SSH Passwordless Authentication Guide
This guide will walk you through the process of setting up SSH key-based authentication to connect to your Ubuntu server without needing to enter a password each time.
Table of Contents
- Benefits of SSH Key Authentication
- Step 1: Generate SSH Keys on Your Client Machine
- Step 2: Transfer Your Public Key to the Server
- Step 3: Configure SSH on the Server
- Step 4: Connect Without Password
- Step 5: Additional Security Enhancements
- Troubleshooting
Benefits of SSH Key Authentication
- More secure than password-based authentication
- No need to remember or enter passwords
- Protection against brute force attacks
- Ability to revoke specific keys without changing server passwords
- Can be used with SSH agents for convenience
Step 1: Generate SSH Keys on Your Client Machine
First, you need to generate an SSH key pair on your local machine (the computer you’ll be connecting from).
For Linux/macOS:
# Create .ssh directory if it doesn't exist
mkdir -p ~/.ssh
chmod 700 ~/.ssh
# Generate a new 4096-bit RSA key pair
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
When prompted:
- Enter a file path to save the key (or press Enter to use the default location: ~/.ssh/id_rsa)
- Enter a secure passphrase (optional but recommended for extra security)
For Windows (using PowerShell or Git Bash):
# Using PowerShell
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
# Default location will be C:\Users\YourUsername\.ssh\id_rsa
Using Ed25519 (More Secure Alternative; run this on your local machine)
For enhanced security, you can use Ed25519 keys instead of RSA:
ssh-keygen -t ed25519 -C "your_email@example.com"
Step 2: Transfer Your Public Key to the Server
You need to add your public key to the server’s authorized keys file.
Method 1: Using ssh-copy-id (Linux/macOS)
ssh-copy-id -i /path/to/your/custom_key.pub username@server_ip_address
This will prompt for your server password one last time, and then set up the key authentication.
Method 2: Manual Copy (All Platforms)
If ssh-copy-id is not available (e.g., on Windows), you can manually copy the key:
# On Linux/macOS - display your public key
cat ~/.ssh/id_rsa.pub
# On Windows PowerShell
type $env:USERPROFILE\.ssh\id_rsa.pub
# Or if you used Ed25519
cat ~/.ssh/id_ed25519.pub
- Copy the output (the entire string starting with ssh-rsa or ssh-ed25519)
- Log in to your server with your password
- Create or edit the authorized_keys file:
# On the server
mkdir -p ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# Add your public key to the file
echo "YOUR_COPIED_PUBLIC_KEY" >> ~/.ssh/authorized_keys
Method 3: Using SCP (All Platforms)
# For RSA keys
scp ~/.ssh/id_rsa.pub username@server_ip_address:~/temp_key.pub
# Or for Ed25519 keys
scp ~/.ssh/id_ed25519.pub username@server_ip_address:~/temp_key.pub
# Then on the server:
mkdir -p ~/.ssh
cat ~/temp_key.pub >> ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
rm ~/temp_key.pub
Step 3: Configure SSH on the Server
For better security, modify the SSH server configuration:
sudo nano /etc/ssh/sshd_config
Make the following changes:
# Enable public key authentication
PubkeyAuthentication yes
# Disable password authentication (only do this AFTER confirming key auth works)
PasswordAuthentication no
# Disable root login
PermitRootLogin no
# Only allow specific users if needed
AllowUsers username1 username2
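# Specify which public key signature algorithms are allowed
# (plain ssh-rsa means RSA with SHA-1; rsa-sha2-* lets RSA keys sign with SHA-2.
# OpenSSH 8.5+ also accepts the newer keyword name PubkeyAcceptedAlgorithms)
PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512,rsa-sha2-256
# Only use strong ciphers and MACs
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com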
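Make sure PasswordAuthentication is also disabled in 50-cloud-init.conf. sshd uses the first value it reads for a keyword, so a "PasswordAuthentication yes" in this drop-in file overrides the setting in sshd_config: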
sudo nano /etc/ssh/sshd_config.d/50-cloud-init.conf
Make the following changes:
PasswordAuthentication no
Save the file and restart the SSH service:
sudo systemctl restart sshd
IMPORTANT: Before logging out, test your key-based login in a new terminal to make sure it works.
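A way to check the override described above before restarting sshd, as an added example that is not part of the original guide. The function names and the demo tree are constructed for illustration, and the script assumes the files are passed in the order sshd reads them.

```sh
#!/bin/sh
# Added example, not from the original guide. sshd keeps the FIRST value it reads
# for a keyword, and Ubuntu's sshd_config begins with an Include of
# sshd_config.d/*.conf, so pass the drop-ins first, then the main file.

# effective_setting KEYWORD FILE...  -> "value<TAB>file" of the first match
effective_setting() {
    kw=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -F '[ \t=]+' -v kw="$kw" -v f="$f" '
            { sub(/^[ \t]+/, "") }
            /^#/ || /^$/ { next }
            tolower($1) == "match" { exit }  # conditional block: stop here
            tolower($1) == kw { print tolower($2) "\t" f; found = 1; exit }
            END { exit !found }
        ' "$f" && return 0
    done
    return 1
}

# audit_hardening FILE... -> one report line per Step 3 setting; returns 1 on FAIL.
# Entries are keyword:wanted:default (OpenSSH built-in defaults).
audit_hardening() {
    rc=0
    for want in pubkeyauthentication:yes:yes passwordauthentication:no:yes \
                permitrootlogin:no:prohibit-password; do
        key=${want%%:*}; rest=${want#*:}
        got=$(effective_setting "$key" "$@") ||
            got=$(printf '%s\tbuilt-in default' "${rest#*:}")
        val=$(printf '%s' "$got" | cut -f1)
        if [ "$val" = "${rest%%:*}" ]; then status=OK; else status=FAIL; rc=1; fi
        printf '%s %s=%s (%s)\n' "$status" "$key" "$val" "$(printf '%s' "$got" | cut -f2)"
    done
    return $rc
}

# Constructed demo tree: the cloud-init drop-in re-enables passwords.
demo_tree() {
    d=$(mktemp -d) && mkdir "$d/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-cloud-init.conf"
    printf 'PubkeyAuthentication yes\nPasswordAuthentication no\nPermitRootLogin no\n' > "$d/sshd_config"
    printf '%s\n' "$d"
}

tree=$(demo_tree)
audit_hardening "$tree"/sshd_config.d/*.conf "$tree/sshd_config" || true
rm -rf "$tree"
```

On a live server, `sudo sshd -T` prints the configuration sshd actually resolves, including Match blocks and any other Include paths this sketch does not follow.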
Step 4: Connect Without Password
From your client machine, connect to the server:
# Basic connection
ssh username@server_ip_address
# If you used a custom key location
ssh -i ~/.ssh/your_key_name username@server_ip_address
# Specify a non-standard port if needed
ssh -p 2222 username@server_ip_address
Step 5: Additional Security Enhancements
Using SSH Config File
Create or edit ~/.ssh/config on your client machine:
nano ~/.ssh/config
Add your server details:
Host myserver
    HostName server_ip_address
    User username
    Port 22
    IdentityFile ~/.ssh/id_rsa
    ServerAliveInterval 60
    ServerAliveCountMax 120
Now you can connect simply by typing:
ssh myserver
Using SSH Agent
The SSH agent holds your unlocked key in memory, so you only have to type the passphrase once per session instead of every time:
# Start the SSH agent
eval "$(ssh-agent -s)"
# Add your private key
ssh-add ~/.ssh/id_rsa
# For Ed25519 keys
ssh-add ~/.ssh/id_ed25519
For Windows Users (SSH Agent in PowerShell)
# Start the service if not running
Get-Service ssh-agent | Set-Service -StartupType Automatic
Start-Service ssh-agent
# Add your key
ssh-add $env:USERPROFILE\.ssh\id_rsa
Troubleshooting
Permission Issues
SSH requires specific permissions on files:
# On your client
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
# On your server
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Connection Issues
If you’re unable to connect, check the server logs:
sudo tail -f /var/log/auth.log
Remote Server Identification Changed
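If you get a “WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!” message, first confirm that the server's host key really changed (for example, after a reinstall), because the same warning appears when a connection is being intercepted. Then remove the old key: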
# Remove the old key
ssh-keygen -R server_ip_address
Debug Connection Issues
Use verbose mode to see what’s happening:
ssh -vvv username@server_ip_address
Common Errors and Solutions
- Permission denied (publickey): Check file permissions and ensure the correct public key is in authorized_keys.
- Connection refused: Make sure SSH server is running and port is open.
- No matching host key type found: Update your SSH client or specify key type: ssh -o HostKeyAlgorithms=+ssh-rsa username@server_ip_address
- Host key verification failed: Remove old key with ssh-keygen -R server_ip_address.
- Bad owner or permissions: Fix permissions as shown in the Permission Issues section.
Security Reminder
When setting up passwordless SSH:
- Always keep your private key secure and never share it
- Use a strong passphrase to protect your key
- Consider using hardware security keys for enhanced protection
- Regularly audit authorized_keys on your servers
- Use fail2ban to protect against brute force attempts
- Consider setting up 2FA for critical servers
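One way to do the authorized_keys audit mentioned in the list above, as an added example that is not part of the original guide. The function names, flag names and sample entries are constructed, and the parser assumes no option word starts with a key-type prefix.

```sh
#!/bin/sh
# Added example, not from the original guide.
# audit_authorized_keys FILE
#   Prints "line<TAB>type<TAB>comment<TAB>options<TAB>flags" per key entry and
#   returns 1 if any entry is flagged (DSA key, duplicate key, missing comment).
audit_authorized_keys() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        {
            t = 0   # index of the key-type field; options, if any, come before it
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) { t = i; break }
            if (t == 0 || t == NF) { print NR "\t?\t-\t-\tunparsed"; bad = 1; next }
            blob = $(t + 1); opts = ""; comment = ""; flags = ""
            for (i = 1; i < t; i++) opts = opts (i > 1 ? " " : "") $i
            for (i = t + 2; i <= NF; i++) comment = comment (i > t + 2 ? " " : "") $i
            if ($t == "ssh-dss") flags = flags " dsa-key"
            if (blob in seen) flags = flags " duplicate-of-line-" seen[blob]
            else seen[blob] = NR
            if (comment == "") { comment = "-"; flags = flags " no-comment" }
            sub(/^ /, "", flags)
            if (flags == "") flags = "ok"
            else bad = 1
            print NR "\t" $t "\t" comment "\t" (opts == "" ? "-" : opts) "\t" flags
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample file; the key blobs are placeholders, not real keys.
sample_authorized_keys() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# team keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderBlobOne alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPlaceholderBlobTwo
from="192.0.2.10" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderBlobOne backup job
ssh-dss AAAAB3NzaC1kc3MAAACBPlaceholderBlobThree old@host
EOF
    printf '%s\n' "$f"
}

keys=$(sample_authorized_keys)
audit_authorized_keys "$keys" || true
rm -f "$keys"
```

Entries without a comment are flagged because they cannot be tied to an owner when a specific key has to be revoked.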
