How to SSH Using a Public Key Instead of Password
Setting Up SSH Key Authentication
When accessing remote systems using SSH, using RSA keys instead of passwords offers both convenience and security benefits. This approach is especially useful for automation tools like Ansible. This guide walks you through the process of setting up SSH key authentication.
Why Use SSH Keys?
- Convenience: No need to enter passwords for each connection
- Security: More secure than password authentication
- Automation: Essential for tools like Ansible, Jenkins, or scripts
- Time-saving: Faster access to frequently used systems
Step 1: Generate the Key Pair
First, create your public and private key pair. The private key stays on your client system, while the public key will be copied to target servers.
ssh-keygen -t rsa
Example output:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jonas/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/jonas/.ssh/id_rsa.
Your public key has been saved in /home/jonas/.ssh/id_rsa.pub.
The key fingerprint is:
68:1f:bd:d2:80:3e:ad:fa:f0:eb:c0:2f:a2:23:8d:5a jonas@nyx
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| |
| o . |
| + S . |
| . o o + . |
| oE + o + o|
| +.o .= o . |
| =o ..=B. |
+-----------------+
Note: The passphrase is optional but recommended for security. If your private key is compromised, the passphrase provides an additional layer of protection.
Step 2: Copy the Public Key to the Remote System
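Next, copy your public key to the remote server. You'll need to enter your password this time, but it will be the last time. The scp command below overwrites any existing authorized_keys file on the remote account, so use it only when no other keys are installed there.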
scp ~/.ssh/id_rsa.pub username@remote_host:.ssh/authorized_keys
Example:
jonas@nyx:~$ scp ~/.ssh/id_rsa.pub 192.168.56.102:.ssh/authorized_keys
jonas@192.168.56.102's password:
id_rsa.pub 100% 391 0.4KB/s 00:00
Alternative Methods
If the .ssh directory doesn't exist on the remote server:
# Create the directory and set permissions
ssh username@remote_host "mkdir -p ~/.ssh && chmod 700 ~/.ssh"
# Copy the key
scp ~/.ssh/id_rsa.pub username@remote_host:.ssh/authorized_keys
# Set proper permissions
ssh username@remote_host "chmod 600 ~/.ssh/authorized_keys"
Or use the ssh-copy-id utility if available:
ssh-copy-id username@remote_host
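An added example (not from the original article): a POSIX shell helper, meant to run on the remote account, that appends the public key to authorized_keys instead of overwriting it as the scp commands above do, and applies the 700/600 permissions. The function names and the optional HOME_DIR argument are assumptions for illustration.

```sh
#!/bin/sh
# Added example; install_pubkey, check_ssh_perms and mode_of are hypothetical names.

# install_pubkey PUBKEY_FILE [HOME_DIR]: run on the target account.
install_pubkey() {
    pubkey_file=$1
    home_dir=${2:-$HOME}
    ssh_dir=$home_dir/.ssh
    auth_file=$ssh_dir/authorized_keys
    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }

    # Create missing files private from the start, then enforce 700/600.
    old_umask=$(umask); umask 077; rc=0
    mkdir -p "$ssh_dir" && touch "$auth_file" || rc=1
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return 1
    chmod 700 "$ssh_dir" || return 1
    chmod 600 "$auth_file" || return 1

    # If the existing file lacks a final newline, add one so keys are not joined.
    [ -z "$(tail -c 1 "$auth_file")" ] || echo >> "$auth_file"

    # Append each key line only if that exact line is not already present.
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        grep -qxF -- "$line" "$auth_file" || printf '%s\n' "$line" >> "$auth_file"
    done < "$pubkey_file"
    return 0
}

# mode_of PATH: print octal permission bits (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_perms [HOME_DIR]: succeed only if modes are exactly 700 and 600.
check_ssh_perms() {
    home_dir=${1:-$HOME}
    [ "$(mode_of "$home_dir/.ssh")" = 700 ] &&
        [ "$(mode_of "$home_dir/.ssh/authorized_keys")" = 600 ]
}
```

Running install_pubkey twice with the same key leaves a single entry, and keys already present for other users or machines are preserved.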
Step 3: Verify the Setup
Test that you can now connect without a password:
# Try copying a file without entering a password
scp ~/.ssh/id_rsa.pub 192.168.56.102:.ssh/test_file
Example output:
id_rsa.pub 100% 391 0.4KB/s 00:00
Using SSH Keys with Ansible
With SSH keys set up, Ansible can connect to hosts without password prompts:
ansible -m ping all
Example output:
192.168.56.102 | success >> {
"changed": false,
"ping": "pong"
}
192.168.56.101 | FAILED => SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue
In this example, the first host (192.168.56.102) has SSH key authentication set up and works successfully, while the second host (192.168.56.101) still requires password authentication and fails.
Troubleshooting
If you encounter issues:
- Check permissions: The .ssh directory should be 700 and the authorized_keys file should be 600:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
- Verify SSH configuration: Ensure PubkeyAuthentication yes is set in /etc/ssh/sshd_config
- Debug connection issues:
ssh -vvv username@remote_host
- SELinux contexts: If using SELinux, check contexts:
restorecon -R -v ~/.ssh