How to Set Up a Password-less SSH Login
Setting up passwordless SSH logins is a great way to speed up connections to regularly accessed remote Macs and Unix boxes. Because not all versions of Mac OS X include the ssh-copy-id command, you may have to use cat or scp to copy over your SSH key. This is how to set everything up; it only takes a minute or so.
First, on the local machine you will want to generate a secure SSH key:
ssh-keygen
Walk through the key generator and set a password. By default the private key is written to ~/.ssh/id_rsa and the matching public key to ~/.ssh/id_rsa.pub.
Next, copy the generated public key to the remote server you want to set up passwordless logins with. This is easily done with the following command string, but you can use ssh-copy-id or scp if you’d prefer:
cat ~/.ssh/id_rsa.pub | ssh user@remotehost 'cat >> ~/.ssh/authorized_keys'
(Remember to replace “user@remotehost” with the appropriate username and remote IP address or domain of the server)
This command takes the generated public key from the local machine, connects to the remote host via SSH, and then uses cat to append the key to the remote user’s authorized key list. Because this connects to the remote machine with SSH, you will need to enter the regular SSH login password to use this command.
Finally, confirm that you can now log in to the remote SSH server without a password:
ssh user@remotehost.com
Assuming initial setup went as intended, you will connect to the remote machine without being prompted for the remote account’s password. You can shorten the connection steps even further by creating an alias in bash_profile so that you only need to type a short command to connect immediately to the specified remote server.
There are some obvious potential security risks with using SSH without a password. The best way to mitigate them is to lock down the client machine: use lock screens for screen savers and sleep, use a lock screen keyboard shortcut when you leave a workstation unattended, set appropriate login passwords, and enable FileVault disk encryption, all of which you should be using anyway. You can even go a step further and enable a firmware password.
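The copy step above, written as an added example (not the article's own code) that validates the key file, creates ~/.ssh with tight permissions, and avoids duplicate or glued-together entries. The helper name `install_pubkey`, the sample key and the temporary directory standing in for the remote home are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not the article's own code. install_pubkey is a hypothetical
# helper that does the job of "cat >> ~/.ssh/authorized_keys" more carefully.

# install_pubkey PUBKEY_FILE TARGET_HOME
install_pubkey() {
    pub=$1 home=$2
    # 1. Accept only a single OpenSSH public-key line (RSA, Ed25519, ECDSA).
    #    A private key such as ~/.ssh/id_rsa is multi-line and is rejected.
    if [ "$(grep -c '' "$pub")" -ne 1 ] || ! grep -Eq \
        '^(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+( .*)?$' "$pub"
    then
        echo "refusing $pub: not a single public-key line" >&2
        return 2
    fi
    key=$(cat "$pub")
    (
        umask 077                       # a new .ssh is 700, a new file is 600
        mkdir -p "$home/.ssh" || exit 1
        auth=$home/.ssh/authorized_keys
        touch "$auth" || exit 1
        # 2. Idempotent: do nothing if this exact line is already present.
        if grep -qxF -e "$key" "$auth"; then exit 0; fi
        # 3. If the file does not end in a newline, add one first so the new
        #    key is not glued onto the previous entry.
        if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
            echo >> "$auth"
        fi
        printf '%s\n' "$key" >> "$auth"
    )
}

# Demo with constructed data: a sample (not real) public key and a temporary
# directory standing in for the remote user's home.
demo=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedSampleKey user@laptop' > "$demo/id_rsa.pub"
mkdir -p "$demo/home/.ssh"
printf 'ssh-rsa AAAAB3existingEntry old@host' > "$demo/home/.ssh/authorized_keys"
install_pubkey "$demo/id_rsa.pub" "$demo/home"
install_pubkey "$demo/id_rsa.pub" "$demo/home"     # second run adds nothing
cat "$demo/home/.ssh/authorized_keys"              # one line per key
rm -rf "$demo"
```

On a real server, copy the .pub file over with scp and run the function in the remote account with "$HOME" as TARGET_HOME.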
Note that cat ~/.ssh/id_dsa.pub should now be cat ~/.ssh/id_rsa.pub on current Macs.
Also, you may have to manually create the .ssh directory on the remote server first.
This is not working with the Mac mini. Can anyone suggest a solution to this?
So many articles address using SSH keys to connect a terminal session to a remote server location, but this is the first article I found that succinctly explained setting up a server to receive remote SSH connections. It’s so easy when you “get it”. Thanks!
Thanks for the kind words Tony, glad this helped you setting up a password-free login with SSH!
Thank you!
Finally I can access a remote server from my MacBook Pro!
Did not work for me trying to connect from El Capitan to a Mac mini. Still asks for the password.
Can anyone suggest a solution to this? I am facing the same problem with a Mac mini.
Thank you!! Had to look around a bit before I found this page with easy steps that worked :)
You need the correct permissions on the remote Linux machine ->
chmod go-w ~
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
This is exactly what worked for me after a few tries.
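The permission fix in the comment above, as an added example that is not part of the original post or thread: a check for the conditions under which sshd with StrictModes (on by default) ignores authorized_keys, run before and after the three chmod commands. The helper name `audit_ssh_modes` and the temporary directory are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original thread. audit_ssh_modes is a
# hypothetical helper; run it on the remote machine as the login user.

# audit_ssh_modes [HOME_DIR]
# sshd with StrictModes (the default) ignores authorized_keys when the home
# directory, ~/.ssh or the file itself is writable by group or others, or is
# owned by someone other than the user or root. Prints each offending path
# and returns 1 if any is found, 0 otherwise.
audit_ssh_modes() {
    home=${1:-$HOME} uid=$(id -u) bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"; bad=1; continue
        fi
        # -perm -020 / -perm -002: group-write or other-write bit is set.
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "WRITABLE $p"; bad=1
        fi
        # Owner must be the login user or root (uid 0).
        if [ -n "$(find "$p" -prune ! -user "$uid" ! -user 0)" ]; then
            echo "OWNER    $p"; bad=1
        fi
    done
    return "$bad"
}

# Demo on a constructed home directory with the loose modes that produce the
# "still asks for the password" symptom, then the three chmod commands from
# the comment above.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && : > "$demo/.ssh/authorized_keys"
chmod 775 "$demo" && chmod 777 "$demo/.ssh" && chmod 664 "$demo/.ssh/authorized_keys"
audit_ssh_modes "$demo" || echo "-> sshd would ignore authorized_keys"
chmod go-w "$demo"; chmod 700 "$demo/.ssh"; chmod 600 "$demo/.ssh/authorized_keys"
audit_ssh_modes "$demo" && echo "-> modes OK"
rm -rf "$demo"
```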
Thanks!
That got it working for me too!
+1 for me too! Thanks for this, it helped me sort out a connection from OS X 10.10 to Redhat Linux
The article starts out saying that, by default, the key file is written to ~/.ssh/id_rsa. Several lines further down it describes cat’ing ~/.ssh/id_dsa.pub. Is this an error, as several others have suggested? If so, I hope the author will make the correction.
No, id_rsa.pub is the public key that you need to move to the server. Both files are generated and the id_rsa file is your private key. You do not want that on a remote machine you do not control.
Oh, “dsa.pub” is definitely a typo, sorry.
Love the ssh-copy-id if you have it. Otherwise got to watch the newlines and any other characters. Even still, there was one time (at band camp) where I was putting up a two-node SLES cluster on VM and to make life easier I wanted them to ssh/scp to each other without password.
I tried multiple times (probably an hour) trying to copy/cat/sftp(then mv or cp) the file into the authorized_keys and it would not work!! It worked from node01 to node02 but not the other way around.
After about an hour of frustration, I tried Google, found out about the ssh-copy-id (new to me..) and it worked easily. Not sure what I ended up doing wrong, but nowadays if ssh-copy-id is available, I use it first.
Worked great; thanks for concise instructions, including command-line detail.
Did not work for me. Actually, I used to set up this all the time in the early days of OS X and know the procedure by heart, but it seems to have stopped working for me some time around Leopard (10.5).
I created the public key on my Mac Pro running 10.8.2, and the machine I copied the public key to (and would like to connect to without password) is a Mac Mini running 10.6.8. Could the Mountain Lion->Snow Leopard connection be a source of my problem?
I also have a 15″ Retina MBP running 10.8.2 that I could test on, to see if I can get the two machines running 10.8.2 to see if they can connect without passwords.
I had to create a private key and leave it on my client to get it to work.
ssh-keygen -b 1024 -t rsa -f id_rsa -P ""
This doesn’t work for me :-(
I’m using Mountain Lion trying to connect to a Linux box (Linux cardiff 2.6.32.36-grsec)
Any ideas guys?
James, I use Mountain Lion and by default ssh-keygen generates an id_rsa.pub key instead of id_dsa.pub key.
Just copy id_rsa.pub as described above and it should work.
Will this only work if you are the same user on your mac as you are on the linux box?
Can this be set up to log in as a different user?
+1 for ssh-copy-id …
brew install ssh-copy-id
ssh-copy-id user@remotehost
The first step was to create an RSA key pair, but the second step currently has `cat ~/.ssh/id_dsa.pub`.
If the remote host doesn’t already have an .ssh directory, this should create it and the authorized_keys file with the correct permissions:
`cat ~/.ssh/id_rsa.pub | ssh user@host.com "umask 0077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys"`
The first zero in `umask 0077` means that it’s an octal number. 077 means that all permissions should be subtracted from group and other. (So created folders will have 700 and files 600 permissions by default.)
The authorized_keys file should not be accessible by everyone, while the ~/.ssh directory can have execute permission for everyone so anyone can collect your public key files (*.pub). Make sure the authorized_keys and private key files are well protected.
So better add umask:
cat ~/.ssh/id_dsa.pub | ssh user@remotehost 'umask 066; cat >> ~/.ssh/authorized_keys'
Won’t matter if you set a password during keygen. Nobody else can use it right.
You have a typo here “cat ~/.ssh/id_dsa.pub”. Plus, for ones who get “stdin: is not a tty” message, please check this out http://webhostingneeds.com/Git_stdin_is_not_a_tty
so useful, and pretty simple… but for more info
http://www.afp548.com/netboot/mactips/rsync.html
from bombich, carbon copy cloner author.