How to Set Up Passwordless SSH Login
Secure Shell (SSH) is a cryptographic network protocol used for secure connections between a client and a server, and it supports various authentication mechanisms. The two most popular mechanisms are password-based authentication and public-key-based authentication.
In this tutorial, we will show you how to set up SSH key-based authentication as well as how to connect to your Linux server without entering a password.
Set Up SSH Passwordless Login
To set up a passwordless SSH login in Linux, all you need to do is generate a public authentication key and append it to the remote host's ~/.ssh/authorized_keys file.
The following steps will describe the process for configuring passwordless SSH login:
Check for existing SSH key pair.
Before generating a new SSH key pair first check if you already have an SSH key on your client machine because you don’t want to overwrite your existing keys.
Run the following ls command to see if existing SSH keys are present:
ls -al ~/.ssh/id_*.pub
If there are existing keys, you can either use those and skip the next step or back up the old keys and generate a new one.
If you see No such file or directory or no matches found, it means that you do not have an SSH key and you can proceed with the next step and generate a new one.
Generate a new SSH key pair.
The following command will generate a new 4096-bit SSH key pair with your email address as a comment:
ssh-keygen -t rsa -b 4096 -C "your_email@domain.com"
Press Enter to accept the default file location and file name:
Enter file in which to save the key (/home/yourusername/.ssh/id_rsa):
Next, the ssh-keygen tool will ask you to type a secure passphrase. Whether to use a passphrase is up to you; if you choose to use one, you get an extra layer of security, since the private key file is then stored encrypted on disk. In most cases, developers and system administrators use SSH without a passphrase because passphrase-less keys are useful for fully automated processes. If you don't want to use a passphrase, just press Enter.
Enter passphrase (empty for no passphrase):
The whole interaction looks like this:
[image: the ssh-keygen interaction]
To be sure that the SSH keys are generated you can list your new private and public keys with:
ls ~/.ssh/id_*
/home/yourusername/.ssh/id_rsa /home/yourusername/.ssh/id_rsa.pub
Copy the public key
Now that you have generated an SSH key pair, you need to copy the public key to the server you want to manage in order to log in to it without a password.
The easiest way to copy your public key to your server is to use a command called ssh-copy-id. On your local machine terminal type:
ssh-copy-id remote_username@server_ip_address
You will be prompted to enter the remote_username password:
remote_username@server_ip_address's password:
Once the user is authenticated, the public key will be appended to the remote user's authorized_keys file and the connection will be closed.
If for some reason the ssh-copy-id utility is not available on your local computer, you can use the following command to copy the public key:
cat ~/.ssh/id_rsa.pub | ssh remote_username@server_ip_address "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
Log in to your server using SSH keys
After completing the steps above you should be able to log in to the remote server without being prompted for a password.
To test it, just try to log in to your server via SSH:
ssh remote_username@server_ip_address
If everything went well, you will be logged in immediately.
Disable SSH Password Authentication
Make sure you can log in without a password and that the user has root privileges:
ssh sudo_user@server_ip_address
cd /etc/ssh
Edit the configuration file sshd_config:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
Once you are done, save the file and restart the SSH service.
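Before restarting, it helps to confirm that the edited file really turns password logins off. The following is an added example, not part of the original page: it reads the global section of an sshd_config file the way sshd does (the first value for a keyword wins) and does not follow Include lines. The function names and the sample config are constructed for illustration, and KbdInteractiveAuthentication is checked because it is the current OpenSSH name for ChallengeResponseAuthentication.

```sh
#!/bin/sh
# Added example (not from the original page): read an sshd_config file
# the way sshd does for the directives edited above.

# first_value FILE KEYWORD...
# Print the first value given to any KEYWORD in the global section.
# sshd keeps the first value it obtains for a keyword, keywords are
# case-insensitive, and a Match block ends the global section.
first_value() {
  fv_file=$1; shift
  awk -v keys="$*" '
    BEGIN { n = split(tolower(keys), k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
    {
      line = $0
      sub(/=/, " ", line)               # accept "Keyword=value" too
      split(line, f, " ")
      key = tolower(f[1])
      if (key == "match") exit
      if (key in want) { print f[2]; exit }
    }' "$fv_file"
}

# audit_sshd_config FILE
# Print one line per finding; return 1 if a password-style method is on.
audit_sshd_config() {
  rc=0
  pw=$(first_value "$1" PasswordAuthentication)
  kbd=$(first_value "$1" KbdInteractiveAuthentication ChallengeResponseAuthentication)
  inc=$(first_value "$1" Include)
  # Both methods default to "yes" when the file does not set them.
  [ "${pw:-yes}" = no ] || { echo "FAIL PasswordAuthentication=${pw:-yes}"; rc=1; }
  [ "${kbd:-yes}" = no ] || { echo "FAIL keyboard-interactive=${kbd:-yes}"; rc=1; }
  [ -z "$inc" ] || echo "WARN Include $inc not followed; check those files too"
  return $rc
}

# Constructed sample: the later "no" loses to the earlier "yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
passwordauthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "password login is still possible"
rm -f "$sample"
```

On the server itself, sudo sshd -t checks the file for syntax errors and sudo sshd -T prints the settings sshd will actually use, with included files resolved.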
On Ubuntu or Debian servers, run the following command:
sudo systemctl restart ssh
On CentOS or Fedora servers, run the following command:
sudo systemctl restart sshd
Configure server aliases to simplify connections
config
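I configured passwordless SSH login, but I am still asked for a password when I log in. What could the problem be?
If you have configured passwordless SSH login but still have to enter a password when logging in, the following are possible causes:
- Passwordless login is not configured correctly
Make sure you followed the correct procedure, including generating an SSH key pair and adding the public key to the authorized_keys file on the server. If you are unsure how to configure passwordless login, consult the relevant documentation or an online tutorial.
- Permissions are set incorrectly
Make sure the authorized_keys file on the server has its permissions set to 600 or 400; otherwise the SSH server may refuse to use the file for authentication.
- The SSH agent is not running
If you use an SSH agent (for example ssh-agent), make sure it has been started and your private key has been added to it. You can run ssh-add -l to check whether the key has been added to the agent.
- The SSH key file is in the wrong location
Make sure your SSH client can find your SSH private key file. By default, the client searches for .ssh/id_rsa and .ssh/id_dsa; if your private key file is located elsewhere, make sure you specify the correct path when connecting.
- The SSH service is configured incorrectly
If none of the above resolves the problem, the SSH service may be misconfigured. Check the SSH service's configuration file, especially the parts dealing with authentication and key authentication, to make sure that public key authentication is allowed.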
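The permission item in the list above can be checked with a short script. This is an added example, not part of the original page: it verifies the modes this page uses (700 for the .ssh directory, 600 or 400 for authorized_keys) and, as an added assumption based on the ssh client refusing private keys that other users can access, that private keys have no group or other permissions. The function names and the demo directory are constructed, and the script is meant to be run as the account that logs in.

```sh
#!/bin/sh
# Added example (not from the original page): report the file modes and
# ownership that commonly break key-based login.

perm_of()  { ls -ldn "$1" | cut -c2-10; }           # e.g. rw-------
owner_of() { ls -ldn "$1" | awk '{ print $3 }'; }   # numeric uid

# expect_mode PATH PATTERN...
# Pass if PATH is absent, or is owned by the caller and its permission
# string matches one PATTERN (a shell glob over the 9 mode characters).
expect_mode() {
  ex_path=$1; shift
  [ -e "$ex_path" ] || return 0
  if [ "$(owner_of "$ex_path")" != "$(id -u)" ]; then
    echo "FAIL $ex_path is not owned by uid $(id -u)"; return 1
  fi
  ex_mode=$(perm_of "$ex_path")
  for ex_pat in "$@"; do
    case $ex_mode in $ex_pat) return 0 ;; esac
  done
  echo "FAIL $ex_path mode $ex_mode"; return 1
}

# check_ssh_perms DIR : return 1 if anything in DIR fails a check.
check_ssh_perms() {
  rc=0
  expect_mode "$1" 'rwx------' || rc=1                              # 700
  expect_mode "$1/authorized_keys" 'rw-------' 'r--------' || rc=1  # 600 or 400
  for pub in "$1"/id_*.pub; do
    # The private key beside each public key: no group/other access.
    expect_mode "${pub%.pub}" '???------' || rc=1
  done
  return $rc
}

# Constructed demo directory with a group-writable authorized_keys.
demo=$(mktemp -d)
chmod 700 "$demo"
touch "$demo/authorized_keys" "$demo/id_rsa" "$demo/id_rsa.pub"
chmod 664 "$demo/authorized_keys"
chmod 600 "$demo/id_rsa"
check_ssh_perms "$demo" || echo "tighten with chmod 700 / chmod 600"
rm -rf "$demo"
```

Run check_ssh_perms ~/.ssh on the server to check authorized_keys, and on the client to check the private keys.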
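The ssh-copy-id command copies a public key file from the local computer to the authorized_keys file on the remote server in order to enable passwordless SSH login. If you want to specify which public key file to copy, you can use the -i option to specify the path to the private key file.
For example, suppose your public key file is named id_rsa.pub and is stored in the /home/user/.ssh directory, and you want to add it to the authorized_keys file on a remote server whose IP address is 192.168.1.100. You can then run the following command:
ssh-copy-id -i /home/user/.ssh/id_rsa.pub user@192.168.1.100
Here the -i option specifies the path of the public key file to copy, user is the username on the remote server, and 192.168.1.100 is the remote server's IP address.
Note that when using the -i option, you should specify the public key file rather than the private key file.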
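To specify the private key file path for a Host alias in the ssh config, use the following syntax:
Host 别名
  IdentityFile /path/to/private/key
Here, "别名" (alias) is the custom name you configured for the host, and "/path/to/private/key" is the path to your private key file.
Make sure the key file path given after IdentityFile is correct, and replace it with the path you actually use.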