Passwordless login: SSH keys
Passwords aren’t very safe. Instead of remembering multiple passwords for multiple servers (nowadays made easier with password managers), it is common practice to use so-called SSH keys to log in to a remote server. This tutorial will show you how to set up an SSH key pair so you can log in to any of our servers without the need for a pesky password!
A well-established method of authentication is via passwords. This, however, has been shown to be quite vulnerable, time and time again. An alternative for logging in to servers via SSH, and one that offers lots of flexibility, is to use SSH keys.
SSH keys always exist in pairs: there is a private key and a public key. You will keep the private key while placing your public key in any servers you want to access. Just like you shouldn’t use one password for everything, you should use multiple private keys if you have access to a reasonable quantity of servers.
When logging in to a server, the SSH client on your computer requests the public key for the account you’re trying to log in to and checks to see if your private key is compatible with that one. This works because Math.
Generating a key pair
Open your terminal of choice
Paste in the following command with an email of your choice:
ssh-keygen -t ed25519 -C "email@example.com"
This creates an SSH key pair, using your email as a label. You should see the following output:
Generating public/private ed25519 key pair.
When you’re prompted to “Enter a file in which to save the key,” press Enter. This accepts the default file location, which is in the .ssh directory in your home directory.
Optionally enter a passphrase when prompted.
Adding your keys to ssh-agent
You can use ssh-agent to securely save your passphrase so you don’t have to reenter it. You can find further guidance on this here.
Adding your key to the server
You now need to add your public key to one of our servers. Since all of our user-facing servers share file systems, you only need to do this once.
A handy utility exists for this:
ssh-copy-id -i ~/.ssh/mykey firstname.lastname@example.org
More useful information on that here.
If that doesn’t work, you can always upload your public key to the server as you would a normal file. Your public keys should go in the ~/.ssh/authorized_keys file, separated by line breaks (press “enter”).
Make sure you upload your public key, not your private key. To check, you can always open the file in question and if it contains something like the following then you know it’s the private key.
-----BEGIN PRIVATE KEY-----
BASE64 ENCODED DATA
-----END PRIVATE KEY-----
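The manual fallback above can be scripted so that a private key is never appended to authorized_keys by mistake. This is an added example, not part of the original tutorial: the function names key_kind, install_pubkey and demo are hypothetical, and the key material in demo is constructed.

```sh
#!/bin/sh
# Added example (not from the original tutorial); function names are hypothetical.

# key_kind FILE: print "private", "public" or "unknown", judged by the first line.
key_kind() {
    first_line=$(head -n 1 "$1" 2>/dev/null) || first_line=
    case "$first_line" in
        "-----BEGIN "*"PRIVATE KEY-----"*) echo private ;;
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-*@openssh.com\ *) echo public ;;
        *) echo unknown ;;
    esac
}

# install_pubkey PUBKEY_FILE [AUTHORIZED_KEYS]: append the key once, refuse anything else.
# Modes 700/600 are set because sshd (StrictModes) ignores keys in group/world-writable paths.
install_pubkey() {
    keyfile=$1
    auth=${2:-$HOME/.ssh/authorized_keys}
    kind=$(key_kind "$keyfile")
    if [ "$kind" != public ]; then
        echo "refusing: $keyfile looks like a $kind key file, not a public key" >&2
        return 1
    fi
    sshdir=$(dirname "$auth")
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"
    key=$(head -n 1 "$keyfile")
    # -x whole line, -F fixed string: do nothing if this exact key is already listed
    if ! grep -qxF -- "$key" "$auth"; then
        # keys are separated by line breaks, so end the last line before appending
        if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then echo >> "$auth"; fi
        printf '%s\n' "$key" >> "$auth"
    fi
}

# demo: run the checks on constructed keys in a temp dir (never touches your real ~/.ssh).
demo() {
    d=$(mktemp -d)
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyNotReal email@example.com' > "$d/mykey.pub"
    echo '-----BEGIN OPENSSH PRIVATE KEY-----' > "$d/mykey"
    install_pubkey "$d/mykey.pub" "$d/.ssh/authorized_keys"    # appended
    install_pubkey "$d/mykey.pub" "$d/.ssh/authorized_keys"    # already present, no duplicate
    install_pubkey "$d/mykey" "$d/.ssh/authorized_keys" || echo "private key rejected"
    echo "keys installed: $(wc -l < "$d/.ssh/authorized_keys" | tr -d ' ')"
    rm -rf "$d"
}
```

On the server, after uploading the .pub file, source the script and run install_pubkey with the path to that file; call demo first to see the behaviour on throwaway data.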
With your SSH keys in place, you should now be able to ssh email@example.com without being prompted for your password!
You can even make this process simpler by setting up an SSH configuration file so that, for example, you can type ssh srcf-webserver and log in to the web server!
Last modified on Monday Feb 28, 2022 by Richard Allitt