25.5.4 Enabling Remote System Access Without Requiring a Password

To be able to use the OpenSSH utilities to access a remote system without supplying a password each time that you connect:

  1. Use ssh-keygen to generate a public and private key pair, for example:

    $ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/user/.ssh/id_rsa): <Enter>
    Created directory '/home/user/.ssh'.
    Enter passphrase (empty for no passphrase): <Enter>
    Enter same passphrase again: <Enter>
    ...

    Press Enter each time that the command prompts you to enter a passphrase.

  2. Use the ssh-copy-id script to append the public key in the local ~/.ssh/id_rsa.pub file to the ~/.ssh/authorized_keys file on the remote system, for example:

    $ ssh-copy-id remote_user@host
    remote_user@host's password: remote_password
    Now try logging into the machine, with "ssh 'remote_user@host'", and check in:
    
      .ssh/authorized_keys
    
    to make sure we haven't added extra keys that you weren't expecting.

    When prompted, enter your password for the remote system.

    The script also changes the permissions of ~/.ssh and ~/.ssh/authorized_keys on the remote system to disallow access by your group.

    You can now use the OpenSSH utilities to access the remote system without supplying a password. As the script suggests, you should use ssh to log into the remote system to verify that the ~/.ssh/authorized_keys file contains only the keys for the systems from which you expect to connect. For example:

    $ ssh remote_user@host
    Last login: Thu Jun 13 08:33:58 2013 from local_host
    host$ cat .ssh/authorized_keys
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6OabJhWABsZ4F3mcjEPT3sxnXx1OoUcvuCiM6fg5s/ER
    ... FF488hBOk2ebpo38fHPPK1/rsOEKX9Kp9QWH+IfASI8q09xQ== local_user@local_host
    host$ logout
    Connection to host closed.
    $

  3. Verify that the permissions on the remote ~/.ssh directory and ~/.ssh/authorized_keys file allow access only by you:

    $ ssh remote_user@host ls -al .ssh
    total 4
    drwx------+ 2 remote_user group   5 Jun 12 08:33 .
    drwxr-xr-x+ 3 remote_user group   9 Jun 12 08:32 ..
    -rw-------+ 1 remote_user group 397 Jun 12 08:33 authorized_keys
    $ ssh remote_user@host getfacl .ssh
    # file: .ssh
    # owner: remote_user
    # group: group
    user::rwx
    group::---
    mask::rwx
    other::---
    
    $ ssh remote_user@host getfacl .ssh/authorized_keys
    # file: .ssh/authorized_keys
    # owner: remote_user
    # group: group
    user::rw-
    group::---
    mask::rwx
    other::---

    If necessary, correct the permissions (chmod sets the mode bits; restorecon only restores the SELinux context of the file, which is also required on an SELinux-enabled system):

    $ ssh remote_user@host 'umask 077; chmod 700 .ssh; /sbin/restorecon .ssh'
    $ ssh remote_user@host 'umask 077; chmod 600 .ssh/authorized_keys; /sbin/restorecon .ssh/authorized_keys'

    Note

    If your user names are the same on the client and the server systems, you do not need to specify your remote user name and the @ symbol.

  4. If your user names are different on the client and the server systems, create a ~/.ssh/config file with permissions 600 on the remote system that defines your local user name, for example:

    $ ssh remote_user@host echo -e "Host *\\\nUser local_user" '>>' .ssh/config
    $ ssh remote_user@host cat .ssh/config
    Host *
    User local_user
    $ ssh remote_user@host 'umask 077; /sbin/restorecon .ssh/config'

    You should now be able to access the remote system without needing to specify your remote user name, for example:

    $ ssh host ls -l .ssh/config
    -rw-------+ 1 remote_user group 37 Jun 12 08:34 .ssh/config
    $ ssh host getfacl .ssh/config
    # file: .ssh/config
    # owner: remote_user
    # group: group
    user::rw-
    group::---
    mask::rwx
    other::---
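The check of step 3 as a script, added here as an example and not part of the original page: it verifies the modes that the listing above shows (700 on ~/.ssh, 600 on authorized_keys), reports any other file in the directory that group or other can read, and applies the fix with chmod, since restorecon resets only the SELinux label and not the mode bits. It assumes a stat that accepts -c (GNU or busybox, as on Linux); the directory path and the file name audit_ssh.sh are placeholders of this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit and fix the modes on an
# OpenSSH directory such as ~/.ssh. Assumes GNU/busybox stat with -c.

# mode_of PATH: print the octal mode bits of PATH, e.g. 700
mode_of() {
    stat -c '%a' "$1"
}

# check_mode PATH WANT: return 0 if PATH exists with exactly mode WANT, else 1
check_mode() {
    [ -e "$1" ] || { echo "missing: $1"; return 1; }
    have=$(mode_of "$1")
    if [ "$have" != "$2" ]; then
        echo "bad mode on $1: have $have, want $2"
        return 1
    fi
    return 0
}

# audit_ssh_dir DIR: DIR must be 700 and DIR/authorized_keys 600; any other
# regular file in DIR with group or other bits set is reported too, because a
# readable private key or config there would undermine the setup.
audit_ssh_dir() {
    rc=0
    check_mode "$1" 700 || rc=1
    check_mode "$1/authorized_keys" 600 || rc=1
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case $(mode_of "$f") in
            *00) ;;                                   # owner-only: fine
            *) echo "group/other access on $f"; rc=1 ;;
        esac
    done
    return $rc
}

# fix_ssh_dir DIR: apply the modes audit_ssh_dir expects. chmod changes the
# mode bits; restorecon only resets SELinux labels, so run both on SELinux hosts.
fix_ssh_dir() {
    chmod 700 "$1" || return 1
    for f in "$1"/*; do
        [ -f "$f" ] && chmod 600 "$f"
    done
    command -v restorecon >/dev/null 2>&1 && { restorecon -R "$1" || :; }
    return 0
}
```

To run it on the remote system, append a line such as `audit_ssh_dir "$HOME/.ssh"` to the file and feed it over the connection with `ssh remote_user@host sh -s < audit_ssh.sh`.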

For more information, see the ssh-copy-id(1), ssh-keygen(1), and ssh_config(5) manual pages.