You can log in to a remote Linux server without entering a password in 3 simple steps using ssh-keygen and ssh-copy-id, as explained in this article.
ssh-keygen creates the public and private keys. ssh-copy-id copies the local-host’s public key to the remote-host’s authorized_keys file. ssh-copy-id also assigns proper permission to the remote-host’s home, ~/.ssh, and ~/.ssh/authorized_keys.
This article also explains 3 minor annoyances of using ssh-copy-id and how to use ssh-copy-id along with ssh-agent.
Step 1: Create public and private keys using ssh-keygen on local-host
jsmith@local-host$ [Note: You are on local-host here]

jsmith@local-host$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jsmith/.ssh/id_rsa):[Enter key]
Enter passphrase (empty for no passphrase): [Press enter key]
Enter same passphrase again: [Press enter key]
Your identification has been saved in /home/jsmith/.ssh/id_rsa.
Your public key has been saved in /home/jsmith/.ssh/id_rsa.pub.
The key fingerprint is:
33:b3:fe:af:95:95:18:11:31:d5:de:96:2f:f2:35:f9 jsmith@local-host
Step 2: Copy the public key to remote-host using ssh-copy-id
jsmith@local-host$ ssh-copy-id -i ~/.ssh/id_rsa.pub remote-host
jsmith@remote-host's password:
Now try logging into the machine, with "ssh 'remote-host'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Note: ssh-copy-id appends the keys to the remote-host’s .ssh/authorized_keys.
Step 3: Login to remote-host without entering the password
jsmith@local-host$ ssh remote-host
Last login: Sun Nov 16 17:22:33 2008 from 192.168.1.2
[Note: SSH did not ask for password.]

jsmith@remote-host$ [Note: You are on remote-host here]
The above 3 simple steps should get the job done in most cases.
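If step 3 still prompts for a password, check the permissions that ssh-copy-id normally sets: with StrictModes enabled (the OpenSSH default), sshd ignores authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others. The check below is an added example, not from the original article; check_ssh_perms and fix_ssh_perms are hypothetical helper names, and ownership checks are left out.

```shell
#!/bin/sh
# Added example, not from the original article.

# check_ssh_perms HOME_DIR: report which of HOME_DIR, HOME_DIR/.ssh and
# HOME_DIR/.ssh/authorized_keys are missing or writable by group or others.
# Returns 0 when all three are fine, 1 when something needs fixing.
check_ssh_perms() {
    home=$1 bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; bad=1; continue
        fi
        # -prune keeps find on the path itself; -perm -020 and -perm -002
        # test the group-write and other-write bits.
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "too open: $(ls -ld "$p")"; bad=1
        fi
    done
    return "$bad"
}

# fix_ssh_perms HOME_DIR: apply the conventional modes.
fix_ssh_perms() {
    chmod go-w "$1" && chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys"
}

# Demo in a scratch directory standing in for a home directory (constructed).
demo_home=$(mktemp -d)
mkdir "$demo_home/.ssh" && : > "$demo_home/.ssh/authorized_keys"
chmod 775 "$demo_home" "$demo_home/.ssh"; chmod 664 "$demo_home/.ssh/authorized_keys"
check_ssh_perms "$demo_home" || echo "sshd would ignore authorized_keys here"
fix_ssh_perms "$demo_home" && check_ssh_perms "$demo_home" && echo "permissions ok"
```

Run check_ssh_perms "$HOME" on remote-host as the account you are trying to log in to.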
We also discussed earlier, in detail, performing SSH and SCP from OpenSSH to OpenSSH without entering a password.
If you are using SSH2, we discussed earlier performing SSH and SCP without a password from SSH2 to SSH2, from OpenSSH to SSH2 and from SSH2 to OpenSSH.
Using ssh-copy-id along with the ssh-add/ssh-agent
When no value is passed for the option -i and ~/.ssh/identity.pub is not available, ssh-copy-id will display the following error message.
jsmith@local-host$ ssh-copy-id -i remote-host
/usr/bin/ssh-copy-id: ERROR: No identities found
If you have loaded keys into the ssh-agent using ssh-add, then ssh-copy-id will get the keys from the ssh-agent to copy to the remote-host, i.e. it copies the keys listed by the ssh-add -L command to the remote-host when you don’t pass a value for option -i to ssh-copy-id.
jsmith@local-host$ ssh-agent $SHELL
jsmith@local-host$ ssh-add -L
The agent has no identities.
jsmith@local-host$ ssh-add
Identity added: /home/jsmith/.ssh/id_rsa (/home/jsmith/.ssh/id_rsa)
jsmith@local-host$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsJIEILxftj8aSxMa3d8t6JvM79DyBV
aHrtPhTYpq7kIEMUNzApnyxsHpH1tQ/Ow== /home/jsmith/.ssh/id_rsa
jsmith@local-host$ ssh-copy-id -i remote-host
jsmith@remote-host's password:
Now try logging into the machine, with "ssh 'remote-host'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[Note: This has added the key displayed by ssh-add -L]
Three Minor Annoyances of ssh-copy-id
The following are a few minor annoyances of ssh-copy-id.
- Default public key: ssh-copy-id uses ~/.ssh/identity.pub as the default public key file (i.e. when no value is passed to option -i). I wish it would instead use id_dsa.pub, id_rsa.pub, or identity.pub as default keys, i.e. if any one of them exists, it should copy that to the remote-host. If two or three of them exist, it should copy identity.pub as default.
- The agent has no identities: When the ssh-agent is running and ssh-add -L returns “The agent has no identities” (i.e. no keys are added to the ssh-agent), ssh-copy-id will still copy the message “The agent has no identities” to the remote-host’s authorized_keys file as an entry.
- Duplicate entry in authorized_keys: I wish ssh-copy-id checked for duplicate entries in the remote-host’s authorized_keys. If you execute ssh-copy-id multiple times on the local-host, it will keep appending the same key to the remote-host’s authorized_keys file without checking for duplicates. Even with duplicate entries everything works as expected, but I would like to keep my authorized_keys file clutter free.
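Annoyances 2 and 3 both leave clutter in the remote authorized_keys file: a stray "The agent has no identities" line and repeated keys. The cleanup script below is an added example, not part of the original article; the function names and the sample key blobs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Key blobs are constructed.

# Print FILE without junk lines and without repeated keys. A key is its
# "type blob" pair; options before it and the comment after it are ignored.
# The first copy of a key is kept, which is the line sshd would match first.
clean_authorized_keys() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # keep comments and blank lines
    {
        key = ""
        for (i = 1; i < NF; i++)
            if ($i ~ "^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9@.-]+)$" &&
                $(i + 1) ~ "^AAAA[A-Za-z0-9+/]+=*$") { key = $i " " $(i + 1); break }
        if (key == "")   { print "dropped, not a key: " $0 | "cat 1>&2"; next }
        if (seen[key]++) { print "dropped, duplicate: " $0 | "cat 1>&2"; next }
        print
    }' "$1"
}

# Rewrite FILE in place, keeping the original as FILE.bak, both mode 600.
tidy_in_place() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    if clean_authorized_keys "$1" > "$tmp"; then
        cp -p "$1" "$1.bak" && mv "$tmp" "$1" && chmod 600 "$1" "$1.bak"
    else
        rm -f "$tmp"; return 1
    fi
}

# Constructed sample: a stray ssh-add message, one key added three times
# (once under a different comment) and one distinct key.
write_sample() {
    cat > "$1" <<'EOF'
# keys for jsmith
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedKEY1== jsmith@local-host
The agent has no identities.
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedKEY1== jsmith@local-host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedKEY2 jsmith@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedKEY1== /home/jsmith/.ssh/id_rsa
EOF
}

# Demo on a scratch copy, never on a live ~/.ssh/authorized_keys.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/authorized_keys"
tidy_in_place "$demo_dir/authorized_keys"
cat "$demo_dir/authorized_keys"
```

Once the scratch run looks right, run tidy_in_place on remote-host against ~/.ssh/authorized_keys and keep the .bak copy until a fresh login has succeeded.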
My name is Ramesh Natarajan. I will be posting instruction guides, how-to, troubleshooting tips and tricks on Linux, database, hardware, security and web. My focus is to write articles that will either teach you or help you resolve a problem. Read more about
{ 22 comments… read them below or add one }
nice article…
I used to use ssh-keygen for generating the keys, and copy the keys using scp. But this ssh-copy-id is new…
Users feel great about this when your environment needs to use more than one server frequently.
Hi, I’ve also never heard about ssh-copy-id, great thing. You can also use the “keychain” tool.
Nice article Ramesh.
hi,
That’s strange, I followed all these steps and other steps found on Google.
None worked; ssh is still asking me for a password.
I use CentOS and FC9.
@Sathiya,
Yeah, lot of people overlook ssh-copy-id, as you can still copy the keys manually.
@mk_michael,
I believe you are talking about the keychain tool that is mentioned in gentoo.org. I have not used this before. Thanks for bringing this to our attention. I’ll check it out.
@Jadu Saikia,
Thanks for your comments. I appreciate it.
@domainnameyahoo,
You may want to run the ssh in debug mode to identify what could be the problem. Please refer to section 4 in the 5 Basic Linux SSH Client Commands on how to debug ssh client connection.
Geeks,
If the ssh-copy-id command is not found on your system, please use the following method.
#scp ~/.ssh/id_rsa.pub user@remotehost:/home/user/
This will ask you the password of the user you have mentioned
#cat id_rsa.pub >> /home/user/.ssh/authorized_keys
that’s it, you have done it.
When I execute the command
ssh-copy-id -i ~/.ssh/id_rsa.pub ip.ip.ip.ip
I get the following error.
root@ip.ip.ip.ip’s password:
stdin: is not a tty
Please advise
Thanks
Please try with one of the following:
ssh-copy-id -i -t ~/.ssh/id_rsa.pub ip.ip.ip.ip
ssh-copy-id -i -q ~/.ssh/id_rsa.pub ip.ip.ip.ip
ssh-copy-id -i -T ~/.ssh/id_rsa.pub ip.ip.ip.ip
else, use another method,
#scp ~/.ssh/id_rsa.pub user@remotehost:/home/user/
This will ask you the password of the user you have mentioned
#cat id_rsa.pub >> /home/user/.ssh/authorized_keys
Thanks,
Jai
When I tried ssh-copy-id ~/.ssh/id_rsa.pub jaliu@beeeater, i.e. user@remote-host, I got an error: ssh: Could not resolve hostname /home/bayeni/.ssh/id_rsa.pub: Name or service not known. Please, what do I do?
I’ve done this before, but wanted a quick reference check. I’d not come across ssh-copy-id. Thanks!
One small typo:
Note: ssh-copy-id appends the keys to the remote-host’s .ssh/authorized_key.
should read
Note: ssh-copy-id appends the keys to the remote-host’s .ssh/authorized_keys.
Notice authorized_key*s* . Thanks for the article!
Very good post
Thanks for this
I’m French and I’m looking for an scp script in order to back up my data every day
@hams2
I found this tutorial about doing backups securely with ssh
http://troy.jdmz.net/rsync/index.html
Thank you, it’s good tutorial
Very good instructions. Thank-you.
Thanks, for your help…..
Very nice tutorial! keep it up guys!
I’m a bit confused. It seems you can add your public key to the remote host and grant yourself access. This seems like no security at all. What am I missing?
@Anonymous
You won’t be able to add your public key on a server where you don’t have a valid login/password combination.
And just to add my own geek stuff :
To get a password-less connection from local user1 to remote user2, copy the user1 public key (id_rsa.pub) to the remote user2 “authorized_keys” file using a pipe over ssh:
$ cat /home/user1/.ssh/id_rsa.pub | ssh root@remote_server 'cat >> /home/user2/.ssh/authorized_keys'
This would do the same job as ssh-copy-id without 2 of the 3 “weak” points revealed by Ramesh.
Geek stuff strikes again. Keep up the great articles.
Neat. This was easy to set up on one of my computers. On the other one, it was a bit more stubborn. For the benefit of someone else who’s bit by it, sshd will not accept an authorized_keys file if either directory ~/.ssh or ~ are writable by Group or Others. The difficult system was PCBSD, in which every user also has their own group and their directory is writable to that group.
Doesn’t work for me. It gives me “Agent admitted failure to sign using the key.” message when I try to log in without password.