How to SSH without password
This simple tutorial explains how to SSH to a remote machine without typing your password. You can use this technique if you find yourself logging in to the same machine frequently and find typing your password tedious. It is also useful when you have a script that needs to pull some files from a remote machine or perform a task on a remote machine via SSH, and you want to run this script automatically without a human having to type a password.
These instructions work on Linux and Mac. You can achieve the same result on Windows using PuTTY, but I haven’t documented the PuTTY-specific instructions here.
Goal: to log in from the local machine to the remote server via SSH without typing a password
Step 1 of 2 : On local machine: Generate Authentication Keys
Authentication keys are a pair of private and public keys. The public key is like your login. Unlike a conventional login name, the public key is 2-3 lines long and looks like gibberish. Don’t worry, you never have to type it manually. Your private key is like your password, but much longer than a regular password. You can generate your public and private keys by typing the following command:
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/vineetmanohar/.ssh/id_rsa):
Accept the default choice. Hit enter.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Hit enter twice. A passphrase encrypts your private key so that no one can see it. However, you should NOT encrypt your private key if you want a password-less login. Without a passphrase, anyone who can read your id_rsa file can log in as you, so keep that file readable only by your own account.
The key fingerprint is:
5e:26:52:34:a1:22:18:68:11:11:7d:8d:c6:d5:4b:bf vineetmanohar@vineetmanohr.com
What just happened?
On your local machine you just created 2 files in your ~/.ssh directory.
cd ~/.ssh
ls -l
-rw------- 1 vineetmanohar vineetmanohar 1675 2009-07-17 17:27 id_rsa
-rw-r--r-- 1 vineetmanohar vineetmanohar 411 2009-07-17 17:27 id_rsa.pub
id_rsa contains your private key. id_rsa.pub contains your public key.
Step 2 of 2 : On remote machine: authorize password-less login
Log in to the remote machine:
ssh hostname -l username
The authenticity of host 'vineetmanohar.com (XXX.XXX.XXX.XX)' can't be established.
RSA key fingerprint is 44.2b:93:ce:1b:1b:99:3a:6d:91:d1:50:aa:0d:87:40.
Are you sure you want to continue connecting (yes/no)?
Type yes and hit enter.
Warning: Permanently added 'vineetmanohar.com,XXX.XXX.XXX.XX' (RSA) to the list of known hosts.
username@vineetmanohar.com's password:
Enter your password, and hit enter.
Create a .ssh directory on the remote machine and create an authorized_keys file in that directory. You need to copy the entire contents of your local machine’s ‘id_rsa.pub’ and paste it into the authorized_keys file on the remote server.
mkdir -p .ssh
chmod 700 .ssh
cd .ssh
touch authorized_keys
chmod 600 authorized_keys
vi authorized_keys
# copy-paste the entire contents of your local machine's ~/.ssh/id_rsa.pub file in authorized_keys
# logout
exit
Important: Make sure you have the right permissions for the .ssh directory and the authorized_keys file, as shown in the chmod commands above; otherwise SSH will not honor your authorized_keys.
You should now be able to login to the remote server without typing your password.
# type this command from your local machine
ssh hostname -l username
SSH should log you in without a password! Now, you can also scp or rsync (over ssh) without having to enter your password.
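The permission requirements above, as a check you can run (an added example, not part of the original tutorial). It goes beyond the two chmod commands in Step 2: it also checks the home directory, which sshd's StrictModes setting (on by default) requires not to be writable by group or others, and the client's private key. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit the permissions that key-based login depends on.
# Usage: audit_ssh_perms "$HOME"  (prints one line per problem, returns 1 if any)

# Succeeds when group or others can write to the path (mode & 022 != 0).
group_or_other_writable() {
    mode=$(ls -ld -- "$1" | cut -c1-10)   # e.g. drwxrwx---
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Succeeds when group or others have any access at all (mode & 077 != 0).
group_or_other_access() {
    mode=$(ls -ld -- "$1" | cut -c1-10)
    case "$mode" in
        ????------) return 1 ;;
    esac
    return 0
}

audit_ssh_perms() {
    home=$1
    rc=0
    # Server side: with StrictModes, sshd ignores authorized_keys when any
    # of these paths is writable by group or others.
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$path" ] || continue
        if group_or_other_writable "$path"; then
            echo "too open (group/other writable): $path"
            rc=1
        fi
    done
    # Client side: ssh refuses a private key that group or others can access.
    key="$home/.ssh/id_rsa"
    if [ -e "$key" ] && group_or_other_access "$key"; then
        echo "private key accessible by group/other: $key"
        rc=1
    fi
    return "$rc"
}
```

Run it on the remote server when login still prompts for a password, and on the local machine to confirm the private key is owner-only.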
Nice timing, I was just wondering if there was a way. You should add ‘scp’ as a keyword
You can try this tutorial at Arul’s website, it’s somewhat easier and I use it always.
The most common problem setting up the password free ssh is getting the permissions of .ssh directory and authorized_keys file right (see the last section above).
Mark, the tutorial that you are referring to above is simple, however it misses those important steps. I have personally wasted a lot of time debugging situations where ssh asked me for password because the permissions were wrong. Please make sure that the permissions on the remote server are correct to avoid unnecessary debugging.
useful and well organized.
I came across this while searching for a way to SSH without a pass between several SUSE stations which SHARE THE SAME $HOME. (the same mount point). I’m using OpenSSH_4.2p1, OpenSSL 0.9.8a
Unfortunately this procedure failed to solve my issue (nor the one found here: http://www.unix.com/sun-solaris/45763-ssh-shared-mount-point.html)
thanks
Hi Mircea, what error do you get?
Basically no errors but always prompted for the password.
Meanwhile (actually after 2 days of hitting my head on the wall) I have had someone fix this, I quote him: “The main fault was the home too open …. Rwxrwxrwx for home and for .ssh is considered tampered home and ssh will refuse to load .ssh/* files”
Remember to do the following on the server side:
chmod 700 .ssh
chmod 640 .ssh/*
Thanks bro!
Worked a charm between macosx and linux
you saved my life, thanks a lot from Peru.
This was exactly my problem too ->
Basically no errors but always prompted for the password.
Meanwhile (actually after 2 days of hitting my head on the wall) I have had someone fix this, I quote him: “The main fault was the home too open …. Rwxrwxrwx for home and for .ssh is considered tampered home and ssh will refuse to load .ssh/* files”
I just chmod 755 root and it finally worked.
I was googling how to set up SSH without keying in a password. At last your tutorial succeeded in my SSH testing. Thanks so much
Interesting, I have never ever been able to get this to work. No matter what I change the permissions to, or if I use rsa, or dsa. Forgive me for asking but does this not also depend on the sshd config file on the server being set correctly, otherwise I don’t understand how it would work.
Works as advertised. Nice job.
Thanks Vineet,
It works for me!
Thanks for posting this. It’s a very clear and concise tutorial.
In “Create a .ssh directory on the remote machine and create a .authorized_keys file in that directory. You need to copy the entire contents of your local machine’s ‘id_rsa.pub’ and paste it in the .authorized_keys file on the remote server.” and “Important: Make sure you have the right permissions for .ssh directory and .authorized_keys file, as shown in chmod command above otherwise SSH will not honor your authorized_keys.”…did you mean to say “authorized_keys” and not “.authorized_keys?”
Thanks for the comment. Yes, I meant “authorized_keys” and not “.authorized_keys?”
If the system is hardened, will this still work?
What do you mean by “system is hardened”?
Hi,
I have tried to follow the steps and I have saved the public key for rsa and dsa on both the servers; when I try to do an ssh from one server to another server it’s asking me for a password.
Note both the servers are in a work group; they are not part of the same domain.
Second, I have put the entry for the server in the host file but still when I do an ssh it’s asking me for a password or I get no route to the host;
What can be done to fix the issue? If anyone could help me with this…
Hi, it’s asking me for the password. I have changed the permission of the file from 644 to 777; still the issue persists. I have also tried 755. What else can be done? Could anyone help me with this?
@Taiyeb Please confirm the following:
1) You have copied the contents of your public RSA key to your remote authorized_keys file.
2) Your authorized_key directory has permission “600”
3) Your .ssh directory has permission “700”
If this doesn’t work, try starting from scratch by removing your local and remote .ssh directory.
Hi friends,
Please check the permissions of the home dir. Don’t give write permission to group and other.
Just wanted to thank, hours hitting my head on the wall jeje…from one server worked and from the other one not…both identical. Googling and googling…all the permissions in .ssh/ were right.
Then I entered to this…home too open??? One of my homes was 700 and the other was 770 (the one that did not work)…modified the 770 for 700 and solved. Thank you very much. Manuel
Thank you for the help. I’d been looking for hours trying to figure out why SSH was still prompting for a password until I found this page. My error was “home too open” as well. I set the .ssh and file permissions as specified but $HOME allowed write at the group level. Backed that off so write permission was for owner only on $HOME and, voila, no more prompt.
thanks .. very easy to setup
Hi!
For years, this article has been my reference whenever I’ve got to configure ‘ssh without password’.
Thanks for that.
I think there is a small error in: ‘ [...] remote machine and create a .authorized_keys file in that directory [...]‘. The ‘.authorized_keys’ should probably be ‘authorized_keys’
You can avoid using vi(m), if you use:
cat id_rsa.pub.somuser_somhost >> authorized_keys
instead
All the best, Armin
Armin, thanks for your feedback. I’ve fixed the mistake.
Hi All,
I am having an issue in SSH while connecting from Unix to Windows… (I don’t have any issue in connecting from Windows to Unix). I have done the changes in SSH_COnfig and SSHD_Config files, some of the parameters if I have changed it gives me permission denied. Can someone please help me on this issue..
Hi vineet ,
These instructions will work on AIX, if so could you please document result on Windows using PuTTY.
Hi Vineet,
Thank you for your effort to help all of us. Also I would like to thank Mircea for the comment that helped me resolve my issue. SSH stops working after server rebuild. The reason is that we leave home directory “WIDE OPEN”.
I followed your instructions, but it doesn’t work :(
Hi,
I tried the same steps mentioned above; it doesn’t work,
Can you double check the file permissions of .ssh directory and authorized_keys on the remote server (see article). This is the most common cause when it doesn’t work.
Does rlogin or rsh work on Mac OS 10.6.3 or later? Is there any way to connect to a Mac OS machine with rsh or rlogin?
Thanks a lot.
rsh, telnet and rlogin are disabled by default on Mac OS. ssh is the standard way to connect to Mac OS since 10.0.1.
If you have a specific need it can be re-enabled, follow the instructions here: http://support.apple.com/kb/TA20443
Thanks for the reply. I already went through the link you sent before, but on the Mac OS machine, there is no /etc/inetd.conf file. Can I just create a new one?
Thanks again.
Not sure, but I would try creating /etc/inetd.conf and see if that works. You might have to sudo to do that.
I followed the steps provided on this page and things didn’t work. I’ve looked around at other sites, and one commented on /etc/ssh/ssh_config file needing the line:
IdentityFile ~/.ssh/id_rsa
to be added. So it appears there is a way for system administrators to disable this functionality. It may also have something to do with the sshd_config file in the same directory.
I’ve been through this tutorial and a few others out there and I simply can’t get it to work. I have started from scratch by removing my local and .ssh directory. I have done the chmod steps and no matter what I do I get asked for my password. Both the local and server are running OpenSSH 5.8 and 5.9 respectively. Please let me know if you can help me. Thanks so much for your time.
(Not mentioned in the post) You should chmod the server’s home directory as well (in addition to the ~/.ssh directory).
ssh user@host (enter password)
chmod 700 ~
If your server’s home directory is “too open” then ssh will not honor the authorized keys.
I removed my user directory again and restarted. I did every step above as well as chmod 700 ~. Is there anything else I can check or do? I’ve configured the sshd_config file. Is there any way to generate a new sshd_config file? Maybe I screwed something up in there. Here is the output for ls -l in my .ssh directory:
$ ls -l
total 6
-rw------- 1 Bad Ass None 410 Nov 9 09:37 authorized_keys
-rwxr-xr-x 1 Bad Ass None 1679 Nov 8 15:58 id_rsa
-rwxr-xr-x 1 Bad Ass None 410 Nov 8 15:58 id_rsa.pub
Bad Ass@ROBSCOMPUTER ~/.ssh$
For some reason when I ls -l from the root I cannot see the .ssh directory to give you that output, possibly the problem? Also I’m not sure how to show the permissions for the root after I did the chmod 700 ~.
Again thanks for your help, I’ve been driving myself crazy trying to get it to work, 2 days literally.
The reason you can’t see the .ssh directory is because directory names starting with “.” are hidden. To see it you need to use the “-a” flag:
cd ~
ls -al
Anyway, can you run a few more commands and paste the output:
1) On the server side:
ls -ald ~/
ls -ald ~/.ssh
2) On the client side:
ls -ald ~/
ls -ald ~/.ssh
1) On the server side:
Bad Ass@ROBSCOMPUTER ~
$ ls -ald ~/
drwx------+ 1 Bad Ass None 0 Nov 9 10:17 /home/Bad Ass/
Bad Ass@ROBSCOMPUTER ~
$ ls -ald ~/.ssh
drwx------+ 1 Bad Ass None 0 Nov 9 09:36 /home/Bad Ass/.ssh
2) On the client side:
ls -ald ~/
drwxr-xr-x 9 mobile mobile 374 Nov 5 11:41 /var/mobile/
ls -ald ~/.ssh
drwx------ 2 mobile mobile 170 Nov 6 16:36 /var/mobile/.ssh/
I didn’t see any obvious issues with the above.
Can you send a few more things:
1) Output of the following, on the client side:
ls -al ~/.ssh
whoami
2) Output of the following, on the server side:
whoami
3) What is the exact ssh command you are using to login? Just trying to confirm if the username on the server side matches correctly?
1.
ls -al ~/.ssh
drwx------ 2 mobile mobile 170 Nov 6 16:36 ./
drwxr-xr-x 9 mobile mobile 474 Nov 5 11:41 ../
-rw------- 1 mobile mobile 1679 Nov 8 15:26 id_rsa
-rw-r--r-- 1 mobile mobile 410 Nov 8 15:26 id_rsa.pub
-rw-r--r-- 1 mobile mobile 442 Nov 5 11:42 known_hosts
whoami – mobile
2
Bad Ass
ssh -p 2008 "Bad Ass"@XX.XXX.XXX.XX
Any other thoughts for my sanity’s sake…I’ve been working on this forever, I just can’t figure out what I did wrong.
Rob, I don’t see anything obviously wrong. So let’s try to debug this further…
1) Try the “-v” option on the client side.
ssh -p 2008 "Bad Ass"@XX.XXX.XXX.XX -v
Do you see anything interesting here… if possible can you paste the output.
2) On the server side, see the output in the /var/log/secure file.
tail -f /var/log/secure
Anything interesting there?
3) On the server side, can you take a look at /etc/ssh/ssh_config file. I looked at my file and it is almost empty, with just a few lines:
Host *
GSSAPIAuthentication yes
ForwardX11Trusted yes
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL
Can you paste the content of yours, especially if you see any interesting lines.
4) On the server side, try running the sshd server in the debug mode. See “man sshd”, the “-d” option:
-d Debug mode. The server sends verbose debug output to the system log, and does not put itself in the background. The server also will not fork and will only process one connection. This option is only intended for debugging for the server. Multiple -d options increase the debugging level. Maximum is 3.
Hope one or more of the above helps.
Thanks, I’ll work on those.
Vineet,
I got it working! I had to change a line in the sshd_config file. It wasn’t looking in the correct location for the authorized_keys file. I had “~/.ssh/authorized_keys”, I replaced it with “/home/%u/.ssh/authorized_keys” and it worked. Thank you for your time.