Date : 7th March 2026
Article by Tushar Sonawane , Nakshatra systems
================================================================================
CONFIGURING PASSWORDLESS SSH LOGIN (KEY-BASED AUTHENTICATION)
================================================================================
1. INTRODUCTION
--------------------------------------------------------------------------------
Secure Shell (SSH) is the standard protocol used for secure remote login and
administration of Linux systems. By default, SSH allows authentication using
passwords. However, password-based authentication introduces several security
risks including brute-force attacks, password reuse, and credential leakage.
A more secure and widely recommended approach is SSH key-based authentication,
also known as passwordless SSH login.
Instead of entering a password for every connection, SSH uses a cryptographic
key pair consisting of:
- A private key (kept securely on the client machine)
- A public key (stored on the remote server)
When a client attempts to connect, the SSH server verifies that the client
possesses the correct private key corresponding to the stored public key.
If verification succeeds, the user is authenticated without requiring a password.
--------------------------------------------------------------------------------
2. BENEFITS OF SSH KEY-BASED AUTHENTICATION
--------------------------------------------------------------------------------
Using SSH keys instead of passwords provides several security and operational
advantages:
- Strong cryptographic authentication
- Protection against brute-force password attacks
- Elimination of password transmission over the network
- Secure automation for scripts, backups, and deployments
- Faster login without repeated password prompts
- Easier integration with configuration management tools
Key-based authentication is the standard practice in production Linux
environments, cloud infrastructure, and automated deployment pipelines.
--------------------------------------------------------------------------------
3. SSH KEY TYPES
--------------------------------------------------------------------------------
SSH supports multiple cryptographic key algorithms.
Commonly used SSH key types include:
1. RSA
Widely supported and compatible with older systems.
2. ED25519
Modern, faster, and more secure than RSA.
Recommended for most new deployments.
3. ECDSA
Elliptic curve based algorithm supported by OpenSSH.
Recommended Key Type:
ED25519 is generally preferred due to its strong security and smaller key size.
Example key generation formats:
- RSA key
- ED25519 key
--------------------------------------------------------------------------------
4. PREREQUISITES
--------------------------------------------------------------------------------
Before configuring passwordless SSH login, ensure:
- SSH server (sshd) is installed on the target system
- SSH service is running
- Network connectivity exists between client and server
- User accounts exist on both systems
Verify SSH service status:
ps aux | grep sshd
Start SSH service if required:
/etc/rc.d/rc.sshd start
Enable SSH service at boot (if not already enabled):
chmod +x /etc/rc.d/rc.sshd
--------------------------------------------------------------------------------
5. GENERATING AN SSH KEY PAIR
--------------------------------------------------------------------------------
SSH key pairs must be generated on the CLIENT system.
Run the following command:
ssh-keygen -t rsa
You will be prompted for the following options:
Enter file in which to save the key
Press Enter to accept the default location.
Default key location:
~/.ssh/id_rsa
You may optionally protect the private key with a passphrase for additional
security.
Example output files created:
Private key:
~/.ssh/id_rsa
Public key:
~/.ssh/id_rsa.pub
If generating a modern ED25519 key instead:
ssh-keygen -t ed25519
This produces:
~/.ssh/id_ed25519
~/.ssh/id_ed25519.pub
IMPORTANT:
Never share your private key.
--------------------------------------------------------------------------------
6. COPYING THE PUBLIC KEY TO THE SERVER
--------------------------------------------------------------------------------
The public key must be installed on the target SSH server.
The simplest method is using:
ssh-copy-id
Example:
ssh-copy-id username@server-ip-address
Example:
ssh-copy-id -i ~/.ssh/id_rsa.pub user@192.168.1.10
This command automatically:
- Connects to the server
- Creates the ~/.ssh directory if needed
- Appends the public key to authorized_keys
- Sets proper permissions
After this step, the server recognizes the client’s key.
--------------------------------------------------------------------------------
7. MANUAL PUBLIC KEY INSTALLATION (ALTERNATIVE METHOD)
--------------------------------------------------------------------------------
If ssh-copy-id is not available, the key can be installed manually.
Step 1: Display the public key on the client
cat ~/.ssh/id_rsa.pub
Step 2: Copy the entire output.
Step 3: Log into the server using password authentication.
Step 4: Create the SSH directory if it does not exist
mkdir -p ~/.ssh
Step 5: Open the authorized_keys file
vi ~/.ssh/authorized_keys
Paste the public key on a new line.
Save the file.
--------------------------------------------------------------------------------
8. SETTING CORRECT PERMISSIONS
--------------------------------------------------------------------------------
SSH enforces strict permission rules for security reasons.
Set the following permissions on the server:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Ensure the user home directory is accessible:
chmod 755 ~
Incorrect permissions will cause SSH key authentication to fail.
--------------------------------------------------------------------------------
9. TESTING PASSWORDLESS SSH LOGIN
--------------------------------------------------------------------------------
From the client system, attempt to connect:
ssh username@server-ip
Example:
ssh user@192.168.1.10
If configured correctly:
- SSH will authenticate using the private key
- No password prompt will appear
- Login will occur immediately
--------------------------------------------------------------------------------
10. HARDENING SSH SECURITY (RECOMMENDED)
--------------------------------------------------------------------------------
Once key-based authentication is confirmed working, password authentication
should be disabled to strengthen security.
Edit the SSH server configuration:
vi /etc/ssh/sshd_config
Locate or modify the following directives:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Disable password authentication:
PasswordAuthentication no
To prevent root login:
PermitRootLogin no
Save the configuration file.
Restart the SSH service:
/etc/rc.d/rc.sshd restart
--------------------------------------------------------------------------------
11. MANAGING KNOWN HOSTS
--------------------------------------------------------------------------------
When connecting to a server for the first time, SSH stores the server’s
fingerprint in the known_hosts file.
Location:
~/.ssh/known_hosts
If the server is reinstalled or its key changes, you may see a warning.
To remove an outdated entry:
ssh-keygen -R ip-address
Example:
ssh-keygen -R 192.168.1.10
To remove all stored fingerprints:
rm ~/.ssh/known_hosts
--------------------------------------------------------------------------------
12. TROUBLESHOOTING
--------------------------------------------------------------------------------
Problem: SSH still asks for a password
Check:
- Public key exists in ~/.ssh/authorized_keys
- Correct permissions are set
- SSH service restarted
- Correct username used
Problem: Permission denied (publickey)
Check:
- File permissions
- Correct key type
- Correct authorized_keys content
--------------------------------------------------------------------------------
13. CONCLUSION
--------------------------------------------------------------------------------
SSH key-based authentication significantly improves both security and usability
when accessing remote Linux systems.
By replacing passwords with cryptographic authentication, administrators can:
- Prevent brute-force login attempts
- Secure automated operations
- Simplify remote access workflows
This method is strongly recommended for all production systems and secure
infrastructure environments.
--------------------------------------------------------------------------------