How to Set Up a Password-less SSH Login

May 25, 2012 - 29 Comments


Setting up passwordless SSH logins is a great way to speed up connections to regularly accessed remote Macs and Unix boxes. Because not all versions of Mac OS X include the ssh-copy-id command, you may have to use cat or scp to copy over your SSH key. Here is how to set everything up; it only takes a minute or so.

First, on the local machine you will want to generate a secure SSH key:

ssh-keygen

Walk through the key generator and set a password. By default, the key file goes into ~/.ssh/id_rsa, with the matching public key in ~/.ssh/id_rsa.pub.

Next, copy the generated public key to the remote server you want to set up passwordless logins with. This is easily done with the following command string, but you can use ssh-copy-id or scp if you’d prefer:

cat ~/.ssh/id_rsa.pub | ssh user@remotehost 'cat >> ~/.ssh/authorized_keys'

(Remember to replace “user@remotehost” with the appropriate username and remote IP address or domain of the server)

This command takes the generated SSH public key from the local machine, connects to the remote host via SSH, and then uses cat to append the key to the remote user's authorized key list. Because this connects to the remote machine with SSH, you will need to enter the regular SSH login password to use this command.

Finally, confirm that you can now login to the remote SSH server without a password:

ssh user@remotehost.com

Assuming initial setup went as intended, you will connect to the remote machine without having to log in. You can shorten the connection steps even further by creating an alias in .bash_profile so that you only need to type a short command to connect immediately to the specified remote server.
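The remote-side half of the copy step, as an added example that is not part of the original article: it folds in the fixes raised in the comment thread (a missing .ssh directory, the 700/600 modes, keys glued together by a missing newline) and skips keys that are already authorized. The function names install_pubkey, audit_perms and mode_of are hypothetical, and the key line is a constructed fake used for a rehearsal in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the article. install_pubkey, audit_perms and mode_of
# are hypothetical helper names; the key in demo() is a constructed fake.

mode_of() { ls -ld "$1" | cut -c1-10; }          # e.g. drwx------

# install_pubkey PUBKEY_FILE SSH_DIR: append the key once, with tight modes.
install_pubkey() {
    pub=$1; dir=$2; auth=$dir/authorized_keys
    key=$(head -n 1 "$pub")
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;   # looks like a .pub line
        *) echo "refusing: $pub is not a public key" >&2; return 1 ;;
    esac
    ( umask 077; mkdir -p "$dir"; touch "$auth" )    # created as 700 / 600
    chmod 700 "$dir"; chmod 600 "$auth"              # repair older, looser modes
    if grep -qxF -- "$key" "$auth"; then return 0; fi   # already authorized
    # A file without a final newline would glue the new key onto the last one.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then printf '\n' >> "$auth"; fi
    printf '%s\n' "$key" >> "$auth"
}

# audit_perms HOME_DIR: report anything looser than the modes from the comments.
audit_perms() {
    home=$1; rc=0
    case $(mode_of "$home") in
        ?????w????|????????w?) echo "$home is group/other writable: chmod go-w"; rc=1 ;;
    esac
    [ "$(mode_of "$home/.ssh")" = "drwx------" ] || { echo ".ssh: chmod 700"; rc=1; }
    [ "$(mode_of "$home/.ssh/authorized_keys")" = "-rw-------" ] ||
        { echo "authorized_keys: chmod 600"; rc=1; }
    return $rc
}

# Rehearsal in a scratch directory standing in for the remote home directory.
demo() {
    h=$(mktemp -d) || return 1
    chmod 755 "$h"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED user@laptop\n' > "$h/id_rsa.pub"
    install_pubkey "$h/id_rsa.pub" "$h/.ssh" && install_pubkey "$h/id_rsa.pub" "$h/.ssh"
    audit_perms "$h" && grep -c . "$h/.ssh/authorized_keys"   # one entry, no duplicate
    rm -rf "$h"
}
demo
```

If key login still prompts for a password after the copy step, running audit_perms against the remote home directory shows which of the three modes is too loose.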

There are some obvious potential security risks with using SSH without a password. The best way to mitigate them is to lock down the client machine: require a lock screen for screen savers and sleep, use a lock screen keyboard shortcut when you leave a workstation unattended, set appropriate login passwords, and enable FileVault disk encryption, all of which you should be doing anyway. You can even go a step further and enable a firmware password.


Posted by: William Pearson in Command Line, Mac OS, Tips & Tricks


  1. Doug Lerner says:

    Note that cat ~/.ssh/id_dsa.pub should now be cat ~/.ssh/id_rsa.pub on current Macs.

    Also, you may have to manually create the .ssh directory on the remote server first.

  2. swaroop says:

    This is not working with the Mac mini. Can anyone suggest a solution to this?

  3. Tony Chung says:

    So many articles address using SSH keys to connect a terminal session to a remote server location, but this is the first article I found that succinctly explained setting up a server to receive remote SSH connections. It’s so easy when you “get it”. Thanks!

  4. Susan Sailow says:

    Thank you!
    Finally I can access a remote server from my MacBook Pro!

  5. parag says:

    Did not work for me trying to connect from El Capitan to a Mac mini. Still asks for the password.

  6. aj says:

    Thank you!! had to look around a bit before i found this page with easy steps that worked :)

  7. rajan says:

    You need the correct permissions on the remote Linux machine ->

    chmod go-w ~
    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys

  8. Chap says:

    The article starts out saying that, by default, the key file is written to ~/.ssh/id_rsa. Several lines further down it describes cat’ing ~/.ssh/id_dsa.pub. Is this an error, as several others have suggested? If so, I hope the author will make the correction.

    • keinebremsen says:

      No, id_rsa.pub is the public key that you need to move to the server. Both files are generated and the id_rsa file is your private key. You do not want that on a remote machine you do not control.

    • keinebremsen says:

      Oh, “dsa.pub” is definitely a typo, sorry.

  9. ben says:

    Love the ssh-copy-id if you have it. Otherwise got to watch the newlines and any other characters. Even still, there was one time (at band camp) where I was putting up a two-node SLES cluster on VM and to make life easier I wanted them to ssh/scp to each other without password.

    I tried multiple times (probably an hour) trying to copy/cat/sftp(then mv or cp) the file into the authorized_keys and it would not work!! It worked from node01 to node02 but not the other way around.

    After about an hour of frustration, I tried google, found out about the ssh-copy-id (new to me..) and it worked easily. Not sure what I ended up doing wrong, but nowadays if ssh-copy-id is available, I use it first.

  10. Worked great; thanks for concise instructions, including command-line detail.

  11. Leaman Crews says:

    Did not work for me. Actually, I used to set up this all the time in the early days of OS X and know the procedure by heart, but it seems to have stopped working for me some time around Leopard (10.5).

    I created the public key on my Mac Pro running 10.8.2, and the machine I copied the public key to (and would like to connect to without password) is a Mac Mini running 10.6.8. Could the Mountain Lion->Snow Leopard connection be a source of my problem?

    I also have a 15″ Retina MBP running 10.8.2 that I could test on, to see if I can get the two machines running 10.8.2 to see if they can connect without passwords.

  12. Karl says:

    I had to create a private key and leave it on my client to get it to work.
    ssh-keygen -b 1024 -t rsa -f id_rsa -P ""

  13. James says:

    This doesn’t work for me :-(
    I’m using Mountain Lion trying to connect to a Linux box (Linux cardiff 2.6.32.36-grsec)
    Any ideas guys?

    • Isabelle says:

      James, I use Mountain Lion and by default ssh-keygen generates an id_rsa.pub key instead of id_dsa.pub key.
      Just copy id_rsa.pub as described above and it should work.

  14. Jeff says:

    Will this only work if you are the same user on your mac as you are on the linux box?
    Can this be set up to log in as a different user?

  15. Moti says:

    +1 for ssh-copy-id …

  16. pencil says:

    brew install ssh-copy-id
    ssh-copy-id user@remotehost

  17. Lri says:

    The first step was to create an RSA key pair, but the second step currently has `cat ~/.ssh/id_dsa.pub`.

    If the remote host doesn’t already have an .ssh directory, this should create it and the authorized_keys file with the correct permissions:

    `cat ~/.ssh/id_rsa.pub | ssh user@host.com "umask 0077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys"`

    The first zero in `umask 0077` means that it’s an octal number. 077 means that all permissions should be subtracted from group and other. (So created folders will have 700 and files 600 permissions by default.)

  18. abubasim says:

    The authorized_keys file should not be accessible by everyone, while the ~/.ssh directory can have execute permission for everyone so anyone can collect your public key files (*.pub). Make sure the authorized_keys and private key files are well protected.

    So better add umask:

    cat ~/.ssh/id_dsa.pub | ssh user@remotehost 'umask 066; cat >> ~/.ssh/authorized_keys'

  19. Mert Emin says:

    You have a typo here “cat ~/.ssh/id_dsa.pub”. Plus, for ones who get “stdin: is not a tty” message, please check this out http://webhostingneeds.com/Git_stdin_is_not_a_tty

  20. jeff says:

    so useful, and pretty simple… but for more info
    http://www.afp548.com/netboot/mactips/rsync.html

    from bombich, carbon copy cloner author.
