How to configure your SSH client for passwordless secure connection

This is a small guide to configuring the SSH client for public key authentication.

After following this guide you will be able to securely connect to your server without having to enter a password.

Steps

  1. Create an SSH key

  2. Copy the SSH public key to the server

  3. Configure the client

  4. Connect!

  5. Setting up SSH Agent

Create an SSH key

Public key authentication uses cryptographic key pairs to create a secure exchange of credentials between the client and the server. First, we need to create a key pair using the ssh-keygen command. You will be asked to enter a passphrase: a passphrase is like a password, but it’s supposed to be longer and more secure. A good way to create a passphrase is illustrated by an XKCD comic, from which this passphrase generator was made.

For example (do not reuse this!) we can use: SEAT-MIRROR-merely-MOVE


ssh-keygen -t ed25519

It will create two files:

  • ~/.ssh/id_ed25519 (the private key)

  • ~/.ssh/id_ed25519.pub (the public key)

Copy the SSH public key to the server

The command ssh-copy-id is used to copy the public key to the server. It appends your public key to the file ~/.ssh/authorized_keys on the server, creating it if needed. The command ensures the path is created with the right permissions and the file contains the public key.

The command takes the form ssh-copy-id -i source_file destination_address, where the destination is the user and address of your server. You can pass either the .pub file or the private key path: when the name does not end in .pub, ssh-copy-id adds it itself and still sends only the public half.


ssh-copy-id -i ~/.ssh/id_ed25519 user@192.168.0.XXX

You will be asked for the user’s password. Next time you log in, you can use the key.

Configure the client

Now, in order to avoid having to pass options on the command line, we can use a configuration file that will contain all the options we want, so that we end up typing just ssh myold.computer to connect to the server. For this you need to create a specific configuration file on the client (the computer you are using to connect to the server).

The configuration file is located at ~/.ssh/config

Let’s edit this file and put:


Host myold.computer
  HostName myold.computer
  User how
  IdentityFile ~/.ssh/id_ed25519
  Port 45535
  LogLevel INFO
  ProxyCommand none

Let’s break it down:

  1. The first line defines the host alias. If you name it foo, you can run ssh foo to activate these configuration options.

  2. The second line defines the actual DNS hostname or specific IP address by which the host is known on the internet (or on the local area network).

  3. The third line defines your username (mine is how, you should change this to your own login).

  4. The IdentityFile line defines the path where the private key is located. Here the tilde (~) means the path to your $HOME folder.

  5. The Port line defines the SSH port on the server, by default 22.

  6. LogLevel INFO will give just enough information to know whether the connection is working or not. You may want to try DEBUG to see exactly what is happening between the client and the server as they talk back and forth.

  7. ProxyCommand none tells SSH to ignore any configured proxy (a service that routes the connection through specific machines on your behalf) and connect directly from your IP address to the server’s IP address. In our case it’s fine, but if you want to hide your IP address from the server you might want to read the SSH manual (by running: man ssh_config) to learn more about this option. Usually you can ignore it.

Connect!

Here, ~/.ssh/config is ready, you can run ssh myold.computer and it will use this configuration.

The ssh command will ask you for a passphrase: this is not your regular user password, but the passphrase we generated in the first step, assigned to the SSH key itself.

Now, typing a passphrase instead of a password at each connection is not very practical. Fortunately we can use the SSH Agent to keep the passphrase for us and connect without having to type the passphrase each time.

Setting up SSH Agent

The ssh-agent command is a program that securely holds your decrypted keys for you, so that every SSH-based command (ssh itself, scp to copy files, sftp for multiple file transfers, and anything else that tunnels over the secure shell) can use them without asking for the passphrase again. We need one SSH Agent running on our behalf. Usually we start it with our windowing system (the desktop environment).


eval $(ssh-agent -s)

ssh-agent -s prints shell commands like the following, which eval runs so that the agent’s socket and PID are exported in your current shell:


SSH_AUTH_SOCK=/tmp/ssh-XXXXXXamIDfb/agent.2634; export SSH_AUTH_SOCK;

SSH_AGENT_PID=2635; export SSH_AGENT_PID;

echo Agent pid 2635;

Once the agent is started we can add keys to it using the ssh-add command:


ssh-add ~/.ssh/id_ed25519

Enter the key’s passphrase, and you’re done. Now you can type: ssh myold.computer and bam! here comes the remote shell.

Starting desktop session with ssh-agent

YMMV depending on your desktop. I start mine with exec startx, so I can use the ~/.xinitrc file to start my desktop configuration. Here is the last line of this file on my computer:

exec dbus-launch --sh-syntax --exit-with-session ssh-agent awesome

It tells X11 to start the awesome tiling window manager in the context of the ssh-agent, so that every program launched from the desktop can benefit from it. E.g., if you open a terminal and have keys in your agent, you can use them without typing the passphrase.
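An added check, not part of the original guide, that you can run against the files this guide creates: the OpenSSH client refuses a private key that other users can read, and a server with the default StrictModes ignores a ~/.ssh directory or authorized_keys file that others can write. The directories it walks here are constructed in a temporary location; point check_ssh_dir at your real ~/.ssh to audit it.

```shell
#!/bin/sh
# Added check, not part of the original guide: verify that the files this
# guide creates have the permissions OpenSSH insists on. The client refuses a
# private key readable by group/other ("UNPROTECTED PRIVATE KEY FILE"), and a
# server with the default StrictModes ignores ~/.ssh or authorized_keys when
# they are writable by group/other.

# mode_of FILE -> octal permission bits such as 600 (GNU stat first, BSD fallback)
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_dir DIR -> prints one line per problem, returns 1 if any was found
check_ssh_dir() {
  dir=$1; rc=0
  # owner rwx, and no write bit for group (2nd digit) or other (3rd digit)
  case $(mode_of "$dir") in
    7[0145][0145]) ;;
    *) echo "$dir: directory must not be group/other writable (use 700)"; rc=1 ;;
  esac
  for f in "$dir"/id_*; do
    [ -f "$f" ] || continue
    case $f in *.pub) continue ;; esac
    case $(mode_of "$f") in
      600|400) ;;
      *) echo "$f: private key must be 600 (ssh refuses keys that are 'too open')"; rc=1 ;;
    esac
  done
  for f in "$dir"/authorized_keys "$dir"/config; do
    [ -f "$f" ] || continue
    case $(mode_of "$f") in
      [46][0145][0145]) ;;
      *) echo "$f: must not be group/other writable (use 600)"; rc=1 ;;
    esac
  done
  return "$rc"
}

# make_demo_dir MODE -> constructed ~/.ssh look-alike whose private key has MODE
make_demo_dir() {
  d=$(mktemp -d); chmod 700 "$d"
  : > "$d/id_ed25519"; chmod "$1" "$d/id_ed25519"
  : > "$d/id_ed25519.pub"; chmod 644 "$d/id_ed25519.pub"
  : > "$d/config"; chmod 600 "$d/config"
  echo "$d"
}

# Demonstration on constructed directories (no real keys are touched)
if check_ssh_dir "$(make_demo_dir 600)"; then echo "600 key: ok"; fi
if ! check_ssh_dir "$(make_demo_dir 644)"; then echo "644 key: rejected as expected"; fi
```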
