5D1UXZ6lgumODUJdCjiSxKBe8Brl6zq19DmA4v4+6P3FLM
w/17lNcqf5+JxLhSqArqEc2NakTmvqcLgZ8KysSNAXwDOilOB3q1VZfIaEupXb8uF1qbi0
rjLHqyZFYjCYw4emcZWYO7UkDLdKuGeXrA1BFI/xHL/8xEI1gbUXTUwijXxzCFf8BPnlm+
Qu5Jyj6YFCuDA/8ufyONVO5vfAW8V9qgTWaif/6S+6ShH6wFrPEjy0R9q+D5gG79j5NcUK
BEsmn8xtzsibmNQtmeaGsGIlK3bJrecS/rr+F0ilW+EwAAB0CcxkWaYUJkOBDKgId4UWWW
v2jhlymC/mpijyoy2jbxcW2GYIqEr8+YDrEB3FzGNFq5nOlgkqYELM5Vdeg1NxoDF5amOu
2kF15Bu0mUSjtXJyYmpTk8yUVJp601OzLWhhT6GDIx/PGD/DqwpMyqJV1hDSv8ENrnHbtf
sUXRA1qIzNv5Dct2AnEM2h0jTAEH4NSFYz8f5+w65fNkfUQh2GA6Ka/tjvhrE9/81I4HNh
x3b/g3yse82tYDvvzjPqL+3qASjuwkTl24vL92RzEga2GoJ6YvgCWYyPCfgK5nswKIMi6Y
hgIjV0+6VkvBgl/vF4jIv+RppoRTBt5zkzSfETw3gbTfMYUpnYksrqzjPZY2+mdvB0wq+T
CBmA4ToST0bVv7WP+OzhHf72ZfNsgBhUh6qK4CZl9iyrwuuGIObW78yV4GqrEoD0lRijkZ
kDZAlx0X3wfj7Ex20QgMAd1sFMDCfpdJeuNnOBd9lXHkLkNTnycHRPBz0oU29Kuj1tx+Cl
EfDNAL/Y7+ZU0HOBbsUoPABOG7K2hlryzeyyVpey8B9Z1WX04vBXmL6nZOsydxHgcYgnpp
xuGfjEWe0I9iDYZGbFT2ulM0ZeF1Q6fa57jEioSyFwOTvTHIMcZUVss7T5k+PetAQDKxRU
bsnAdnN8zl5LcXl0gCI1pwNxlQDcDLDL0eIX13KvtmpHe/IbwxoW8rKBWU3KFlT9zxgVwb
AZfNRkKp17pUNCipSya6eaUUrLES3AsSwLAdtgK30U0i73mzWyw8i+TNYFarJctun2ccf4
RcOmqlroa2fkVbH0iHlHXLoa0h18yQhYI7NBUPKSQULi0bRyUpMtnxwoceTP8rvEIyM5W7
XAOPnEkTplpK48HzszkCi+IdNqkDb2r7QhUKm3XeLlGuOBCQuhr2ovB/Z59kJ5821n2L9G
GFp2kMIF1uir8D81SxrAmwshT0sdYZ+m0z5QLu9IHRcLwUdZxKjScp3xUEtudrJePwKDWi
YysUJWjssSuowvvNI5KmBJjT9Mjx73ZOyOH1sKESGxM7ZBytp+JNpCm3VlUzKGy+0gxE5x
S7N7nstM4dcI4tasTC1z5v2tOBgrQXKHoInYRPWPTahVKqumC3i9DMalWDIxS4R9IOEpEf
wrf0wDSG/gRZ23R+rZOyW3McmV4OA6dDQu/o4TfIEuv9xUYWG0mOPni6GSm5pEV0ijyaH4
lPDjhIiW73zBDe28hALiXcHbrFBjLal7OWjMkPkYHxSsd7UVhbUANVbs2AEXcPcTPNAyrP
La9nxEOPik++gHEgM/Hhnld42BaI8h0RsNmdwLH86EtkhbewKUvV5jiYtFIFylFLAzYwCt
FvCcVmZoh5fWWJ/6IuM7forWUVC7g1KKbw6RCBLd3zvMy8ZB1tE569EzoY3BpawkzuvMyw
G8w+BycCkXujSDAzliZnPxHvL6g8MJFcqm9VAPKsiFIkkm/kziUDlF6c+UaEEYkTgQt8AD
ZMloc1iooq9XgR8hKWILJaqAdTt+s9HHfvCScwOLjuJo6I8Zp1NjcUd8EShkKrgvNu7iLW
bS5eV2xztKzBH3i5MbJvSCe1Q57rawgk14AKw5Be6/eCzL6NLNmEUZICkCE2SbMN7lXpSg
AddNi+C5+c76/2CpAQEhYWdnq7p5Js/N2VrzT7ZIcsloVb/ATiY/gugVSXC8wTS8R8NjFg
sG+IV11rhcYX/LQAxv55xZVfzi3jdzJZPZC6u1w1b4bNFY5kyXWplJxE4BfpKkQKrdVfiY
xqW477AGW9JH7OtDky5984x8ESVB8pvREDPDvdaVxtnmbl5KwVxUUcnGseNWw9a05sI9bq
M0C4oMqMIrP4sk5bayG8i2tH0ZHi9rULrKNuXT1RKBaXM8aOSKL83lcuAokU/FkEg1nHAF
oIy/VAhrK1dQbjcMWueGmT3LkCeeGvJeW4XFe8eTWt9ZhdcEswKREnVeImO2Vz9+rS1FVK
WBTX/3k2qGx7lVarcxaW+z4Sj6Qln3WqCsYooFkxZqPzE4jn+x0Q5PXBZ4HCLZMPUD7vdf
5K4u0P7T0w4fDj2CAUd6s/IdKiGx5AeeKJYmV+Tiqub6D6Q2o1hKSEEQVFNT/t5JNzXNYs
LIfWzx0MY2vsPf3mU7rguJz7Q8JEQksDkBw04CQApusPvGhgthUnf2qEL7qH3//rCFrrKM
5XNAv2djMeWhgHMzhJz1dujZPNqFATSXLD3C3+t/idj310HiKERCLyQJn4MOJ/15KMrE4p
ek0AwLvZnA0OahqCw+L8CF1+vNFuW7OZ9NcbBCwhj5PZLvf/GKYCmBqQdOmY0RzMbva/2H
IOPIUPyv4e/A4j6g50jH1Vno4UwmXaQVJVK0ie4CR+RjcgEUWqMUWrju4CD2fFjIfGkj5v
J2/DgbUcyQp14tuVccvLsaiBBjy8eJF1kw8FS/KK5oppAz2eOohWMZHX2edNlNL7HkP8Jy
C3hQ==
-----END OPENSSH PRIVATE KEY-----

