Igor Bubelov About Blog Photos

Setting Up SSH Passwordless Auth

June 23, 2021

There are many ways to access remote servers, but the most popular is Secure Shell Protocol (SSH). All popular operating systems ship with an SSH client and server packages installed by default, which means you can connect to other computers as well as to allow them to use your machine. That’s cool, but also a bit concerning: how can we make sure only the right people can access our computers?

There are many ways to authorize via SSH, but the most popular are password auth and key-based auth. Among those two methods, key-based auth is preferable because it’s much harder to guess an average cryptographic key than the average password. You can use SSH to generate so-called public-private key pair. After that, you can copy your public key to a machine you want to access remotely and place it in authorized_keys directory. After that, you can go ahead and connect to that computer without typing any passwords. This method is both convenient and secure.

Let’s say we generated a key pair already, how do we copy our public key to a remote host? Looks like a chicken and egg problem. Many VPS providers solve this problem by asking for your public key before creating your first server, so they can add it to authorized_keys every time they bring up a fresh server for you. Another way to set up key-based auth is to start with password auth and then use a program called ssh-copy-id. It will attempt normal password auth and, once you type your password, it will add your public key to authorized_keys directory on the remote host. In other words, this program “pushes” your public key to a remote server. The downside? You have to enable less secure password auth first and then manually turn it off.

I’ve been happily using ssh-copy-id for years, but this mouth, I’ve found out that it’s also possible to “pull” my public key without setting up password auth. It’s especially useful when I have physical access to a new machine, and I want to be able to connect to it remotely from my main computer at a latter stage. How is it possible to pull a public key from a machine which might be out of reach? Even if it’s reachable, it won’t give any files to an unrecognized client. We have a chicken and egg problem again. Well, pretty much everyone uses GitHub, and it will happily give you public keys of any user. Public keys aren’t secret, so there is no reason to hide them anyway. The tool that can pull public keys of any GitHub user is called ssh-import-id and it’s installed by default on most Linux distributions.