
3 Steps to Perform SSH Login Without Password Using ssh-keygen & ssh-copy-id

You can log in to a remote Linux server without entering a password in 3 simple steps using ssh-keygen and ssh-copy-id, as explained in this article.

ssh-keygen creates the public and private keys. ssh-copy-id copies the local-host’s public key to the remote-host’s authorized_keys file. ssh-copy-id also assigns proper permission to the remote-host’s home, ~/.ssh, and ~/.ssh/authorized_keys.

This article also explains 3 minor annoyances of using ssh-copy-id and how to use ssh-copy-id along with ssh-agent.

Step 1: Create public and private keys using ssh-keygen on local-host

jsmith@local-host$ [Note: You are on local-host here]

jsmith@local-host$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jsmith/.ssh/id_rsa):[Enter key]
Enter passphrase (empty for no passphrase): [Press enter key]
Enter same passphrase again: [Press enter key]
Your identification has been saved in /home/jsmith/.ssh/id_rsa.
Your public key has been saved in /home/jsmith/.ssh/id_rsa.pub.
The key fingerprint is:
33:b3:fe:af:95:95:18:11:31:d5:de:96:2f:f2:35:f9 jsmith@local-host

Step 2: Copy the public key to remote-host using ssh-copy-id

jsmith@local-host$ ssh-copy-id -i ~/.ssh/id_rsa.pub remote-host
jsmith@remote-host's password:
Now try logging into the machine, with "ssh 'remote-host'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

Note: ssh-copy-id appends the keys to the remote-host’s .ssh/authorized_keys.

Step 3: Login to remote-host without entering the password

jsmith@local-host$ ssh remote-host
Last login: Sun Nov 16 17:22:33 2008 from 192.168.1.2
[Note: SSH did not ask for password.]

jsmith@remote-host$ [Note: You are on remote-host here]


The above 3 simple steps should get the job done in most cases.

We also discussed earlier, in detail, how to perform SSH and SCP from OpenSSH to OpenSSH without entering a password.

If you are using SSH2, we discussed earlier how to perform SSH and SCP without a password from SSH2 to SSH2, from OpenSSH to SSH2, and from SSH2 to OpenSSH.

Using ssh-copy-id along with the ssh-add/ssh-agent

When no value is passed for the option -i and ~/.ssh/identity.pub is not available, ssh-copy-id displays the following error message.

jsmith@local-host$ ssh-copy-id -i remote-host
/usr/bin/ssh-copy-id: ERROR: No identities found


If you have loaded keys into ssh-agent using ssh-add, then ssh-copy-id gets the keys from ssh-agent to copy to the remote-host; i.e., it copies the keys listed by the ssh-add -L command to the remote-host when you don’t pass option -i to ssh-copy-id.

jsmith@local-host$ ssh-agent $SHELL

jsmith@local-host$ ssh-add -L
The agent has no identities.

jsmith@local-host$ ssh-add
Identity added: /home/jsmith/.ssh/id_rsa (/home/jsmith/.ssh/id_rsa)

jsmith@local-host$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsJIEILxftj8aSxMa3d8t6JvM79DyBV
aHrtPhTYpq7kIEMUNzApnyxsHpH1tQ/Ow== /home/jsmith/.ssh/id_rsa

jsmith@local-host$ ssh-copy-id -i remote-host
jsmith@remote-host's password:
Now try logging into the machine, with "ssh 'remote-host'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
[Note: This has added the key displayed by ssh-add -L]

Three Minor Annoyances of ssh-copy-id

The following are a few minor annoyances of ssh-copy-id.

  1. Default public key: ssh-copy-id uses ~/.ssh/identity.pub as the default public key file (i.e., when no value is passed to option -i). Instead, I wish it used id_dsa.pub, id_rsa.pub, or identity.pub as default keys; i.e., if any one of them exists, it should copy that to the remote-host. If two or three of them exist, it should copy identity.pub as default.
  2. The agent has no identities: When ssh-agent is running and ssh-add -L returns “The agent has no identities” (i.e., no keys are added to the ssh-agent), ssh-copy-id will still copy the message “The agent has no identities” to the remote-host’s authorized_keys entry.
  3. Duplicate entry in authorized_keys: I wish ssh-copy-id checked for duplicate entries in the remote-host’s authorized_keys. If you execute ssh-copy-id multiple times on the local-host, it will keep appending the same key to the remote-host’s authorized_keys file without checking for duplicates. Even with duplicate entries everything works as expected. But I would like to keep my authorized_keys file clutter-free.
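
Annoyances 2 and 3 can be cleaned up afterwards on the remote-host. The following is an added example, not part of the original article and not code from ssh-copy-id: a POSIX shell function that drops lines that are not public keys (such as a stray "The agent has no identities.") and repeated keys from an authorized_keys file. The function names and the sample keys are constructed for illustration.

```shell
#!/bin/sh
# Added example. The key material below is constructed, not real keys.

# clean_authorized_keys FILE
#   stdout: FILE minus invalid lines and repeated keys (first copy is kept)
#   stderr: one report line per dropped line, for review before replacing FILE
clean_authorized_keys() {
    awk '
    # Key type names that may start a key in authorized_keys.
    function is_keytype(s) {
        return s ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/
    }
    /^[ \t]*(#|$)/ { print; next }      # keep comments and blank lines
    {
        blob = ""
        # Options such as command="..." may precede the key type, so look
        # for the first "<keytype> <base64 blob>" pair anywhere on the line.
        for (i = 1; i < NF; i++)
            if (is_keytype($i) && $(i + 1) ~ "^AAAA[A-Za-z0-9+/]+=*$") {
                blob = $(i + 1)
                break
            }
        if (blob == "") {
            printf "line %d: not a public key, dropped: %s\n", NR, $0 > "/dev/stderr"
            next
        }
        if (blob in seen) {
            printf "line %d: same key as line %d, dropped\n", NR, seen[blob] > "/dev/stderr"
            next
        }
        seen[blob] = NR
        print
    }' "$1"
}

# Constructed sample: a valid key, the stray ssh-add message from annoyance 2,
# the same key appended a second time (annoyance 3), and a key with options.
sample_authorized_keys() {
    cat <<'EOF'
# keys for jsmith
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedKey1 jsmith@local-host
The agent has no identities.
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedKey1 jsmith@local-host
command="/usr/local/bin/backup",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedKey2 backup@local-host
EOF
}

# Demo: prints the cleaned file, with the report on stderr.
tmp=$(mktemp)
sample_authorized_keys > "$tmp"
clean_authorized_keys "$tmp"
rm -f "$tmp"
```

Review the stderr report before moving the cleaned output over the real file, since a dropped repeat may carry different options than the copy that was kept.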


{ 60 comments }

  • sathiya November 21, 2008, 6:47 am

    Nice article…

    I used to use this ssh-keygen for generating the keys, and copy the keys using scp. But this ssh-copy-id is new…

    Users feel great about this when your environment needs to use more than one server frequently.

  • mk_michael December 6, 2008, 3:06 pm

    Hi, I’ve also never heard about ssh-copy-id, great thing. You can also use the “keychain” tool.

  • Jadu Saikia December 8, 2008, 10:47 pm

    Nice article Ramesh.

  • domainnameyahoo April 29, 2009, 3:03 am

    Hi,

    That’s strange, I followed all these steps and other steps found on Google.

    None worked, ssh is still asking me for a password.
    I use CentOS and FC9

  • Ramesh Natarajan April 30, 2009, 6:23 pm

    @Sathiya,
    Yeah, a lot of people overlook ssh-copy-id, as you can still copy the keys manually.
     
    @mk_michael,
    I believe you are talking about the keychain tool that is mentioned in gentoo.org. I have not used this before. Thanks for bringing this to our attention. I’ll check it out.
     
    @Jadu Saikia,
    Thanks for your comments. I appreciate it.
     
    @domainnameyahoo,
    You may want to run the ssh in debug mode to identify what could be the problem. Please refer to section 4 in the 5 Basic Linux SSH Client Commands on how to debug ssh client connection.

  • Jayachandran August 11, 2009, 8:46 pm

    Geeks,
    If the ssh-copy-id command is not found on your system, please use the following method.
    #scp ~/.ssh/id_rsa.pub user@remotehost:/home/user/
    This will ask you for the password of the user you have mentioned
    #cat id_rsa.pub >> /home/user/.ssh/authorized_keys

    that’s it, you have done it.

  • Faheem November 1, 2009, 10:38 pm

    when I execute the command
    ssh-copy-id -i ~/.ssh/id_rsa.pub ip.ip.ip.ip
    I get the following error.
    root@ip.ip.ip.ip’s password:
    stdin: is not a tty

    Please advise

    Thanks

  • Jayachandran November 3, 2009, 12:14 pm

    Please try with one of the following:
    ssh-copy-id -i -t ~/.ssh/id_rsa.pub ip.ip.ip.ip
    ssh-copy-id -i -q ~/.ssh/id_rsa.pub ip.ip.ip.ip
    ssh-copy-id -i -T ~/.ssh/id_rsa.pub ip.ip.ip.ip
    else, use another method,
    #scp ~/.ssh/id_rsa.pub user@remotehost:/home/user/
    This will ask you for the password of the user you have mentioned
    #cat id_rsa.pub >> /home/user/.ssh/authorized_keys

    Thanks,
    Jai

  • A November 11, 2009, 3:27 pm

    When I tried ssh-copy-id ~/.ssh/id_rsa.pub jaliu@beeeater (i.e. user@remote-host), I got an error: ssh: Could not resolve hostname /home/bayeni/.ssh/id_rsa.pub: Name or service not known. Please, what do I do?

  • Snorfalorpagus December 10, 2009, 9:47 am

    I’ve done this before, but wanted a quick reference check. I’d not come across ssh-copy-id. Thanks!

  • tayfun December 23, 2009, 2:21 am

    One small typo:
    Note: ssh-copy-id appends the keys to the remote-host’s .ssh/authorized_key.
    should read
    Note: ssh-copy-id appends the keys to the remote-host’s .ssh/authorized_keys.

    Notice authorized_key*s* . Thanks for the article!

  • hams2 February 22, 2010, 11:27 am

    Very good post :) Thanks for this :) I’m French and I’m looking for an scp script in order to back up my data every day :)

  • htx202yl March 24, 2010, 7:18 am

    @hams2
    I found this tutorial about doing backups securely with ssh
    http://troy.jdmz.net/rsync/index.html

  • midou June 5, 2010, 4:33 am

    Thank you, it’s a good tutorial

  • lxtips August 17, 2010, 10:15 pm

    Very good instructions. Thank-you.

  • Sathish Kumar December 7, 2010, 5:52 am

    Thanks, for your help…..

  • winx March 22, 2011, 3:42 am

    Very nice tutorial! keep it up guys!

  • Anonymous April 28, 2011, 12:28 am

    I’m a bit confused. It seems you can add your public key to the remote host and grant yourself access. This seems like no security at all. What am I missing?

  • Pier May 21, 2011, 2:36 pm

    @Anonymous
    You won’t be able to add your public key on a server where you don’t have a valid login/password combination.

    And just to add my own geek stuff :
    To get a password-less connection from local user1 to remote user2, copy the user1 public key(id_rsa.pub) to the remote user2 “authorized_keys” file using a pipe over ssh:

    $ cat /home/user1/.ssh/id_rsa.pub | ssh root@remote_server 'cat >> /home/user2/.ssh/authorized_keys'

    This would do the same job as ssh-copy-id without the 2 out of 3 “weak” points revealed by Ramesh.

  • jaxxm July 14, 2011, 4:35 am

    Geek stuff strikes again. Keep up the great articles.

  • Patrick November 28, 2011, 11:54 pm

    Neat. This was easy to set up on one of my computers. On the other one, it was a bit more stubborn. For the benefit of someone else who’s bit by it, sshd will not accept an authorized_keys file if either directory ~/.ssh or ~ are writable by Group or Others. The difficult system was PCBSD, in which every user also has their own group and their directory is writable to that group.
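
The permission rule from the comment above, as an added example that is not part of the original article or thread: a shell function, meant to be run on the remote-host, that reports which of ~, ~/.ssh and ~/.ssh/authorized_keys is missing or writable by group or others. The function name is hypothetical and the demo builds a throwaway directory tree.

```shell
#!/bin/sh
# Added example; check_ssh_perms is a hypothetical helper name.

# check_ssh_perms HOME_DIR
#   Prints one line per problem; returns 0 only when nothing is reported.
check_ssh_perms() {
    home=$1
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            rc=1
            continue
        fi
        # -prune keeps find on the path itself; the two -perm tests match
        # the group-write (020) and other-write (002) mode bits.
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "writable by group or others: $p (fix: chmod go-w)"
            rc=1
        fi
    done
    return "$rc"
}

# Demo on a constructed tree that mimics the case from the comment:
# the home directory is group-writable, everything below it is fine.
demo_home=$(mktemp -d)
mkdir "$demo_home/.ssh"
: > "$demo_home/.ssh/authorized_keys"
chmod 700 "$demo_home/.ssh"
chmod 600 "$demo_home/.ssh/authorized_keys"
chmod 770 "$demo_home"
check_ssh_perms "$demo_home" || echo "key login would fall back to the password prompt"
chmod 750 "$demo_home"
check_ssh_perms "$demo_home" && echo "permissions ok"
rm -rf "$demo_home"
```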

  • marines December 6, 2011, 5:17 am

    Doesn’t work for me. It gives me “Agent admitted failure to sign using the key.” message when I try to log in without password.

  • Oded February 27, 2012, 3:36 am

    +1 Very helpful and very simple

  • Anonymous March 1, 2012, 2:38 pm

    very good

  • Doalwa March 15, 2012, 6:21 am

    Nice tutorial, adequate security really doesn’t get any easier than this..you gotta love Unix/Linux!

  • Deepesh May 3, 2012, 3:54 am

    Thanks a lot bro…………
    It was very very helpful for me………………..

  • Mark Hahn May 30, 2012, 7:27 pm

    DO NOT FOLLOW THIS RECIPE NAIVELY – it is very dangerous, since a key with no passphrase is the moral equivalent of dumping your password in a file in the clear. Anyone who gets even momentary access to your private key TOTALLY OWNS any accounts where you’ve installed the public part.

    The only way you should use an unencrypted key (no passphrase) is if you can guarantee total and eternal security of the private part. This might be possible, but is highly unlikely. That said, there are just two responsible ways to use keys:
    – Encrypt the key by providing a passphrase when you generate it. This may seem strange, since to use it, you’ll need to provide the passphrase, which is presumably harder than a password. And *that* is why ssh-agent exists: it lets you supply the passphrase once, not every time. (You can have ssh-agent time out the passphrase after a fixed time, or keep it as long as it’s running.)
    – Constrain the key wherever it’s installed, so that it can only perform some limited function. For instance, if the key’s purpose is to permit something unattended like a backup, use OpenSSH’s “command=” syntax so that the key can only be used for that, not to get a shell or tunnel through firewalls. (“man sshd” to see the syntax for the .authorized_keys file – constraining a key to particular client machines is also a good idea, etc.)
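
The two safeguards from the comment above, as an added example that is not part of the original article or thread: the client-side commands for a passphrase-protected key held in ssh-agent for a limited time, and a shell function that builds a constrained authorized_keys entry. The function name, key file name, backup command path and sample key are assumptions; the restrict option needs OpenSSH 7.2 or later on the server.

```shell
#!/bin/sh
# Added example. Names, paths and the key below are constructed.
#
# Client side, once per key (shown as comments, not executed here):
#   ssh-keygen -t ed25519 -f ~/.ssh/id_backup   # enter a passphrase when asked
#   ssh-add -t 3600 ~/.ssh/id_backup            # agent forgets the key after 1 hour

# restricted_entry PUBKEY_FILE FORCED_COMMAND [FROM_PATTERN]
#   Prints an authorized_keys line that lets the key run FORCED_COMMAND only,
#   optionally only from clients matching FROM_PATTERN.
restricted_entry() {
    pub=$1
    cmd=$2
    from=${3:-}
    # A common slip is passing the private key file instead of the .pub file.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a private key; pass the .pub file" >&2
        return 1
    fi
    # A .pub file holds exactly one "<type> <base64> [comment]" line.
    if [ "$(grep -c . "$pub")" -ne 1 ] || ! grep -Eq '^(ssh-|ecdsa-|sk-)[^ ]+ AAAA' "$pub"; then
        echo "$pub does not look like a single public key" >&2
        return 1
    fi
    # Embedded double quotes would need escaping inside the option value.
    case "$cmd$from" in
        *\"*) echo "double quotes in options are not handled" >&2; return 1 ;;
    esac
    opts="restrict,command=\"$cmd\""
    [ -z "$from" ] || opts="$opts,from=\"$from\""
    printf '%s %s\n' "$opts" "$(cat "$pub")"
}

# Demo with a constructed public key file.
demo_pub=$(mktemp)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedKey backup@local-host' > "$demo_pub"
restricted_entry "$demo_pub" '/usr/local/bin/backup-www' '192.168.1.2'
rm -f "$demo_pub"
```

The printed line goes into ~/.ssh/authorized_keys on the remote-host in place of the unrestricted entry for that key.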

  • Manohar Viswanatha August 1, 2012, 12:20 am

    Does typing only ssh-keygen generate keys, or should we also mention the key type, I mean rsa… because when I entered ssh-keygen it’s asking for the key type with the -t option

  • Luke Stanley August 4, 2012, 1:50 pm

    Please point out very obviously in the original post that step 1 may have been done already and if so only step 2 may be needed!

  • Roger August 16, 2012, 3:23 pm

    There’s a step still missing. I’ve done all the steps and I’m still prompted to enter a password… I believe there is a KEON change that needs to happen as well. Also, the public key is using the short name for the host, but you need to use the fully qualified name to ssh, scp, or sftp. So,… how do we get the ssh-keygen to allow for use to type in a server name….

  • Rotsen September 19, 2012, 2:30 pm

    The tutorial works for me if I do it as root but that creates a security hole. When I create a user ‘user_ssh’ and follow the instructions, it seems to work but when I do
    an ‘ssh hostname’ it asks me for:
    Enter passphrase for key ‘/home/user_rsync/.ssh/id_rsa’:

    Why does it not work as a regular user?

    Update: OK I got it to work by adding quotes on the “ssh” statement. See my cron below:
    ---------------------
    #!/bin/sh

    # the line below works for root
    #rsync -av --progress --stats --exclude "*.LCK" -e ssh user_rsync@remotehost:/home/www/ /home/www

    # the line below works for non-root user
    rsync -av --progress --stats --exclude "*.LCK" -e "ssh -i /home/user_rsync/.ssh/id_rsa.pub user_rsync@remotehost:/home/www/" /home/www

  • Rotsen September 19, 2012, 4:43 pm

    One thing that worries me now is that before, when the user was root, the report created only showed an overall of totals when no files were transferred, but now that I am doing the rsync as a regular user the email I get has a list of all the files even if no files were transferred. I hope someone is reading this…

  • icone September 27, 2012, 4:39 am

    Please do note Patrick’s comment:
    “sshd will NOT ACCEPT an authorized_keys file if either directory ~/.ssh or ~ are writable by Group or Others”
    SSH would still ask for a password.
    This solved my problem.
    Remove a user from a group:
    'sudo gpasswd -d user-to-remove group'

  • cubsfan December 7, 2012, 8:49 am

    Nice article. Easy to follow and understand.

  • devender shekhawat February 20, 2013, 3:52 am

    When I used
    jsmith@local-host$ ssh-copy-id -i ~/.ssh/id_rsa.pub remote-host

    error no remote host. Is it possible to create 2 hosts in a single machine? Please tell me the process. How to overcome that error?

  • Abyakta February 26, 2013, 1:56 pm

    Hi

    I did the exact step but it still asks for the password.

    Please tell me where I am going wrong.

    Regards
    Abyakta

  • anonymous March 11, 2013, 12:03 pm

    Very Useful Steps. I just used and it worked quite well.. Thanks!

  • Reza March 25, 2013, 7:05 am

    Finally you solved my problem! Thanks

  • Dhandayuthabani March 30, 2013, 12:24 am

    I followed those three steps, but the known hosts file does not exist in the .ssh/ directory, and again it asks the user for a password. What do I have to do?

    Thanks & Regards
    Dhandayuthabani

  • jonnybignote April 29, 2013, 4:00 pm

    I can make this work by typing the command into terminal, and by running the shell script it is inside, but it will not run through the remote control I’m using (to keep a media center mythtv backend from shutting down by sending a lock command). It lists a failed password.

    Any ideas?
    Thanks

  • JRM June 12, 2013, 11:10 am

    Is the same user account necessary on both hosts? Local and remote?

  • Anonymous June 12, 2013, 12:50 pm

    If you’re trying to login to a Red Hat host, this might help.

  • Nexus July 4, 2013, 5:33 am

    Should you encounter a message such as:
    Ambiguous output redirect
    …try the below approach
    cat ~/.ssh/id_rsa.pub | ssh user@hostname 'umask 077; mkdir -p .ssh; cat >> .ssh/authorized_keys'

    If you have a lot of hosts to update the authorized_keys, you may try the below
    Add the below line to your .cshrc file (this works only with csh/tcsh)
    alias sshcpid "cat ~/.ssh/id_rsa.pub | ssh \!:1 'umask 077; mkdir -p .ssh; cat >> .ssh/authorized_keys'"
    Source the .cshrc before you can execute the alias
    >source ~/.cshrc
    Execute the alias by passing the username & hostname as parameters
    >sshcpid user@hostname

  • Patrick September 1, 2013, 11:59 am

    Interesting. I followed the steps from Step 2 on (I already have a key generated, which has a passphrase attached). When I tried to ssh in as my user, I’m still prompted for a password. But, if I try to ssh in as root, I’m prompted for my passphrase (the first time after a reboot) and it logs me in automatically.

    I’m going from an Ubuntu 13.04 machine to a Fedora 19 machine. The other interesting thing is, I have a customized .bashrc file on both the user and root profiles. When I ssh in as the user, I have to run source .bashrc to get it working, but when I log in as root, it does it automatically.

    Could it be that I’ve never logged in on the remote machine physically as the user by chance? (It’s a home server running Amahi Home Server)

    Have a great day.:)
    Patrick.


    In addition to my above comment, I also copied it to my mythbuntu machine, and it works perfectly. I’m thinking that it might be because the password isn’t the same on the server (for my user).

  • Stefan Ivanov September 19, 2013, 1:01 pm

    This works for me
    ssh-copy-id "user@remote-host -p 4242" -i ~/.ssh/id_rsa.pub

  • MrGmaw September 25, 2013, 8:47 am

    Great man. Thank you so much.

  • rowthu vijayakrishna October 7, 2013, 7:20 am

    thanks for watering the Linux Tree, and thanks for making the explanation on “free remote logging” lucid.

  • akhilesh November 15, 2013, 8:04 am

    Great article, Ramesh.

    But I couldn’t log in to the remote server without the password even if the file contents of id_rsa.pub are the same as those of .ssh/authorized_keys

  • Ramu December 7, 2013, 12:44 am

    Hi Ramesh, can you please help regarding how to copy a file from one server to another server using the scp command with a password? I am using the scp command to copy the file from one to another. That script works fine, so if we run that script via crontab then it fails. The problem is the password: it is not taking that password while running the cron job.
    debug1: Trying private key: /home/postgres/.ssh/id_dsa

    debug1: Next authentication method: password

    postgres@192.168.3.117's password:

    The error log comes up to here only. We are thinking the password is not being taken automatically.

    thanks in advance

  • green man December 17, 2013, 4:37 am

    its simply great boss

  • Roman January 28, 2014, 3:28 pm

    on OS X
    sudo port install openssh
    default osx ssh client didn’t have ssh-copy-id utils
    thanks for article

  • Elie February 9, 2014, 2:16 am

    Thank you, that was very useful!

  • Wagner February 14, 2014, 3:36 pm

    Very useful, congratulations !!!

  • mohan March 19, 2014, 2:28 am

    Even though I successfully completed the 2 Step, it is still asking for a password. Please tell me if there are any changes I have to make.

    Thanks..

  • spellinator April 22, 2014, 4:55 pm

    If anyone is still being prompted for a password after doing these steps, it may be that Secure Enterprise Linux is enabled on the remote_server.

    Check with the “getenforce” command.

    Turn it off with “setenforce 0” command.

  • Luís Felipe de Andrade May 15, 2014, 11:18 am

    Thanks for the useful post! Whenever I need to add a new server, I come to this link to see how to do it.

  • Sury June 4, 2014, 12:30 pm

    Thanks for the useful post…. What happens when you change the password for the login in the remote server…

  • Ramesh RC July 25, 2014, 6:58 am

    Tried it a few times, your instructions are clear but somewhere I believe we are missing some config. I am running this on RHEL

    I am prompted for the password every time, looks like it skips the password-less authentication method… attached the verbose log, your help is appreciated.

    [jirauser@ldsrvcqmbldp002 .ssh]$ ssh -v jirauser@10.x.x.x
    OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to 10.x.x.x. [10.x.x.x] port 22.
    debug1: Connection established.
    debug1: identity file /home/jirauser/.ssh/id_rsa type 1
    debug1: identity file /home/jirauser/.ssh/id_dsa type -1
    debug1: loaded 2 keys
    debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
    debug1: match: OpenSSH_4.3 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_4.3
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host '10.x.x.x' is known and matches the RSA host key.
    debug1: Found key in /home/jirauser/.ssh/known_hosts:1
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received

    Cable&Wireless Worldwide

    This is a private system. Do not attempt to login unless you are an authorised
    user. Any authorised or unauthorised access and use may be monitored and can
    result in criminal or civil prosecution under applicable law.

    debug1: Authentications that can continue: publickey,gssapi-with-mic,password
    debug1: Next authentication method: gssapi-with-mic
    debug1: Unspecified GSS failure. Minor code may provide more information
    No credentials cache found

    debug1: Unspecified GSS failure. Minor code may provide more information
    No credentials cache found

    debug1: Unspecified GSS failure. Minor code may provide more information
    No credentials cache found

    debug1: Next authentication method: publickey
    debug1: Offering public key: /home/jirauser/.ssh/id_rsa
    debug1: Authentications that can continue: publickey,gssapi-with-mic,password
    debug1: Trying private key: /home/jirauser/.ssh/id_dsa
    debug1: Next authentication method: password
    jirauser@10.x.x.x's password:

  • mila February 18, 2015, 7:40 am

    I tried ssh-copy-id -i ~/.ssh/[file.pub] [remote host] but received these messages:

    /usr/local/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

    /usr/local/bin/ssh-copy-id: ERROR: ssh: connect to host [remote host] port 22: Connection refused

    How do I solve this?

  • tungds May 25, 2015, 1:07 am

    Thanks, after deleting all files in /.ssh and following your step, ssh doesn’t require pass
