SSH is a great technology; you can use it to hide VPN traffic, secure your connection to websites, and more. The only problem is that each time you try to log into a remote machine, you have to enter your password, and that can be tedious. If you’re a developer looking to connect to a lot of machines over SSH at once with a Bash script, or just someone who uses Secure Shell and is sick of entering passwords, there is a solution: passwordless SSH. This process involves generating a secure SSH key on the host machine and sharing it as a way to access the PC. This will allow anyone with the key to log in, even if they don’t know the password. Here’s how to get it going.
What Are SSH Keys?
An SSH key is a unique identification file that is used with Secure Shell. The purpose of these keys is to provide a unique identity to the user and mark them as “trusted” when logging in. These keys are more than files that prove someone’s identity. In fact, SSH lets users log in with a key rather than a password. This means that instead of being forced to enter a password each time you log in over SSH, you use the SSH key.
The SSH key is placed somewhere securely on your Linux installation, and from there, you can log into the remote machine as much as you want without a password.
Generating Secure SSH Keys
Generating a secure SSH key first requires that SSH is up and running. Do understand that this doesn’t necessarily mean you need to have an SSH server; just that the basic SSH tools and technologies are installed on your Linux PC. Not sure how to set up SSH? Follow our guide on it here.
Always generate the SSH keys on the system hosting the SSH session. Don’t generate them on some other machine and copy them over to the SSH host machine; it won’t work.
To start the key generation process, open up a terminal. Inside the terminal window, run:
ssh-keygen -t rsa
Running ssh-keygen will print “Generating public/private rsa key pair”. This means that the system is generating both a public key and a private key for you to use. Public keys are ones anyone can use, and you should be fine giving them out. A private key, on the other hand, is something you should never share with anyone, hence the name “private”.
The keys are saved to /home/username/.ssh/: the private key as id_rsa and the public key as id_rsa.pub.
Note: DO NOT DELETE the ~/.ssh folder, as it contains your keys. If you tamper with this folder in any way and then try to log into this machine remotely, the SSH prompt will fail. It will also print a warning and lock you out.
SSH Keys On Remote Machine
Now that the SSH keys (both public and private) are created and ready to use, you’ll need to copy them to the system you’re looking to log in from. It is important that you repeat this process on all the machines you plan to log in to over SSH. Otherwise, the ones that do not have the key will need to log in using the password method.
To add the keys to the remote system, follow this example. Make sure you run it from the host machine, over SSH.
ssh username@remote-host-name mkdir -p .ssh
Running this ssh command will create a hidden ~/.ssh folder in the remote machine’s home directory (for the user that was used to log in). This folder is important, as this is where we will copy the newly generated SSH key files.
To copy the SSH key files over, run yet another command from the SSH host machine to the remote machine that needs the keys:
cat .ssh/id_rsa.pub | ssh username@remote-host-name 'cat >> .ssh/authorized_keys'
The copying will take a few seconds, depending on network speed. When it finishes, the remote PC will have the generated keys, and will be able to log into the SSH host PC without a password.
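The two commands above create the remote ~/.ssh folder and append the public key to authorized_keys, but they leave the permissions to chance and add a duplicate line every time they are re-run. As an added example (not code from the original article), the function below does the same append step on the receiving machine's filesystem, once, and sets the permissions sshd's StrictModes check expects (700 on ~/.ssh, 600 on authorized_keys). The directory path and the sample key line are constructed for the demonstration and are not real credentials.

```shell
#!/bin/sh
# Added example, not from the original article: install a public key line into
# an authorized_keys file idempotently and with the permissions sshd expects.
# Paths and the sample key used with it are constructed for the demonstration.

# install_pubkey PUBKEY_LINE SSH_DIR
# Appends PUBKEY_LINE to SSH_DIR/authorized_keys unless an identical line is
# already present. sshd refuses keys from a ~/.ssh or authorized_keys that is
# group- or world-writable, so the modes are fixed every time.
install_pubkey() {
    pubkey=$1
    ssh_dir=$2
    authkeys="$ssh_dir/authorized_keys"

    # Refuse obviously malformed input: a public key line starts with the key
    # type (ssh-rsa, ssh-ed25519, ecdsa-sha2-*) followed by base64 data.
    case $pubkey in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "install_pubkey: not a public key line" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir"
    touch "$authkeys" || return 1
    chmod 600 "$authkeys"

    # -x: whole-line match, -F: literal text (base64 contains '+' and '/').
    if grep -qxF -- "$pubkey" "$authkeys"; then
        return 0   # already authorized; do not add a duplicate
    fi
    printf '%s\n' "$pubkey" >> "$authkeys"
}

# key_count AUTHKEYS_FILE: number of key lines (comments and blank lines skipped)
key_count() {
    grep -c -v -e '^#' -e '^$' "$1"
}

# mode_of PATH: octal permission bits, to verify what install_pubkey set
# (GNU stat first, BSD stat as fallback)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

Run it on the remote side as the account that will accept the key, passing the contents of id_rsa.pub as the first argument; the grep guard means re-running it after a key rotation is harmless.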
Backing Up SSH Keys
SSH keys are useful things, and each one is unique. Because of this, backing them up is the best course of action. The trouble is, if you save a key elsewhere, someone may find it, keep it, and use it for themselves. So the question is: what’s a good way to securely back up an SSH key? Encryption.
The fastest, most efficient (and easiest) way to encrypt is to use GnuPG. It underpins most of the encryption tools already on Linux and is the go-to whenever encrypting files comes up. To install GnuPG, open up a terminal and search your package manager for “gpg”. The program should be easy to find, even on very obscure Linux distributions.
Once GPG is up and running, start the encryption process by compressing your ~/.ssh directory into a tar archive. Doing this means there is no need to individually encrypt each and every file in the ~/.ssh folder.
tar -czvf ssh-stuff.tar.gz /home/username/.ssh
When the compression finishes, start the encryption process.
Note: before encrypting, run gpg in the terminal to generate a new keyring.
gpg -c ssh-stuff.tar.gz
When the encryption process completes, GnuPG will output a file named “ssh-stuff.tar.gz.gpg”. Feel free to delete the original, unlocked version of the file. To decrypt your backup archive, do the following:
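As an added example that is not part of the original article, the two functions below wrap the tar and gpg -c steps above so that the unencrypted archive is created owner-only, is removed as soon as the .gpg file exists, and is stored by directory name rather than by absolute path (the article's tar command records /home/username/.ssh, which makes restoring into a different home directory awkward). The matching restore function decrypts and unpacks the backup. It assumes gpg 2.1 or newer (for --pinentry-mode loopback) and a passphrase kept in a file readable only by you; every file name is a placeholder for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: tar + gpg -c backup of ~/.ssh
# with no world-readable plaintext left on disk, and the matching restore.
# Assumes gpg 2.1+ and a passphrase file; names are placeholders.

# backup_ssh_dir SSH_DIR OUT_FILE PASSPHRASE_FILE
# Writes OUT_FILE (e.g. ssh-stuff.tar.gz.gpg) and leaves no plaintext copy.
# The body runs in a subshell so umask does not leak into the caller.
backup_ssh_dir() (
    ssh_dir=$1; out=$2; pf=$3
    umask 077                                  # new files are owner-only
    plain=$(mktemp) || exit 1
    # -C: store the directory under its basename, not an absolute path.
    tar -czf "$plain" -C "$(dirname "$ssh_dir")" "$(basename "$ssh_dir")" \
        || { rm -f "$plain"; exit 1; }
    if gpg --batch --yes --quiet --pinentry-mode loopback \
           --passphrase-file "$pf" --symmetric --cipher-algo AES256 \
           -o "$out" "$plain"; then rc=0; else rc=$?; fi
    rm -f "$plain"                             # delete the unlocked archive either way
    exit $rc
)

# restore_ssh_dir IN_FILE DEST_PARENT PASSPHRASE_FILE
# Decrypts IN_FILE and unpacks the .ssh directory under DEST_PARENT.
restore_ssh_dir() (
    in=$1; dest=$2; pf=$3
    umask 077
    plain=$(mktemp) || exit 1
    if gpg --batch --yes --quiet --pinentry-mode loopback \
           --passphrase-file "$pf" -o "$plain" --decrypt "$in"; then
        mkdir -p "$dest" && tar -xzf "$plain" -C "$dest"
        rc=$?
    else
        rc=1
    fi
    rm -f "$plain"
    exit $rc
)
```

Usage: backup_ssh_dir ~/.ssh ssh-stuff.tar.gz.gpg ~/.ssh-backup-pass, then restore_ssh_dir ssh-stuff.tar.gz.gpg "$HOME" ~/.ssh-backup-pass on the new machine. Keep the passphrase file out of the backup itself, and check the restored ~/.ssh still has mode 700 before logging in with it.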