Perform SSH and SCP Without Entering Password on OpenSSH

In this article, I’ll explain how to perform ssh and scp without entering the password, using SSH public key authentication with the SSH agent on OpenSSH.

There are two levels of security in SSH key-based authentication. In order to log in, you need both the private key and the passphrase. Even if one of them is compromised, an attacker still cannot log in to your account, as both of them are needed to log in. This is far better than typical password-based authentication, where if the password is compromised, an attacker can gain access to the system.

There are two ways to perform ssh and scp without entering the password:

  1. No passphrase. While creating the key pair, leave the passphrase empty. Use this option for automated batch processing; e.g., if you are running a cron job to copy files between machines, this is a suitable option.
  2. Use a passphrase and the SSH agent. If you are using ssh and scp interactively from the command line and you don’t want to enter the password every time you perform ssh or scp, I don’t recommend the previous option (no passphrase), as you’ve eliminated one level of security in the SSH key-based authentication. Instead, use a passphrase while creating the key pair and use the SSH agent to perform ssh and scp without having to enter the password every time, as explained in the steps below.

The following 8 steps explain how to perform SSH and SCP from local-host to a remote-host without entering the password on an OpenSSH system.

1. Verify that local-host and remote-host are running OpenSSH

[local-host]$ ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006

[remote-host]$ ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006

2. Generate key-pair on the local-host using ssh-keygen

[local-host]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jsmith/.ssh/id_rsa):<Hit enter>
Enter passphrase (empty for no passphrase): <Enter your passphrase here>
Enter same passphrase again:<Enter your passphrase again>
Your identification has been saved in /home/jsmith/.ssh/id_rsa.
Your public key has been saved in /home/jsmith/.ssh/id_rsa.pub.
The key fingerprint is:
31:3a:5d:dc:bc:81:81:71:be:31:2b:11:b8:e8:39:a0 jsmith@local-host

The public key and private key are typically stored in the .ssh folder under your home directory. In this example, it is under /home/jsmith/.ssh. You should not share the private key with anybody.

By default, ssh-keygen on OpenSSH generates an RSA key pair. You can also generate a DSA key pair using the ssh-keygen -t dsa command.

3. Install public key on the remote-host.

Copy the content of the public key from the local-host and paste it to the /home/jsmith/.ssh/authorized_keys on the remote-host. If the /home/jsmith/.ssh/authorized_keys already has some other public key, you can append this to the end of it. If the .ssh directory under your home directory on remote-host doesn’t exist, please create it.

[remote-host]$ vi ~/.ssh/authorized_keys 
ssh-rsa ABIwAAAQEAzRPh9rWfjZ1+7Q369zsBEa7wS1RxzWR jsmith@local-host

In simple words, copy the local-host:/home/jsmith/.ssh/id_rsa.pub to remote-host:/home/jsmith/.ssh/authorized_keys

4. Give appropriate permission to the .ssh directory on the remote-host.

[remote-host]$ chmod 755 ~/.ssh
[remote-host]$ chmod 644 ~/.ssh/authorized_keys

5. Login from the local-host to remote-host using the SSH key authentication to verify whether it works properly.

[local-host]$ <You are on local-host here>

[local-host]$ ssh -l jsmith remote-host
Enter passphrase for key '/home/jsmith/.ssh/id_rsa': <Enter your passphrase here>
Last login: Sat Jun 07 2008 23:03:04 -0700 from 192.168.1.102
No mail.
[remote-host]$ <You are on remote-host here>

6. Start the SSH Agent on local-host to perform ssh and scp without having to enter the passphrase several times.

Verify whether the SSH agent is already running; if not, start it as shown below.

[local-host]$ ps -ef | grep ssh-agent
511 9789 9425 0 00:05 pts/1 00:00:00 grep ssh-agent

[local-host]$ ssh-agent $SHELL

[local-host]$ ps -ef | grep ssh-agent
511 9791 9790 0 00:05 ? 00:00:00 ssh-agent /bin/bash
511 9793 9790 0 00:05 pts/1 00:00:00 grep ssh-agent

7. Load the private key to the SSH agent on the local-host.

[local-host]$ ssh-add
Enter passphrase for /home/jsmith/.ssh/id_rsa: <Enter your passphrase here>
Identity added: /home/jsmith/.ssh/id_rsa (/home/jsmith/.ssh/id_rsa)

The following options are available in ssh-add:

  • ssh-add <key-file-name>: Load a specific key file.
  • ssh-add -l: List all the keys loaded in the SSH agent.
  • ssh-add -d <key-file-name>: Delete a specific key from the SSH agent.
  • ssh-add -D: Delete all keys.

8. Perform SSH or SCP to remote-host from local-host without entering the password.

[local-host]$ <You are on local-host here>

[local-host]$ ssh -l jsmith remote-host
Last login: Sat Jun 07 2008 23:03:04 -0700 from 192.168.1.102
No mail.
<ssh did not ask for passphrase this time>
[remote-host]$ <You are on remote-host here>
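
Steps 3 and 4 can be done in one idempotent call on remote-host once id_rsa.pub has been copied over. The script below is an added example, not the article's own code; its function names and the sample key are constructed for the illustration, and it uses the owner-only modes 700 and 600 rather than the 755 and 644 shown in step 4.

```shell
#!/bin/sh
# Added example, not the article's code. Function names are hypothetical.

# install_pubkey PUBKEY_FILE [SSH_DIR]: steps 3 and 4 in one idempotent call.
# The body runs in a subshell so the umask change does not leak out.
install_pubkey() (
    pub=$1; dir=${2:-$HOME/.ssh}; auth=$dir/authorized_keys

    # Exactly one "<type> <base64> [comment]" line. This also rejects the
    # private key file (multi-line PEM) if it is passed by mistake.
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; exit 2; }
    [ "$(grep -c '' "$pub")" -eq 1 ] &&
        grep -Eq '^(ssh|ecdsa|sk)-[a-z0-9@.-]+ [A-Za-z0-9+/]+=*( |$)' "$pub" ||
        { echo "$pub is not a single public key line" >&2; exit 2; }

    umask 077
    mkdir -p "$dir" && chmod 700 "$dir" || exit 1
    touch "$auth" && chmod 600 "$auth" || exit 1

    # Match on "<type> <base64>" so a changed comment is not a new key.
    if grep -qF -- "$(cut -d' ' -f1,2 "$pub")" "$auth"; then
        echo "already installed"
    else
        # Do not glue the key onto an existing last line with no newline.
        [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ] && echo >> "$auth"
        cat "$pub" >> "$auth" && echo "installed"
    fi
)

# perms_ok [SSH_DIR]: true only for rwx------ on the directory and
# rw------- on authorized_keys (no access for group or others).
perms_ok() {
    d=${1:-$HOME/.ssh}
    [ "$(ls -ld "$d" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -l "$d/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}

# Demo on a scratch directory; the key below is constructed, not a real key.
scratch=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed jsmith@local-host' \
    > "$scratch/id_rsa.pub"
install_pubkey "$scratch/id_rsa.pub" "$scratch/.ssh"
install_pubkey "$scratch/id_rsa.pub" "$scratch/.ssh"
perms_ok "$scratch/.ssh" && echo "permissions are owner-only"
rm -rf "$scratch"
```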


Comments on this entry are closed.

  • pH July 28, 2008, 3:21 pm

    The permissions of .ssh should not be 755 and 644 for authentication_keys
    It should be 700 and 600.

  • Jeremy August 6, 2008, 1:18 pm

    Step 4 refers to a file named “authorized_key” (“chmod 644 ~/.ssh/authorized_key”). It should be “authorized_keys” instead of “authorized_key”.

  • Ramesh August 6, 2008, 2:45 pm

    Jeremy,

    Thanks for pointing it out. I had it correct on step#3 and made a typo on step#4.

    I have corrected step#4 properly now.

  • shiva chandar December 23, 2008, 8:47 am

    Thank you so much for the information. I got it…!!!!!!!! 🙂

  • steve nieves September 17, 2009, 8:19 pm

    Thank you. I was not sure if this would apply to my ubuntu system on my netbook but it worked flawlessly.

  • satheesh mohan June 21, 2010, 11:48 pm

    I did everything as mentioned above. But unable to perform scp or ssh without a password prompt.

  • john February 1, 2011, 4:41 pm

    Thanks for the stuff, did just as you explained

  • Paul February 11, 2011, 11:27 pm

    Thanks for the notes on how to get ssh-agent up and running. Good concise info. All worked as expected after I followed along with this article.

    Thanks!

  • John May 12, 2011, 3:41 pm

    Most excellent article. Clear, concise, and to the point. It works on AIX and OpenSSH versions 0.9.8g and 1.0.0a. Thanks!

  • K.Bala November 2, 2011, 2:43 am

    Thanks..
    Good Stuff, it’s worked me..

  • dexter January 28, 2012, 7:29 am

    Hi,

    Awesome explanation… I have a doubt… after connecting to remote host is there any way to come back to the localhost through any command instead of opening a new session.

  • abhay February 5, 2012, 9:03 pm

    Is there anyway I can use Centralized CA to use PKI and What about CISCO devices?

  • Tom February 12, 2012, 10:58 am

    Thank you thank you thank you.

    Have been meaning to put a proper backup solution in place for my site, but am a relative noob when it comes to linux. Followed this and it works perfectly, first time

    Thanks again!

  • prateek February 14, 2012, 11:08 pm

    Thank u soo much ..

    this really works for me .

  • dhongki February 16, 2012, 9:02 pm

    is this possible to use in crontab?

  • dhongki February 16, 2012, 11:18 pm

    the problem i found with this one is that when you close the terminal you have to re-run again the ssh-agent and re-enter a passphrase in ssh-add

  • Michael February 28, 2012, 12:03 am

    Thanks! It works very well.

  • Daniel April 2, 2012, 4:51 am

    Thanks!! It’s very useful

  • Deepak April 16, 2012, 2:59 am

    Hi
    I followed the above procedure but the login didn’t happen without the password prompt. I have the host machine as OSX, and am trying to log in to a remote machine which is launched on VirtualBox, which is a Linux machine.

  • Anonymous June 8, 2012, 9:17 pm

    It is absolutely fantastic blog to learn different stuff regarding the linux

  • blackcat August 7, 2012, 9:42 am

    on step 5 , it doesn’t prompt for passphrase., simply logs-in-to remote server.
    But there it still asks for password..

  • siva kesava November 16, 2012, 9:30 am

    This info very useful and clear to generate RAS

    Thank you so much

  • Eric Koester November 24, 2012, 1:32 pm

    In step 3, you don’t show HOW to copy the file from the local machine to the remote machine.
    Could you fill in that step, please?
    Thanks!

  • Haytham A January 11, 2013, 8:12 pm

    Thanks for a well written post.
    I was able to remote copy without having the ssh-agent running. I don’t think it is a required step.
    One of the comments asked for an example of copying from a local to a remote machine. Here is one:
    scp mylocalfile userNameForRemoteMachine@remoteMachine:/some/directory/on/remote/machine

    Of course instead of a single file you can specify a directory and use the -r directive to copy all its contents recursively.

  • rajesh January 17, 2013, 6:10 am

    Thanks for the steps mentioned
    Is it possible to scp using the same steps from linux to windows …
    i tried a lot to do it with out password from linux to windows but not able to succeed … Please help if any changes are required or to install some thing else …

  • Pankaj February 17, 2013, 4:09 pm

    Thanks for the info.
    I had searched a number of places before I landed here. It really is a concise article. Very clear and easy to follow steps.

  • jet July 5, 2013, 3:14 am

    This is a great help for me, especially step 6 and 7. Thank you for info.

  • Ryan August 4, 2013, 2:00 pm

    I tried following your instructions. However, when I ssh into the remote host, it asks me for a password. I am needing to do this with no password so I can set up a cron to transfer files from the remote to local machine. I added the key to the “authorized_keys” file on the remote server.

    I am confused about step 5: [local-host]$ ssh -l jsmith remote-host

    It only works for me if I do ssh -l root remote-host, and, of course, I have to enter a password still. Thanks.

    Maybe it’s worth mentioning I’m on an EC2 Amazon server. My username is “ubuntu” by default.

    I tried generating a second key pair, with no passphrase, but it didn’t work either.

    Forgot to check “notify me of followup” on the last one… so if you responded to that one, I might not ever see it, so I’m sending this note in case you just respond to the last one you see.

  • Rishi September 10, 2013, 3:15 pm

    Your examples are very clear and concise. Thanks!
    –rishi

  • Anonymous September 17, 2013, 7:43 am

    Hi Ramesh,

    I have been trying to transfer script to the newly deployed Linux m/c.
    My requirement is ,as its newly deployed linux machine when i try to do scp, it will ask me to provide Key authentication. i am automating a task where i need to send file to the new machine and execute it there.

    Can you please share your idea to come out of the issue

    Regards
    Vishwa 

  • Jeroen October 9, 2013, 3:03 am

    If you opt for the ssh keypair without passphrase, try and make things as secure as possible by setting the account on the other side as scp only.

    You can do this by setting the shell for that user as /bin/false and chroot-ing the user to its homedir via the sshd_config file (you can specify users and/or groups).
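
For the passphrase-less key that the article's first option uses for cron jobs, a complementary control to the sshd_config approach in the comment above is per-key options in authorized_keys (from=, command=, no-pty and similar), which limit where the key may come from and what it may run. The audit below is an added example, not from the article or its commenters; the function name, address, command path and keys are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the article or the comments. The function name,
# address, command path and keys are constructed for the illustration.

# audit_authorized_keys FILE
# An authorized_keys line is "[options] <type> <base64> [comment]". A line
# that starts directly with the key type has no options, so that key can do
# anything the account can. Prints one finding per problem; returns 1 if any.
audit_authorized_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }                   # comments and blank lines
        $1 ~ /^(ssh|ecdsa|sk)-/ {                 # no options field at all
            printf "line %d: no restrictions (%s)\n", NR,
                   (NF >= 3 ? $3 : "no comment")
            bad = 1; next
        }
        # Options present: expect a source limit and a forced command.
        $0 !~ /from="/    { printf "line %d: no from= limit\n", NR; bad = 1 }
        $0 !~ /command="/ { printf "line %d: no forced command\n", NR; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Demo on a constructed file: one bare interactive key, one batch key that
# is pinned to a source address and a single command.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not real keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABinteractive jsmith@local-host
from="192.0.2.10",command="/usr/local/bin/receive-backup",no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABbatch cron@local-host
EOF
audit_authorized_keys "$sample" || echo "review the keys listed above"
rm -f "$sample"
```

A bare key is normal for an interactive, passphrase-protected identity; the finding matters when the line belongs to a key that was generated without a passphrase.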

  • Mario de Sá Vera December 19, 2013, 4:09 pm

    Dear Ramesh,

    good to be dealing with the ones that know what they are talking about !!!

    thanks for your post , it was the only one that worked it out alright !

    Mário.

  • Sivagnanam March 7, 2014, 12:06 pm

    Hi Ramesh,
    The Geek Stuff is always an important website for me, Basically It encourage me to learn technology. Especially it make passion toward linux and opensource. I thank you for such work. All your tips are worth and important for me.

    Thanks and regards,
    Sivagnanam A.
    Tamilnadu, India.

  • Kenny Black April 17, 2014, 9:49 am

    I can SSH without a password prompt, but scp still prompts for a password. Is there a way around this?
    Thanks,
    Kenny Black

  • Patrick May 9, 2014, 8:01 am

    This article is very good for first-timers like me in this area.

  • Amal June 19, 2014, 6:28 am

    Hi thanks for posting this Article.

    am facing some issue. while scheduling the cron job. if am manually running means that will work. but it’s not working via cron. Please help me.

  • Amal June 20, 2014, 1:19 am

    Thanks Ramesh Sir,

    i Got it, it’s working fine.

    Please share your gmail id.

  • Nagashetty June 25, 2014, 4:24 am

    Thank You So Much.It worked for me!!

  • Dan Krissell July 29, 2014, 7:18 am

    Perfect. Could not have been more clear. Thank you, Dan

  • Amal August 19, 2014, 5:11 am

    Hi All,

    Is there any possibility is there for particular user. because i have disabled root password. Please help me. it’s bit urgent.

  • Eric Koester February 15, 2015, 9:16 pm

    After some searching, I found the answer to what SHOULD be listed in step 3 above, There is a very specific command just for this purpose.

    3. Copy the Public Key to the Remote Computer:
    Use the command “ssh-copy-id” to accomplish this
    More specifically:
    ssh-copy-id -i ~/.ssh/id_rsa.pub user@machineaddress
    If the SSH port number of the remote computer is different than port 22, then you need to have quotes around the last part of the command, like so:
    ssh-copy-id -i ~/.ssh/id_rsa.pub "user@machineaddress -p portnumber"

  • pk.babu May 28, 2015, 8:48 am

    This article is very good&help for me. Thank you so much

  • Prem April 18, 2016, 6:13 am

    Hi,
    I have loaded the key in ssh-agent [ssh-add] and got confirmation saying Identity added but when i try to “ssh -l uname Dest_ip” it’s prompting for password but originally i wanted to do scp so tried “scp uname@dest_ip” but still it’s prompting for password, please help me on this, how to avoid the same.