The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.

26.5.4 Enabling Remote System Access Without Requiring a Password

To be able to use the OpenSSH utilities to access a remote system without supplying a password each time that you connect:

  1. Use ssh-keygen to generate a public and private key pair, for example: 

    $ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): <Enter>
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase): <Enter>
Enter same passphrase again: <Enter>
...

    Press Enter each time that the command prompts you to enter a passphrase.

  2. Use the ssh-copy-id script to append the public key in the local ~/.ssh/id_rsa.pub file to the ~/.ssh/authorized_keys file on the remote system, for example: 

    $ ssh-copy-id remote_user@host
remote_user@host's password: remote_password
Now try logging into the machine, with "ssh 'remote_user@host'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

    When prompted, enter your password for the remote system.

    The script also changes the permissions of ~/.ssh and ~/.ssh/authorized_keys on the remote system to disallow access by your group.

    You can now use the OpenSSH utilities to access the remote system without supplying a password. As the script suggests, you should use ssh to log into the remote system to verify that the ~/.ssh/authorized_keys file contains only the keys for the systems from which you expect to connect. For example: 

    $ ssh remote_user@host
Last login: Thu Jun 13 08:33:58 2013 from local_host
host$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6OabJhWABsZ4F3mcjEPT3sxnXx1OoUcvuCiM6fg5s/ER
... FF488hBOk2ebpo38fHPPK1/rsOEKX9Kp9QWH+IfASI8q09xQ== local_user@local_host
host$ logout
Connection to host closed.
$

  3. Verify that the permissions on the remote ~/.ssh directory and ~/.ssh/authorized_keys file allow access only by you: 

    $ ssh remote_user@host ls -al .ssh
total 4
drwx------+ 2 remote_user group   5 Jun 12 08:33 .
drwxr-xr-x+ 3 remote_user group   9 Jun 12 08:32 ..
-rw-------+ 1 remote_user group 397 Jun 12 08:33 authorized_keys
$ ssh remote_user@host getfacl .ssh
# file: .ssh
# owner: remote_user
# group: group
user::rwx
group::---
mask::rwx
other::---

$ ssh remote_user@host getfacl .ssh/authorized_keys
# file: .ssh/authorized_keys
# owner: remote_user
# group: group
user::rw-
group::---
mask::rwx
other::---

    If necessary, correct the permissions: 

    $ ssh remote_user@host 'umask 077; /sbin/restorecon .ssh'
$ ssh remote_user@host 'umask 077; /sbin/restorecon .ssh/authorized_keys'
    Note

    If your user names are the same on the client and the server systems, you do not need to specify your remote user name and the @ symbol.

  4. If your user names are different on the client and the server systems, create a ~/.ssh/config file with permissions 600 on the remote system that defines your local user name, for example: 

    $ ssh remote_user@host echo -e "Host *\\\nUser local_user" '>>' .ssh/config
$ ssh remote_user@host cat .ssh/config
Host *
User local_user
$ ssh remote_user@host 'umask 077; /sbin/restorecon .ssh/config'

    You should now be able to access the remote system without needing to specify your remote user name, for example: 

    $ ssh host ls -l .ssh/config
-rw-------+ 1 remote_user group 37 Jun 12 08:34 .ssh/config
$ ssh host getfacl .ssh/config
# file: .ssh/config
# owner: remote_user
# group: group
user::rw-
group::---
mask::rwx
other::---

For more information, see the ssh-copy-id(1), ssh-keygen(1), and ssh_config(5) manual pages.

Copyright © 2013, 2021, Oracle and/or its affiliates. Legal Notices