Setting up Passwordless SSH-key

You use the tool “ssh-keygen” to create your public-private key pair. Here is an example session showing how you can run ssh-keygen:

[user@host ~]$ ssh-keygen -t ed25519 -C "Add a Description to easily tell which machine this belongs to"
Generating public/private key pair.
Enter file in which to save the key (/home/user/.ssh/id_ed25519): [Enter to leave default]
Enter passphrase (empty for no passphrase): [Enter to leave empty]
Enter same passphrase: [Enter to leave empty]

You should leave the default values above by simply hitting Enter three times. The private key is created in id_ed25519 and the matching public key is id_ed25519.pub. The id_ed25519 file name is what ssh will look for when attempting public-key authentication (unless specified differently using the IdentityFile variable in the global config file /etc/ssh/ssh_config or your local config file ~/.ssh/config).

The *.pub file needs to be appended to the ~/.ssh/authorized_keys file to be recognized by ssh. This should be done on any remote hosts you wish to connect to using public-key authorization. Each key in this file needs to be added on its own line and the file needs to have specific permissions and ownership in order to be recognized:

• owner: the user whose home directory it resides in
• permissions: 0600, writable by the owner and no one else

There are different ways to distribute and set up the authorized_keys file depending on your situation:

You can always ask for help from socit@uci.edu and we'll work with you to get your public key set up.

If you want to DIY, you can try one of the methods below:

If you have access to the console of the remote host (i.e. you can physically access the console in-person), then you can set up the authorized_keys file like this (note that this does not require admin/sudo privileges):

1. Generate your SSH key on your computer that you will use to access the remote host using ssh-keygen as described above
2. Save the .pub key file either in email to yourself or on a USB drive
3. On the local console of the remote host, login as your user account:
   1. Copy the contents of the new public key (either from email or a USB drive) to a temp file:

      TMP_NEWKEY_FILE=/tmp/newkey.pub
      echo "ssh-ed25519 AAAAasdfghjklQWERTYPOIUzxcvbnm/00/PLokIJuhYG12345 this is a comment" > $TMP_NEWKEY_FILE

   2. Set up your ~/.ssh directory and authorized_keys file with correct permissions. This is safe to do even if they already exist and will not erase or overwrite existing keys:

      mkdir -p ~/.ssh
      touch ~/.ssh/authorized_keys
      chmod 700 ~/.ssh
      chmod 600 ~/.ssh/authorized_keys

   3. Append your new public key:

      cat $TMP_NEWKEY_FILE >> ~/.ssh/authorized)_keys

   4. Delete the temp file:

      rm $TMP_NEWKEY_FILE

If you can log in to the remote host using a password, then you can use the command ssh-copy-id to set up your public key. Here is an example session showing how ssh-copy-id works:

[user@localhost ~]$ ssh-copy-id user@remotehost
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/username/.ssh/id_ed25519.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@remotehosts's password: 

Number of key(s) added:        1

Now try logging into the machine, with: "ssh 'user@remotehost'"
and check to make sure that only the key(s) you wanted were added.

If ssh-copy-id does not work or is not available, then you can manually accomplish the same steps like this:

# Your pub key's filename may differ depending on whether it was ed25519 (id_ed25519.pub), rsa (id_rsa.pub) or dsa (id_dsa.pub)
[user@localhost ~]$ scp ~/.ssh/id_ed25519.pub user@remotehost:/home/user/.ssh/my_id.pub
Enter password for user@remotehost:
[user@localhost ~]$ ssh user@remotehost
Enter Password
[user@remotehost ~]$ cd .ssh
[user@remotehost .ssh]$ cat my_id.pub >> authorized_keys
[user@remotehost .ssh]$ chmod 600 authorized_keys
[user@remotehost .ssh]$ rm my_id.pub

If password authentication is already disabled, then you will have to give your public key file to someone with admin access who already has public key authentication set up, or follow the above instructions for local console access to set it up yourself.

If you have admin access and have been asked to add someone else's public key to their user account, the following example code should guide you on the steps to take. This assumes that they have somehow given you their public key and it is stored in a file called /tmp/newkey.pub and their username is “example”. Modify these variables appropriately to meet your needs:

USERNAME=example
TMP_PUBKEY_FILE="/tmp/newkey.pub"
USER_HOME=$(eval echo "~$USERNAME")
AUTHKEY_FILE="$USER_HOME/.ssh/authorized_keys"
 
# Ensure .ssh exists
sudo mkdir -p "$USER_HOME/.ssh"
sudo touch "$AUTHKEY_FILE"
 
# Append key if not already present
if ! sudo grep -Fxq -f "$TMP_PUBKEY_FILE" "$AUTHKEY_FILE"; then
  cat "$TMP_PUBKEY_FILE" | sudo tee -a "$AUTHKEY_FILE" > /dev/null
fi
 
# Set permissions
sudo chmod 700 "$USER_HOME/.ssh"
sudo chmod 600 "$AUTHKEY_FILE"
sudo chown -R "$USERNAME" "$USER_HOME/.ssh"
 
# Clean up temp file
rm -f "$TMP_PUBKEY_FILE"