
Using SSH without passwords

When you use SSH to log into a server, the server wants to make sure you really are who you claim to be: it needs to authenticate you. By convention, this is done using your password.

But entering your password every time you log into a remote server is annoying. This page will tell you how to avoid that - without making things insecure.

You will need to:

  • Generate an SSH key

  • Make the server(s) recognise the SSH key as yours

  • Set up your SSH Agent locally

The key works similarly to a password, but with a twist. It has two parts:

  • A public key which you can freely publish
  • A private key which you must keep private at all times

The twist is: anything encrypted using the public key can only be decrypted using the private key. And anything encrypted using the private key can only be decrypted using the public key.

Generating an SSH Key

You generate a key using the ssh-keygen command. This will produce 2 files:

  • ~/.ssh/id_rsa : your private key. Keep this secret.
  • ~/.ssh/id_rsa.pub : your public key

It is very important that you keep the private key private. So avoid storing the key on a shared computer: typically, the key belongs on your laptop.

ssh-keygen will prompt you to set a password on the key: this is good practice (choose a nice long password!). This encrypts the private key so even if others get hold of the file, it will be useless without the password. Unfortunately that means that you will need that password whenever you use the key; but there are ways of making this less arduous - see "Setting Up Your SSH Agent" below.
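
To check that the keys on a machine really are stored encrypted, the file header is enough: the key is never decrypted and no password is needed. The script below is an added example, not part of the original page; the function names key_protection and audit_keys are made up for it, and it goes beyond ~/.ssh/id_rsa by recognising the current OpenSSH format, legacy PEM and PKCS#8.

```shell
#!/bin/sh
# Added example: report whether private key files are password-protected,
# using only the file header. Function names are hypothetical.

# key_protection FILE -> prints "encrypted", "unencrypted" or "unknown"
key_protection() {
    key=$1
    [ -r "$key" ] || { echo unknown; return 0; }
    case $(head -n 1 "$key") in
    "-----BEGIN OPENSSH PRIVATE KEY-----")
        # Current format: magic "openssh-key-v1\0" (15 bytes), then a 4-byte
        # big-endian length and the cipher name. "none" means no password.
        set -- $(grep -v '^-----' "$key" | tr -d ' \r\n' |
                 base64 -d 2>/dev/null | od -An -v -tu1 -j15 -N8 2>/dev/null)
        case "$*" in
        "0 0 0 4 110 111 110 101") echo unencrypted ;;  # length 4, "none"
        "0 0 0 "*)                 echo encrypted ;;    # e.g. aes256-ctr
        *)                         echo unknown ;;
        esac ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----")
        echo encrypted ;;                               # PKCS#8, encrypted
    "-----BEGIN "*"PRIVATE KEY-----")
        # Legacy PEM (RSA/EC/DSA) marks encryption with a Proc-Type header.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
            echo encrypted
        else
            echo unencrypted
        fi ;;
    *)  echo unknown ;;
    esac
}

# audit_keys [DIR] -> prints "STATUS<TAB>FILE" for each private key in DIR
# (default ~/.ssh); returns 1 if any key is not confirmed encrypted.
audit_keys() {
    dir=${1:-$HOME/.ssh}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        head -n 1 "$f" | grep -q 'PRIVATE KEY-----$' || continue
        status=$(key_protection "$f")
        printf '%s\t%s\n' "$status" "$f"
        [ "$status" = encrypted ] || rc=1
    done
    return $rc
}

# Run as: sh audit.sh ~/.ssh   (does nothing when no directory is given)
if [ $# -gt 0 ]; then audit_keys "$1"; fi
```

A key reported as unencrypted can be given a password afterwards with ssh-keygen -p -f followed by the file name.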

Make Hosts Recognise Your SSH Key

To install your public key in the target host, use the ssh-copy-id command:

$ ssh-copy-id remote-server

From now on, when somebody presents the public key (and can prove they are in possession of the corresponding private key), they will be logged in. As long as you keep the private key private, this will only be you.

Setting Up Your SSH Agent

The SSH agent solves the problem of "having to enter the key password all the time". It does that by keeping an unencrypted version of the private key in memory, while leaving the on-disk version encrypted. Things that need access to the private key will talk to the agent instead.

The end result is that you normally only need to enter the password for the SSH private key once: when you log into your laptop. Which might be once a day or once every 3 months (if you suspend your laptop rather than logging off/rebooting incessantly).

Most Linux desktop environments will automatically run an agent for you, so you only need to "add" the key to the agent. And you can normally configure the desktop environment to automatically unlock the key upon login to your laptop.

To see whether you already have a running agent:

pgrep ssh-agent

which will list the process ID(s) of agents. If the output is empty, then you do not have a running agent.

For the agent to keep the decrypted key in memory, you need to "add" the key:

ssh-add

which will ask for the key password. Once.

And from now on, your SSH sessions will be password-less.

Enjoy!