Secure Shell (SSH) Connections Without Passwords
When we’re connecting to remote servers it’s important to make sure our connection is secure but it can be annoying to have to type in our passwords over and over again. Thankfully we have a whole suite of tools that will help us access a remote terminal and move files securely.
In this article, we’ll discuss how to connect to our Unix-based servers using a Secure Shell connection without passwords.
What is the Secure Shell?
The Secure Shell, or SSH for short, is a network protocol that gives us a way to securely access a computer over an unsecured network. It uses a series of encryption protocols to make sure our traffic can’t be intercepted by a third party and viewed.
In the days before SSH was widely used we would have to use a protocol like Telnet or FTP which transmitted all our data without encryption. There’s absolutely no way we should be using them anymore and most systems won’t even allow us to install them.
For more information on encryption check out our article “What is Encryption and Decryption”.
SSH can also refer to a suite of command-line utilities that implement the SSH protocol to provide secure communications for various tasks. For example, the ssh command is used to provide a secure terminal and the scp command is used to securely copy a file from one computer to another.
SSH allows us to authenticate ourselves using a password or using a public/private key exchange. The password authentication will allow us to connect but we need to remember our unique password for each server (because we’re not reusing them right). The public/private key exchange option allows us to set a single password to lock our private key and then authenticate on systems that have our public key.
If the computer we’re using to connect to the remote computer is a Unix-based system like Linux or macOS there’s a really good chance that the SSH commands have already been installed by our system administrator. The newer version of Windows has them built-in as well but we can also use third-party tools like PuTTY or WinSCP. This article doesn’t go into how to use these tools as we have limited access to Windows computers.
Connecting to a Remote Host
Let’s go through a couple of examples of how to use the SSH commands.
For our first example let’s use the SSH command to connect from one Linux computer to another Linux computer. The basic syntax for this is ssh username@hostname in this example we’re going to use ssh scott@hostname.com. When we enter this into our terminal and hit enter we’ll receive a message like the following.
ssh scott@hostname.com
The authenticity of host ‘hostname.com (x.x.x.x)’ can’t be established. ECDSA key fingerprint is SHA256:+Ma7hkPyRvcVMp3PYQ7tcc+QcSdjA7xslbp22dkgdxU. Are you sure you want to continue connecting (yes/no/[fingerprint])?
This is letting us know that the public key that was presented to us from the remote computer isn’t known to our computer attempting to make the connection. This is generally okay because we’ve never connected to this remote computer before. If we’re concerned we can use the fingerprint to verify it’s correct but we’ll have to contact the administrator of the server. To continue we’ll need to enter “yes”.
After we do this we’ll receive a message that the fingerprint was added to the list of known hosts.
Warning: Permanently added ‘hostname.com’ (ECDSA) to the list of known hosts.
This adds an entry to the “known_hosts” file inside our “.ssh” directory in our home directory. This way the next time we connect to this computer it will know that we can “trust” this computer. If the key changes, we’ll receive a message informing us of the change. Key changes generally happen if the remote computer is upgraded or replaced but it can also be an indication that a man-in-the-middle attack is happening.
Then we just need to enter our password for the remote system and we’ll have access.
Now let’s copy a file to the remote system. This is done using the scp command and will look like the following scp source username@hostname:/path/to/file. As an example, if we needed to copy a file named passwords to our remote system’s home directory we type the following scp passwords scott@hostname.com:/home/scott/passwords, and then we’ll see the password prompt. After we’ve entered our password we’ll get a progress indicator telling us the progress of the file and we’re done.
Now Without Passwords
All of those password prompts were a little annoying and because we’re using complex passwords for our accounts it’s error-prone. To make our lives a little bit easier we’re going to set up our connection so we use public-key cryptography to authenticate ourselves.
The first step is to run ssh-keygen on our local computer. This will create a public key pair for us to use. It’s best to accept the defaults because everything will be looking for the files we need in the default locations. When prompted for a password we can just hit enter for no password or enter a password. We’ll be prompted for this password any time we attempt to use our private key so we recommend only setting a password if the private key will be stored on a shared computer and an extra layer of security is needed.
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/scott/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/scott/.ssh/id_rsa
Your public key has been saved in /home/scott/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:CfJ6CYadspkhQjRLx24x8l0qmZ0V4JIJ9xybkggn9kQ scott@ubuntu2004.localdomain
The key's randomart image is:
+---[RSA 3072]----+
|o*+E o... |
|=+X+B +o |
| ++BO** |
|. XoO . . |
|o = * . S |
|.. B o . |
| + . o |
| . |
| |
+----[SHA256]-----+
This process created two files.
The first is the private key which is stored in ~/.ssh/id_rsa. As it’s a private key, we need to do our best to make sure it stays private.
The second is the public key stored in ~/.ssh/id_rsa.pub. We can be a lot less concerned about this file but it’s still important to make sure we have a backup.
To get our public key onto the server we need to run ssh-copy-id with the username and host we want to copy the data to.
ssh-copy-id scott@hostname.com
When we do this we’ll get output similar to what’s onscreen/below. This output is telling us our public key was installed onto the remote server after we were prompted for our password.
$ ssh-copy-id scott@hostname.com
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/scott/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
scott@hostname.com's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'scott@hostname.com'"
and check to make sure that only the key(s) you wanted were added.
Now, whenever we log in to the server using ssh we won’t be prompted for the password. It will be the same for scp and any other command that uses the SSH protocol.
$ ssh scott@hostname.com
Last login: Wed Jan 12 01:33:59 2022 from x.x.x.x
Without ssh-copy-id
Most modern systems have the ssh-copy-id command installed but if we run into a situation where it’s not installed we can perform the same steps manually that it automates. To do this we just need to copy the contents of ~/.ssh/id_rsa.pub on our local computer and append it to the “~/.ssh/authorized_keys” file on the remote computer.
We could do this all manually or we could create a single line command to do it for us (which is what we’ll do).
cat ~/.ssh/id_rsa.pub | ssh scott@hostname.com "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Troubleshooting
It’s possible, if unlikely that a system administrator may have disabled public key cryptography so if it doesn’t work after we try this we can check the methods the SSH server supports by running the ssh command with the -v argument. This will give a dump of information about the connection but the line we’re looking for contains “Authentications that can continue”.
debug1: Authentications that can continue: publickey,password
If “publickey” is in that line then it’s supported.
What You Need To Know
- SSH protocol allows us to make secure connections
- The SSH command allows us to use a remote terminal
- SCP copies a file
- We can use public-key cryptography to make our lives a little easier.
Scott Keck-Warren
Scott is the Director of Technology at WeCare Connect where he strives to provide solutions for his customers needs. He's the father of two and can be found most weekends working on projects around the house with his loving partner.
Top Posts
- Working With Soft Deletes in Laravel (By Example)
- Fixing CMake was unable to find a build program corresponding to "Unix Makefiles"
- Upgrading to Laravel 8.x
- Get The Count of the Number of Users in an AD Group
- Multiple Vagrant VMs in One Vagrantfile
- Fixing the "this is larger than GitHub's recommended maximum file size of 50.00 MB" error
- Changing the Directory Vagrant Stores the VMs In
- Accepting Android SDK Licenses From The OSX Command Line
- Fixing the 'Target class [config] does not exist' Error
- Using Rectangle to Manage MacOS Windows