Using a public/private key pair for auto SSH login

forgot-password

In this post we cover how using a public/private key pair for SSH, you can enable automatic login to remote machines and (if you use a passphrase protected private key) you can improve the security of your communications.

Reading time:
3 min

Overview

To allow auto login (no password) to other machines and still maintain the security of your ssh communications, you can use a public/private key pair where (ideally) the private key is passphrase protected. Note that if you don't use a passphrase you're weakening the security, so we recommend you always protect the private key with a passphrase.

Creating a public/private key pair

To create a key pair run the following command on the client:

ssh-keygen -t rsa -b 2048 -C "Your comment for the public key"

The image below shows the series of prompts you'll be presented with:

The key pair get generated into the .ssh directory in your home directory (if the .ssh directory does not exist, ssh-keygen will create it).

In the example above, id_rsa (the passphrase protected private key) and id_rsa.pub (the public key) are created and placed in the .ssh directory. The -t tells ssh-keygen which type of key to generate, in this case, we've generated an RSA key. See below for a brief discussion of the available key types. The -b 2048 is used to set the key size in bits. The -C is used to add a comment which is used purly for informational purposes (that is to help distinguish between different public keys).

The randomart produced is just a way for humans to visually compare keys. If VisualHostKey in /etc/ssh/ssh_config is set to "yes" the randomart of the remote key is displayed when you login.

Note that you'll be prompted to enter the file in which to save the key, if this is your first key, just hit return to call it the default name of id_rsa , otherwise use a new name. You'll also be prompted to enter a passphrase. We recommend that you do use a passphrase, as it adds an extra level of security by helping to prevent unauthorized usage. If you choose not to use a passphrase, just hit return twice.

After generating a private key, you'll need to add the private key to the authentication agent using (you'll be prompted for the passphrase - if you used one):

ssh-add

Note if you've not used the default key file name, you'll have to specify that when you call ssh-add for example:

ssh-add my_private_key

And remember, keep the private key private!

Now you'll need to copy the public key to the server (use your own server's IP address in place of 192.168.0.7):

ssh 192.168.0.7 "echo $(cat /home/tutonics/.ssh/id_rsa.pub) >> ~/.ssh/authorized_keys"

You will be prompted for the users password, but from then on no password will be required for that user. Note that the double >> is important, if you use a single you'll overwrite any existing keys on the server!

Also, note that if you reboot, you'll have to re-enter the passphrase to "unlock" the private key. In some cases for example if you're using keys for a script to auto login and won't have the opportunity to enter a passphrase if there's a reboot, it may be more practical to use use no passphrase, but just bear in mind that removing the passphrase weakens security.

Changing the passphrase

To change the passphrase, use:

ssh-keygen -p

You'll be prompted to enter the location of the private key file and the old (if you used one) and new passphrases.

To remove the need for a passphrase, just hit return twice when prompted for the new passphrase.

RSA vs DSA

When creating a the key pair, the type of key generated is specified using the -t option. The options are rsa1, dsa, ecdsa, and rsa (for rsa protocol version 2). We used RSA because of the larger key length (dsa must be 1024). It's also the default, so if you omit the -t option, RSA gets used.

Thank you for reading this article.
Please share if you liked it.