How To Create And Use SSH Keys To Login Without A Password

How To Create And Use SSH Keys To Login Without A Password
This post contains affiliate links, which means I earn money from purchases. This never affects the price that you pay but helps with costs to keep the site up and running.

How To Use SSH Keys for SSH Login Without A Password

As a Linux SysAdmin, I am logging in and out of servers all day long. This can be annoying if you need to enter your password each time. This article aims to show you how to do away with entering your password every time you SSH from your Raspberry Pi to another host/server.

This tutorial will work on a Raspberry Pi, any other flavor of Linux or MacOS. I used 2 of these Raspberry Pi 4 Model B in the examples.

SSH keys are used for password-less authentication from user to user when using the SSH protocol.

SSH keys consists of a public/private key pair.

You can think of a public/private key pair like this…

public key is a lock

private key is the key to that lock

Your lock can be deployed to as many gates as you want. It doesn’t really matter if people see it because they don’t have the key. All of your locks work with the same key. The key will get you into every gate that uses that lock.

The bad analogy above converted back to into nerd talk would sound like this…

Your public key can be deployed to as many hosts/servers as you want. It doesn’t really matter if people see it because they don’t have the private key. All of your public keys work with the same private key. The private key will get you into every host/server that uses that public key.

The important thing here is that the private key is your own and should not be shared. Anyone with the private key can now access users that have deployed the public key. Be careful.


Generating Your SSH Key

Make sure you are logged in as the user that you plan to use when SSHing to other hosts.

We are now going to use the ssh-keygen command as the pi user to generate our key.

Take a look at the code block below and then I’ll explain what it means.

pi@local_pi:~ $ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/pi/.ssh/id_rsa):
Created directory '/home/pi/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/pi/.ssh/id_rsa.
Your public key has been saved in /home/pi/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:8Hkgh19o0epfjwSdFYXKt9ZtZYXsOiO3B7pRqboSfv4 pi@local_pi
The key's randomart image is:
+---[RSA 2048]----+
|        ..   ..=.|
|       . o.   = .|
|      + =..o =  .|
|       B.+. =.o o|
|       .S ..oo +o|
|      . ...oO o +|
|     . . .o* O . |
|      o ..o.o o  |
|       ++oE. .   |
+----[SHA256]-----+
pi@local_pi:~ $

Now we will break the output apart so you understand…

Generating public/private rsa key pair.

After running the command, you are told that it is generating a new key pair

Enter file in which to save the key (/home/pi/.ssh/id_rsa):

You can choose where to save the key now but ssh-keygen is suggesting the default location of /home/pi/.ssh/id_rsa. Press enter to accept the default location.

Created directory '/home/pi/.ssh'.

This is a new install so we didn’t have a .ssh directory yet. ssh-keygen created it for us.

Enter passphrase (empty for no passphrase):
Enter same passphrase again:

We don’t want to enter a passphrase so we will press enter without typing anything for both of the passphrase prompts.

Your identification has been saved in /home/pi/.ssh/id_rsa.
Your public key has been saved in /home/pi/.ssh/id_rsa.pub.

Informing you where you can find the private and public key you just created.

The key fingerprint is:
SHA256:8Hkgh19o0epfjwSdFYXKt9ZtZYXsOiO3B7pRqboSfv4 pi@local_pi
The key's randomart image is:
+---[RSA 2048]----+
|        ..   ..=.|
|       . o.   = .|
|      + =..o =  .|
|       B.+. =.o o|
|       .S ..oo +o|
|      . ...oO o +|
|     . . .o* O . |
|      o ..o.o o  |
|       ++oE. .   |
+----[SHA256]-----+

This is basically showing you how to uniquely identify your SSH key. It’s mostly safe to just ignore this.



How To Deploy An SSH Key

Now that you’ve created your SSH key, we should deploy it somewhere so you can see how it works.

For this I will be using 2 different hosts. local_pi and remote_pi.

local_pi is the host where I created the SSH key.

remote_pi is the host I am deploying the public key.