 

I will stress one more time that you must never publicly share your private key.

The public key is fine to spread around on servers and if it were to leak publicly online there wouldn’t be a problem.

But if your private key gets leaked online it is considered unsafe, and it’s time to generate a new one and update all of the servers as fast as possible.

Generating SSH keys – ed25519

Talking about generating keys, let’s create another one.

This time let’s create an ed25519 key. For most part this is the most recommended key algorithm to use nowadays.

Unless you have specific needs to access legacy systems where openssh hasn’t been updated in a long time, using the ed25519 algorithm is the way to go.

ssh-keygen -t ed25519

Again the process is identical like when we created our RSA key:

  • It asks us for a key name, we left it empty to use the default one, which will be id_rsa for the private key, and id_rsa.pub for the public key.
  • It asks us for a passphrase and we give it one.

word image 3

In the above demonstration by listing we can see the two new files created in our .ssh directory, id_ed25519 and id_ed25519.pub. With the ssh-keygen utility we can verify its fingerprint and the type of key it is.

word image 4

Quick Note on RSA 4096 vs. Ed25519

Furthermore we discover something interesting about the ed25519 keys.

word image 5

By printing the content of the ed25519.pub public key file we notice that the key size is a lot smaller. Compare below the two public keys.

Ed25519
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINokoj43W40RhLRIhYJqM350sUI8LA6ElCmb9V+BPJ3d [email protected]
RSA 4096
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDf4lXBSopkr3qclD09t6HlEB7n7dxDyBQkpoLtJxVL1+BT0CiZ+J3uzarZT6rQXU5Dq/aPSp4D7YrFK99+GnrQMp67MQnFUjLiZ3T4pXkhBzUsBC0uiFfMwf9i/diBoTUKtXgYsKjb9KOLzw97cGFisRv8Z9BLVfB60og5hjSM2ih4eioG1Yrxpxyb7dFywPWpnYr/zg1Gqlo1MaBrb0MrUCSyrD9XPRBanQaafw0WshmAK0svNR8l8cmsX21gjE4rjzzImQeUe1P/wPt0poABV3JTNa+dal6+TtByyYqyIh81aOK17A66SHHKBfpJu1A/JU5CM//lMJAW+RYKVI4fDaPezR/aIsq4u8ujVexasfEV0RkyV9KJFmziSAedXo5D1UXZ6lgumODUJdCjiSxKBe8Brl6zq19DmA4v4+6P3FLMw/17lNcqf5+JxLhSqArqEc2NakTmvqcLgZ8KysSNAXwDOilOB3q1VZfIaEupXb8uF1qbi0rjLHqyZFYjCYw4emcZWYO7UkDLdKuGeXrA1BFI/xHL/8xEI1gbUXTUwijXxzCFf8BPnlm+Qu5Jyj6YFCuDA/8ufyONVO5vfAW8V9qgTWaif/6S+6ShH6wFrPEjy0R9q+D5gG79j5NcUKBEsmn8xtzsibmNQtmeaGsGIlK3bJrecS/rr+F0ilW+Ew== [email protected]

The ed25519 public key is a lot smaller.

