We often use ssh-copy-id to copy ssh keys from our local Linux computers to RHEL servers in order to connect without typing in a password. This is not only for convenience; it enables you to script and automate tasks that involve remote machines. Also, using ssh keys correctly is considered a best practice. If you are conditioned to respond with your password every time you are prompted, you might not notice a prompt that isn't legitimate (for example, spoofed).
What about when you can't use ssh-copy-id or the target user ID doesn't have a password (for example, an Ansible service user)? This article explains how to do it manually and avoid the common pitfall of forgetting to set the proper permissions.
Usually, you'd do this:
ssh-keygen ...
ssh-copy-id USER@IP
However, when ssh-copy-id is not available for use, you can do the following. This includes the steps to set the proper permissions. If permissions and/or ownership of the .ssh directory and files are incorrect, the server will still ask you for the password. This can be difficult to diagnose if you don't have root access to check the logs.
On your local machine, do this:
$ ssh-keygen
$ cat ~/.ssh/id_rsa.pub
ssh-rsa ... stuff ... user@domain
Now copy the whole line, from ssh-rsa to your user@domain, so that it is on the clipboard, or put it on a USB stick, or write it onto paper and send it via a delivery pigeon. This is your public key that needs to be added to ~/.ssh/authorized_keys on the remote server.
On the remote server, do this:
$ mkdir ~/.ssh/
$ chmod 700 ~/.ssh  # this is important.
$ touch ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys  # this is important.
On the remote system, edit ~/.ssh/authorized_keys and append the output of the cat command above.
Now you should be able to connect from your computer to the remote system. No restarts are necessary.
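The remote-side steps above as a script, together with a permissions check you can run as the ordinary user when you cannot read the server logs. This is an added example, not part of the original article: the function names install_pubkey and audit_ssh_perms are hypothetical, and it assumes GNU stat as shipped on RHEL. The audit applies the rule OpenSSH enforces with its default StrictModes setting: the home directory, ~/.ssh and authorized_keys must be owned by the user or root and must not be writable by group or others.

```shell
# install_pubkey KEYLINE [HOME_DIR]: append KEYLINE to authorized_keys once,
# creating .ssh (700) and authorized_keys (600) when they are missing.
install_pubkey() {
    key=$1; home=${2:-$HOME}
    case $key in
        ssh-*\ *|ecdsa-*\ *|sk-*\ *) ;;      # expected shape: "type base64 [comment]"
        *) echo "not a public key line" >&2; return 2 ;;
    esac
    (
        umask 077    # new files are never group/world accessible, even briefly
        mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || exit 1
        touch "$home/.ssh/authorized_keys" &&
            chmod 600 "$home/.ssh/authorized_keys" || exit 1
        # -x whole line, -F fixed string: do nothing if the key is already present
        grep -qxF -- "$key" "$home/.ssh/authorized_keys" ||
            printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    )
}

# audit_ssh_perms [HOME_DIR]: print every ownership or mode problem found.
# Returns 0 when all three paths are acceptable, 1 otherwise.
audit_ssh_perms() {
    home=${1:-$HOME}; me=$(id -u); bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then echo "MISSING  $p"; bad=1; continue; fi
        set -- $(stat -c '%a %u' "$p")       # octal mode, numeric owner (GNU stat)
        mode=$1; owner=$2
        if [ "$owner" != "$me" ] && [ "$owner" != 0 ]; then
            echo "OWNER    $p is owned by uid $owner"; bad=1
        fi
        # any group or other write bit set, i.e. (mode & 022) != 0
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $p has mode $mode (fix with chmod go-w)"; bad=1
        fi
    done
    return $bad
}
```

On the remote server, call install_pubkey with the public key line in quotes, then run audit_ssh_perms; any line it prints names a path to fix before key login will work.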
For more details, see How to setup SSH passwordless login in Red Hat Enterprise Linux on the Red Hat Customer Portal. Keep in mind that when you join the Red Hat Developer Program, a no-cost developer subscription is automatically added to your account. Using your Red Hat ID, you'll have access to the articles and knowledgebase on access.redhat.com. The developer subscription period is one year. However, all you have to do in order to renew is log in to developers.redhat.com again.
On a related note, if you need help getting sudo set up so you don't have to type the root password, see How to enable sudo on Red Hat Enterprise Linux.
Happy ssh'ing.
Last updated: November 1, 2018