On local_pi

Run cat ~/.ssh/id_rsa.pub to copy the public key from your user’s home directory.

pi@local_pi:~ $ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0H7fzziuEKRdkBhCfiTvxGIUb8ROB5N1j1FGo/hCU8qx/qPthMIJxYK909HRLC/jgRlmkdsUCqnZYq3HXBgN7VIbw7bJJ8/i2qaUPIywzAXTGO1J2t9pVDzUQCG6Femau3+0aKnAJeKXXK5iIF88FU7VMsiw9wCIx7GlE25SI6MkTzpWJiYDDuYF0+M2tkCUD2OyjhgoET+xvECDnToIehTZAFYufQqevf8fdSnREG5X+NMbPKcRjvoLQO1KwpkcHaK6zQhQtJuAOINbjSmZ+ewDnvb7FPlKx0N/TjyqyD31Mliwyo36aGrXeY2wyMIfPXGWkkZ14r2DrnzeXsHCL pi@local_pi

On remote_pi

Now we need to deploy the public key from local_pi to the remote_pi. I’ll show you how it’s done and then explain.

pi@remote_pi:~ $ mkdir ~/.ssh
pi@remote_pi:~ $ touch ~/.ssh/authorized_keys
pi@remote_pi:~ $ echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0H7fzziuEKRdkBhCfiTvxGIUb8ROB5N1j1FGo/hCU8qx/qPthMIJxYK909HRLC/jgRlmkdsUCqnZYq3HXBgN7VIbw7bJJ8/i2qaUPIywzAXTGO1J2t9pVDzUQCG6Femau3+0aKnAJeKXXK5iIF88FU7VMsiw9wCIx7GlE25SI6MkTzpWJiYDDuYF0+M2tkCUD2OyjhgoET+xvECDnToIehTZAFYufQqevf8fdSnREG5X+NMbPKcRjvoLQO1KwpkcHaK6zQhQtJuAOINbjSmZ+ewDnvb7FPlKx0N/TjyqyD31Mliwyo36aGrXeY2wyMIfPXGWkkZ14r2DrnzeXsHCL pi@local_pi' >> ~/.ssh/authorized_keys
pi@remote_pi:~ $

Explanation of what I just did…

mkdir ~/.ssh

This command created the .ssh/ directory in our user’s home directory.

touch ~/.ssh/authorized_keys

I used the touch command to create a new file named authorized_keys in our .ssh/ directory.

echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0H7fzziuEKRdkBhCfiTvxGIUb8ROB5N1j1FGo/hCU8qx/qPthMIJxYK909HRLC/jgRlmkdsUCqnZYq3HXBgN7VIbw7bJJ8/i2qaUPIywzAXTGO1J2t9pVDzUQCG6Femau3+0aKnAJeKXXK5iIF88FU7VMsiw9wCIx7GlE25SI6MkTzpWJiYDDuYF0+M2tkCUD2OyjhgoET+xvECDnToIehTZAFYufQqevf8fdSnREG5X+NMbPKcRjvoLQO1KwpkcHaK6zQhQtJuAOINbjSmZ+ewDnvb7FPlKx0N/TjyqyD31Mliwyo36aGrXeY2wyMIfPXGWkkZ14r2DrnzeXsHCL pi@local_pi' >> ~/.ssh/authorized_keys

I used the echo command to output the public key that we copied from local_pi. The >> will append the output of the echo command to the ~/.ssh/authorized_keys file.

On local_pi

Now that our public key has been deployed to remote_pi we should be able to SSH to it from local_pi without typing a password.

pi@local_pi:~ $ ssh pi@192.168.1.157
Linux raspberrypi 4.19.75-v7l+ #1270 SMP Tue Sep 24 18:51:41 BST 2019 armv7l
####################################
#                                  #
#            Go Away!              #
#                                  #
####################################
pi@remote_pi:~ $

Deploying An SSH Key The Fast Way

I wanted you to learn what was happening under the hood first. So I withheld a secret from you about deploying the key.

There is another command called ssh-copy-id. It basically does all the deploy steps automatically. You still need to generate the SSH key.

ssh-copy-id <user>@<ip address>

Be sure to replace <user> with the remote username and <ip address> with the IP address of the remote host.

Check it out in action below.

pi@local_pi:~ $ ssh-copy-id pi@192.168.1.157
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/pi/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
pi@192.168.1.157's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'pi@192.168.1.157'"
and check to make sure that only the key(s) you wanted were added.

pi@local_pi:~ $

All we had to do was type the password for the remote user on the remote host.

Pretty easy.


Conclusion

SSH keys are more convenient and safer than using passwords.

Keep your private key safe. You can (should) also change it once in a while in case it has been compromised.

Use caution when rotating an SSH key!

If you don’t have a user password or don’t allow password authentication via SSH, it’s very easy to lock yourself out.

To rotate a key, you would generate a new one using ssh-keygen and also remove the public key from all users that have it the authorized_keys file.

Verify the new keys are working before removing the old keys!

That’s about it! Shoot me a message on Twitter if you have any questions.

Be sure to subscribe at the bottom of the page to be notified when new posts become available.