And we saw before how big the RSA private key was, compared with the size of the ed25519 private key.

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABCt58afYM
JKRWUwL7fdrlI6AAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAINokoj43W40RhLRI
hYJqM350sUI8LA6ElCmb9V+BPJ3dAAAAkDI/41TSWGfbcd+KIpGZ4P6zxOAdXQxQYnVqdF
SBVMJL2ODAssd4pY7AvihYLqc+D+IXusH/dFNtm2eX33bd8STIK8p6Vlm/ktmplxL67gxt
jrR9dcer/q2I4NCW7dZZxx4/Xefj90dMEmEQmEBpLZybs3G+pFeFkgz6Oz5IJc846+FwzA
CQeDewz/r/dWE5ww==
-----END OPENSSH PRIVATE KEY-----

Setting up Passwordless SSH Login

Now that we have two sets of SSH keys, using two different algorithms, we can start using them on our servers. The next thing to do is to copy the public key (id_rsa.pub, or whatever you named your .pub key) to the server.

With another openssh utility named ssh-copy-id we’ll copy our public key to the root system user at the server 178.62.251.218.

ssh-copy-id is a command for copying your public key to a remote server. It is a helper command used to copy the local user’s public key to a remote server’s authorized_keys file.

It will append your public key to the remote server’s ~/.ssh/authorized_keys file. authorized_keys is a file in the .ssh directory of the user’s home directory on the server that lists the public keys that can be used for logging into the user’s account.

ssh-copy-id [email protected]

It asked us what was the password of the root user so the utility could login and install the public key on the root system user’s authorized_keys file on the server.

If we wanted to copy only one of the keys we specify which one with the -i option providing the location of the public key file of the key pair we want to add.

ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]

Login Using Your SSH Keys

Now that our public keys are copied to the server we can connect to them using a simple ssh login.

ssh [email protected]

This time we are logging in to our server with the root user but this time it’s not asking us for the server user’s password.

It simply let us through because both machines, the server and our computer established a cryptographic symmetric connection.

And like that we login to SSH passwordless.

It’s important to note that we also set up a passphrase for our SSH keys, but we weren’t asked to enter it.

The default behavior when connecting with keys is for the ssh utility to ask us for the passphrase of the key on every use.

While our example didn’t ask us for it, that is because there are lots of utilities throughout all the Linux distributions that can handle the ssh keys login passphrase for us.

There are too many distributions and utilities that handle this behavior that it’s too many to go one by one.

Some people are against using this type of utilities but in general it’s considered a good balance to secure the key with a passphrase and unlock it automatically when login into our computers.

That way if the computer gets lost or stolen the keys won’t be compromised as long as the computer user is set up with a password.

Passwordless SSH Login In The SSH Config File

There’s an even easier way for us to login to our servers using our passphrase unlocked keys.

If we add our server connection info in an stanza with this format in the SSH config file:

Host larrycurlymoe
HostName 178.62.251.218
Port 22
User root
IdentityFile ~/.ssh/id_rsa

We can direct ssh to use this connection information by invoking the connection with the Host portion.

ssh larrycurlymoe

See how easy it was to login to our server? Simply invoking it with the Host nickname we gave it in the config file let us login automatically.

Conclusion

This setup we saw in the last demonstration is beautiful because we are using a highly secure method to connect to our servers in an easy convenient manner.

We are using the cryptographic keys to establish an encrypted connection.

We are using a passphrase to secure our keys on our machine. The passphrase is unlocked when we login to our computer’s user. And we are using the SSH config file to nickname our connections to make our admin life easier.

This method is the highly secure way most of the professional system administrators login and manage their server fleet.

While at the enterprise level there are even more secure and audited methods, the way demonstrated here in this tutorial can be considered good enough for production use. So start using SSH keys and start forgetting about passwords.

0 Shares:
Subscribe
Notify of
guest
Receive notifications when your comment receives a reply. (Optional)
Your username will link to your website. (Optional)
1 Comment
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Martin
Martin
13 days ago

Mercí!

You May Also Like