Categories: BasicsFeaturedSecurityTips

ssh Without Password in Few Simple Steps

How to configure passwordless ssh &sftp access in Unix & Linux systems? Follow these simple steps with examples with a basic troubleshooting section at the end. sftp uses underlaying ssh access for authentication and after you establish passwordless ssh access you will have passwordless sftp access as well.

This a real life example of configuring passwordless access for two users . The user ‘web’ in this case needs a secure password less access to another user james in a server ‘devserver’

How to do ssh without password & sftp without password

Follow the Steps to configure secure passwordless access 

To begin, Lets check the current ssh & sftp connectivity status for james@devserver from localhost

[web@localhost ~]$ ssh james@devserver
james@devserver’s password: 
[web@localhost ~]$ sftp james@devserver
james@devserver’s password: 

As expected it prompted for password

1. Generate the public key private key pair 

Generate the public key private key pair for the local host as following, Press enter for default file names and no
pass phrase options. The command here generates RSA type keys.
You can run the command ssh-keygen from any directory but the id files will be generated in .ssh dir of user’s home directory.

[web@localhost ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/web/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/web/.ssh/id_rsa.
Your public key has been saved in /home/web/.ssh/id_rsa.pub.
The key fingerprint is:
5e:30:d3:1a:00:c5:0b:29:96:ac:3e:42:20:dc:af:38 web@localhost.localdomain

2. Change directory to .ssh directory of user .

You will see two files starting with id_rsa. id_rsa is the private key and id_rsa.pub is public key. Check the date time stamp of these files to make sure these are the ones you generated recently.

[web@localhost ~]$ cd /home/web/.ssh

.ssh[web@localhost .ssh]$ ls -la
total 32
drwx—— 2 web web 4096 Dec 7 22:05 .
drwx—— 34 web web 12288 Dec 7 22:04 ..
-rw——- 1 web web 1675 Dec 7 22:05 id_rsa
-rw-r–r– 1 web web 407 Dec 7 22:05 id_rsa.pub
-rw-r–r– 1 web web 391 Dec 7 22:03 known_hosts

Check the date to be sure of current generated files.

3. Copy the rsa public key to the remote host

Copy the public key file from above example to .ssh of the user home directory and if .ssh directory is not there , create it as in the example below. You need to enter sftp/ssh  password as passwordless access is not setup yet..

/.ssh[web@localhost .ssh]$ sftp james@devserver
Connecting to devserver…
james@devserver’s password:
sftp> pwd
Remote working directory: /home/james
sftp> cd .ssh
Couldn’t canonicalise: No such file or directory
sftp> mkdir .ssh
sftp> cd .ssh
sftp> put id_rsa.pub
Uploading id_rsa.pub to /home/james/.ssh/id_rsa.pub
id_rsa.pub 0% 0 0.0KB/s –:– ETAid_rsa.pub 100% 407 0.4KB/s 00:00

4. login to the remote host  with password

Once file is copied over , login to the remote host using ssh and password and go to .ssh directory under user home directory.

/.ssh[web@localhost .ssh]$ ssh james@devserver
james@devserver’s password:

james@devserver:~[james@devserver ~]$ cd .ssh
james@devserver:~/.ssh[james@devserver .ssh]$ pwd

james@devserver:~/.ssh[james@devserver .ssh]$ ls -l
total 4
-rw-r–r– 1 james james 407 Dec 7 22:06 id_rsa.pub

5. Rename the public key file, id_rsa.pub, to authorized_keys ;

Rename or append to file corresponding to the ssh protocol version in your system , User ssh -V to find out the ssh version

SSH protocols 1.3 and 1.5 uses file name as authorized_keys
SSH protocol 2.0 uses file name as authorized_keys2

if the authorized_keys file already exists then append the new keys to the existing file using,

cat id_rsa.pub >> authorized_keys .
Don’t use vi or editor to open , append and save these key files as any extra character/newline would corrupt these files.

james@devserver:~/.ssh[james@devserver .ssh]$ mv id_rsa.pub authorized_keys

You can see the contents using cat command
james@devserver:~/.ssh[james@devserver .ssh]$ cat authorized_keys
V00ZW9Fvgz865g+fakBITqYP76ptPIVXEps+91ABRSwggQ== web@localhost.localdomain

6. Change the key file and directory permissions 

ssh is very sensitive to permissions so you have to change the key file and directory permissions exactly as required for it to work.

6a. Change authorized_keys to 600 permissions

james@devserver:~/.ssh[james@devserver .ssh]$ chmod 600 authorized_keys
james@devserver:~/.ssh[james@devserver .ssh]$ ls -ltr
total 8
-rw-r–r– 1 james james 407 Dec 7 22:06 id_rsa.pub
-rw——- 1 james james 407 Dec 7 22:08 authorized_keys

james@devserver:~/.ssh[james@devserver .ssh]$ cd ..

6b. Change .ssh directory to 700 permission

james@devserver:~[james@devserver ~]$ chmod 700 .ssh

6c. Verify permissions and log out . 

james@devserver:~[james@devserver ~]$ logout
Connection to localhost closed.

7.  Moment of truth : Try a ssh or sftp

/.ssh[web@localhost .ssh]$ ssh james@devserver
Last login: Tue Dec 7 22:07:04 2010 from localhost.localdomain
james@devserver:~[james@devserver ~]$ pwd
/.ssh[web@localhost .ssh]$ sftp james@devserver

8. Troubleshooting ssh/sftp access  

If you are still getting password prompt, The most common problems can be

  1. Incorrect permission for .ssh directory and authorized_keys / authorized_keys2 file
  2. Corrupt key file, regenerate and copy again.
  3. Space,character or line inserted or truncated during appending to existing file. Don’t copy keys manually but do a cat new_keys >> authorized_keys ; For new files copy the file and rename , don’t manually copy paste contents.
Hemant Sharma :

View Comments (19)