# Password-less SSH

## How does password-less SSH work

SSH (or SFTP, `scp`) can be used in a password-less mode, where key-based authentication is used between client and server.

When password-less mode is configured, a given user on a given client host can connect through SSH to a given server without explicitly providing the password, because the server has a way (through a private/public key pair) to authenticate the client (validate that "you are who you say you are").

### How private/public keys work

Public/private key pairs work like this:

* Data that is encrypted with one of these keys can only be decrypted with the other (and vice versa)
* The private key is never given to anyone; it is used only by the owner of that key to encrypt data that it sends
* The public key is sent to anyone that needs to receive data from that owner
* Successfully decrypting data using the public key authenticates that this data was in fact sent by the owner, and no one else

### Using private/public keys with SSH

* A private/public key pair is generated, by a given user, on the client host
  * The private key is kept secret on the client host (with great care, in the user's home folder)
  * The public key is sent to the server host, in the home folder of the user account on the server
* When an SSH session is established
  * The private key is used by the client host
  * The server uses the public key to authenticate the client (be sure that the client is who it claims to be), and allows login

## Is it secure?

Password-less SSH is known to be secure, as long as the client's private key remains private.

It is thus extremely important to keep the private key file securely on the client host, in the home directory of the user that uses it (`~/.ssh/`), with no read or write permission for anyone but the owner.
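One way to check this rule on a client host, as an added example that is not part of the original documentation: the shell functions below flag an SSH directory or private key file that group or others can access. The function names `group_other_bits` and `audit_ssh_dir` are hypothetical, and private keys are recognized by their `-----BEGIN ... PRIVATE KEY-----` header line.

```shell
#!/bin/sh
# Added example (not from the original page): audit an SSH client directory
# for the permission rule described above.

# Print the group/other permission characters of a path, e.g. "------".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Report every problem found in DIR (default: ~/.ssh).
# Returns 0 when clean, non-zero when at least one finding exists.
audit_ssh_dir() {
    dir=${1:-"$HOME/.ssh"}
    findings=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi

    # The directory itself must be closed to group and others (mode 700).
    if [ "$(group_other_bits "$dir")" != "------" ]; then
        echo "FAIL: $dir is accessible to group/others; fix with: chmod 700 $dir"
        findings=$((findings + 1))
    fi

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Identify private keys by their header line, not by file name.
        if head -n 1 "$f" 2>/dev/null | grep -q -e '-----BEGIN .*PRIVATE KEY-----'; then
            if [ "$(group_other_bits "$f")" != "------" ]; then
                echo "FAIL: private key $f is accessible to group/others; fix with: chmod 600 $f"
                findings=$((findings + 1))
            else
                echo "OK:   $f"
            fi
        fi
    done

    [ "$findings" -eq 0 ]
}
```

Source the file and call `audit_ssh_dir` with no argument to check `~/.ssh` for the current user.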

## How to set up password-less SSH login

Password-less SSH login is configured with the following steps:

* On the client host:
  * Log in using the user account for which password-less SSH is being set up
  * Create the private/public key pair using the command `ssh-keygen -t rsa`
  * Do not enter a passphrase
* On the server host:
  * Log in using the user account that will be used for these SSH password-less connections
  * Add the public key to the `authorized_keys2` file

For example:

* Generate the private/public key pair:

```
ssh-keygen -t rsa
```

The command output should look like this:

```
Generating public/private rsa key pair.
Enter file in which to save the key (/home/my_client_user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/my_client_user/.ssh/id_rsa.
Your public key has been saved in /home/my_client_user/.ssh/id_rsa.pub.
The key fingerprint is:
01:23:45:67:89:01:23:45:67:89:01:23:45:67:89:01 my_client_user@my_client_host
```

* Upload the public key to the server (here we use a remote SSH command to append to the `authorized_keys2` file on the server):

```
cat /home/my_client_user/.ssh/id_rsa.pub | ssh my_server_host -l my_server_user 'sh -c "cat - >>~/.ssh/authorized_keys2"'
```

You will then be prompted for the password (since password-less SSH is not yet set up):

```
my_server_user@my_server_host's password:
```

Alternatively, instead of the previous `cat` and `ssh` command, the public key can be pushed from the client host with:

```
ssh-copy-id my_server_user@my_server_host
```

Now you can try to connect to the remote server without a password:

```
ssh -i ~/.ssh/id_rsa my_server_user@my_server_host
```


