Using ssh public/private key pair on a linux server.
On client using ssh-keygen to generate key pair.
$ ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): Enter passphrase (empty for no passphrase): # Enter password here Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. # private key Your public key has been saved in /root/.ssh/id_rsa.pub. # public key The key fingerprint is: SHA256:9jxV3HxvXM8GGXUUenYVO+Ckooy6r24WrKEVM1eH9G8 root@ThinkPad The key's randomart image is: +---[RSA 2048]----+ | ... o.=B| | o.. +.o=+| | . ... . o==*| | + . o ... .o+B| | .= . oS E . B| | ..o. . + . o | |..o.. + | |.. o. . | | ++o. | +----[SHA256]-----+
Now copy public key to server with ssh-copy-id command.
~$ ssh-copy-id -i .ssh/id_rsa.pub email@example.com /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub" /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys firstname.lastname@example.org's password: Permission denied, please try again. email@example.com's password: Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'firstname.lastname@example.org'" and check to make sure that only the key(s) you wanted were added.
On server, edit /etc/ssh/sshd_config, make sure the following configuration are turned on.
RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile %h/.ssh/authorized_keys
Now try to login to server with ssh, it still ask for “passphrase”
$ ssh 'email@example.com' Enter passphrase for key '/root/.ssh/id_rsa':
We can using ssh-agent to avoid this:
$ ssh-agent SSH_AUTH_SOCK=/tmp/ssh-QLSbu5wlnvN6/agent.6888; export SSH_AUTH_SOCK; SSH_AGENT_PID=6889; export SSH_AGENT_PID; echo Agent pid 6889;
We need manully export above environment variables, this can be avoid by ‘eval’ command
# stop privous ssh-agent $ ssh-agent -k # restart with eval $ eval `ssh-agent` Agent pid 6892
Now add private key to ssh-agent, Then can login to server without password.
$ ssh-add .ssh/id_rsa Enter passphrase for .ssh/id_rsa: Identity added: .ssh/id_rsa (.ssh/id_rsa) $ ssh firstname.lastname@example.org
At the end, remember exit ssh-agent.
$ ssh-agent -k unset SSH_AUTH_SOCK; unset SSH_AGENT_PID; echo Agent pid 6465 killed;