How to Enable Passwordless SSH Logins on Linux

Ssh Passwordless Linux 00 Featured Image

It’s an excellent idea to sign in to your SSH server without a password. Seriously, get rid of it. There’s no need to use a password on one of the most attacked services on Linux servers, right? Securing an SSH server using standard password-based authentication is a bad idea. Attackers can easily brute force passwords, and when they’re the only thing standing between a bad actor and your server, you should definitely be nervous.

That’s why RSA key-based authentication is much better. You can configure and secure your Linux server to only allow access from computers that hold the RSA keys that have already been accepted. Anyone else will be rejected immediately. As an added benefit, you can create those keys with or without a password, which is entirely up to you. A strong key without a password is fine in most cases, though.

If you use Linux devices at home, too, you have the added benefit of convenience. Say you want to set up SSH X-forwarding from your Linux workstation to your laptop. Do you really want to enter your password every time you run a remote program? Set up SSH keys, and you won’t need to.

Install the Packages

There are a couple of packages that you need. You probably already have some of them, but it’s a good idea to check. The packages are the same on both the server and client. However, there’s also a good chance that both machines are servers and clients to each other (home situation), so you may want to make sure that you have installed these packages.

The OpenSSH metapackage is not installed by default on either Debian or Ubuntu systems. If you don’t already have it installed, you can do so by running the following command:

sudo apt install ssh
Ssh Passwordless Linux 02 Installing Openssh

Generate Your SSH Key in Linux

It’s really easy to generate your SSH key in Linux. Just tell OpenSSH that you need to generate the key. It’s also a good idea to specify the amount of bits with the -b flag and the type with -t. A 4096 bit key is best, as it provides stronger encryption.

ssh-keygen -t ed25519

First, the utility will ask where you want to store the key. Just hit Enter for the default directory. When it asks for a password, leave it blank for a passwordless key and passwordless authentication. If you do want to use a password for your key, enter it here.

Your computer will take a couple of seconds to generate your key. When it’s over, it will print out an ASCII art representation of your key on the terminal.

Sending Your Key to the Remote Linux Host

To use your key, you’ll need to send it to your remote server. OpenSSH has another built-in utility for that, too. Tell it where your key is and which user on the server to associate it with.

ssh-copy-id -i ~/.ssh/id_ed25519.pub username@ip_remote_host

Replace ip_remote_host with the actual IP address of the remote host, which you will manage via SSH. Replace username with the actual username on the remote host.

Ssh Passwordless Linux 04 Ssh Copy Id

It’s crucial that you use the -i option to specify the identity file that contains your public key. If you try to use your SSH key without this option, you may get an error.

Ssh Passwordless Linux 05 Successful Copy

Testing Your SSH Connection in Linux

With your SSH key in the remote server, you can now test whether your connection properly works.

Log in with the following command:

ssh username@ip_remote_host

The remote host will log you in without asking for the user account password.

Ssh Passwordless Linux 06 Passwordless Login

However, if you made a mistake during the process, the SSH daemon will automatically fall back to password authentication for your user account. This allows you to still access your remote server even if you have a non-functioning RSA key.

Ssh Passwordless Linux 07 Failed Login

Configuring SSH to Block Passwords

For the best security, you need to disable SSH password logins on your Linux server. Similar to enabling two-factor authentication in SSH, this prevents anyone from brute-forcing their way into your server.

Ssh Passwordless Linux 08 Two Factor Sample

It is important to make sure that you can reliably log in with your SSH key before doing this, as it is possible to lock yourself out of your remote server if you have a malfunctioning key.

You can find the configuration file for your SSH daemon in “/etc/ssh/sshd_config.” Open the file on the server using sudo and your preferred text editor. For example, open this file using nano by running the following command:

sudo nano /etc/ssh/sshd_config

Find the lines below by pressing Ctrl + W and edit them to look like the example. Uncomment both entries and change the values to no.

PasswordAuthentication no
PermitEmptyPasswords no
Ssh Passwordless Linux 09 Find Option Nano

PasswordAuthentication specifies whether to use password authentication. We set this to “no” because we want to use SSH keys only.

PermitEmptyPasswords specifies whether the server allows login with an empty password. You should never allow this, so we set it to “no.”

Ssh Passwordless Linux 10 Update Sshd Settings

Next, find the “UsePAM” line and change it to “no.” This will prevent the daemon from using any authentication methods (password, Kerberos, etc.) other than SSH keys.

UsePAM no
Ssh Passwordless Linux 11 Disable Pam Support

Save the file by pressing Ctrl + O, then Ctrl + X and reload the SSH server.

sudo systemctl restart ssh

Now that you have successfully configured your server to use only SSH keys for authentication, anyone trying to log in without a valid RSA key will be immediately denied.

Ssh Passwordless Linux 12 No Key Login

Frequently Asked Questions

I am getting a "Connection refused" when I send my SSH key to my Linux server. How do I fix this?

Make sure that the SSH server is running on the remote host. You can check this by running sudo systemctl status ssh. If the service is not running, you can start it with this command: sudo systemctl start ssh.

If a firewall is running on the server, make sure that port 22 is open. You can do this by running sudo ufw status. If SSH isn’t listed, you can enable it by running this command: sudo ufw allow ssh.

I get a "Permission denied (publickey)" error when I try to log in. What should I do?

This error means that you have configured your server to use keys for authentication, but you’re still trying to log in with a password. This can either be due to a missing RSA key or an incorrect SSH setting. Check that you’ve copied your public key to the server correctly and that you’re specifying the correct public key when you connect.

I get a "Host key verification failed" error when I try to connect. How do I fix this?

This error means that the SSH server’s host key has changed. It can happen if the server has been reinstalled. You can regenerate a new public key and copy it over to the remote host. Repeat the steps in this article to regenerate and add the new key to the server.

Is it possible to use multiple SSH keys on the same remote Linux server?

Yes. You can use the -f option in OpenSSH to specify the exact key you want to use to connect to a remote server. For example, running ssh -f ~/.ssh/id_rsa_2 username@remote_ip_address will connect you to your remote server using the “id_rsa_2” key instead of the default “id_rsa.”

However, it is important to note that this command will only work if your remote server already recognizes your new key. You need to first copy it to your remote server using ssh-copy-id. Similar to the steps above, you can do this either through password or RSA key authentication.

I am getting a "Permission Denied" error whenever I try to copy my SSH key to my server.

This issue is most likely due to a permissions problem in your remote server. In most cases, the ssh-copy-id utility should properly resolve any access issues as soon as it connects to your remote server. However, there are instances where this feature breaks and fails to properly copy your local machine’s “id_rsa.”

To fix this, log in to your remote server and run chmod 700 /home/$USER/.ssh/* && chmod 600 /home/$USER/.ssh. This will set the correct permission bits for both the “.ssh” folder and its contents.

Image credit: Unsplash. All alterations and screenshots by Ramces Red.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox

Ramces Red
Ramces Red - Staff Writer

Ramces is a technology writer that lived with computers all his life. A prolific reader and a student of Anthropology, he is an eccentric character that writes articles about Linux and anything *nix.