How to Set Up Passwordless SSH for Secure Access to Your VPS

J.A. ShezanJ.A. Shezan
10 min read

Table of contents

Tired of typing your VPS password every time you connect via SSH? Setting up a passwordless connection using SSH keys is a more secure and convenient way to access your remote Linux server. This guide will walk you through the process step-by-step, whether you're on Ubuntu, Windows, or macOS.

Prerequisites

  • Your Host Computer: Can be Ubuntu, Windows, or macOS.

  • Remote VPS: A Linux server.

  • Credentials: You'll need the username and current password for your VPS to set this up.

  • SSH Client (Host):

    • Ubuntu/macOS: OpenSSH is usually pre-installed. You can check by opening a terminal and typing ssh.

    • Windows: Modern Windows 10/11 includes OpenSSH. You can enable it or use a third-party client like PuTTY (this guide focuses on OpenSSH).

  • SSH Server (VPS): Your Linux VPS should have an OpenSSH server running, which is standard.

How it Works: The Magic of SSH Keys โœจ

Instead of a password, SSH key authentication uses a pair of cryptographic keys:

  • Private Key: Stays securely on your host computer. Never share this!

  • Public Key: You'll copy this to your remote VPS.

When you try to connect, your SSH client and the server perform a handshake. The server uses the public key to issue a challenge that only your private key can correctly answer. If successful, you're in โ€“ no password needed!

Step 1: Generate SSH Keys on Your Host Computer

This process creates your private and public key pair. If you already have SSH keys (e.g., for GitHub/GitLab), you can often reuse them. However, it's good practice to use separate keys for different services or decide if your existing key is secure enough for server access.

Instructions for your Host OS:

A. Ubuntu or macOS (and Windows with OpenSSH Client)

  1. Open your Terminal:

    • Ubuntu: Press Ctrl+Alt+T.

    • macOS: Open Terminal.app (from Applications > Utilities).

    • Windows (OpenSSH): Open PowerShell or Command Prompt and type ssh. If it's recognized, proceed. If not, ensure the OpenSSH client feature is enabled in Windows settings or use WSL.

  2. Generate the SSH Key Pair:

    Run the following command:

     ssh-keygen -t rsa -b 4096

    • -t rsa: Specifies the RSA algorithm (widely compatible and secure).

    • -b 4096: Specifies a key length of 4096 bits (very secure).

  3. Follow the Prompts:

    • "Enter file in which to save the key...":

      • If you have NO existing keys or want to overwrite: Press Enter to accept the default location (e.g., /home/your_username/.ssh/id_rsa on Linux/macOS, C:\Users\YourUsername\.ssh\id_rsa on Windows).

      • If you HAVE existing keys and want a NEW, SEPARATE key: Provide a different filename, for example: /home/your_username/.ssh/id_rsa_vps or C:\Users\YourUsername\.ssh\id_rsa_vps.

    • "Enter passphrase (empty for no passphrase):":

      • For true passwordless login: Press Enter (leave it empty). This is convenient but means anyone with access to your private key file can log in.

      • For added security (recommended): Enter a strong passphrase. You'll be prompted for this passphrase once per session when using the key, or you can use an SSH agent to remember it. This guide aims for "passwordless" server login, so we'll assume empty for now, but be aware of the security implication. Press Enter again to confirm.

You'll see output confirming the key generation, including the location of your public and private keys.

    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/yourusername/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/yourusername/.ssh/id_rsa
    Your public key has been saved in /home/yourusername/.ssh/id_rsa.pub
    The key fingerprint is:
    SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx yourusername@yourhost
    The key's randomart image is:
    +---[RSA 4096]----+
    |        ..       |
    |       .  .      |
    |      .    .     |
    | . . . o .. .    |
    |. . oo..S .  .   |
    | . .o.+o  . E    |
    |  . ooo= . .     |
    |   .o+=+o .      |
    |    .=B*Bo.      |
    +----[SHA256]-----+

B. Windows with PuTTY (Alternative if not using OpenSSH)

If you prefer PuTTY:

  1. Download and Run PuTTYgen: Get it from the official PuTTY website.

  2. Generate Keys:

    • Click the "Generate" button.

    • Move your mouse randomly over the blank area as instructed to generate randomness.

    • Once generated, you'll see the public key.

    • Optionally, enter a "Key passphrase" and confirm it for added security. For passwordless, leave it blank.

    • Click "Save private key" (e.g., id_rsa.ppk). Store this securely!

    • Copy the public key text from the "Public key for pasting into OpenSSH authorized_keys file" box. You'll need this for Step 2.

Step 2: Copy Your Public Key to the Remote VPS

Now, you need to place the public key you generated into a special file on your Linux VPS.

This command automatically appends your public key to the correct file on the VPS and sets the right permissions.

  1. Open your Terminal (or PowerShell/CMD for Windows OpenSSH).

  2. Run the command:

    Replace vps_user with your username on the VPS and your_vps_ip_or_hostname with the VPS's IP address or hostname.

    • If you used the default key name (id_rsa):

        ssh-copy-id vps_user@your_vps_ip_or_hostname

    • If you used a custom key name (e.g., id_rsa_vps):

        ssh-copy-id -i ~/.ssh/id_rsa_vps.pub vps_user@your_vps_ip_or_hostname

      (Adjust the path ~/.ssh/id_rsa_vps.pub if you saved it elsewhere or used a different name on Windows, e.g., -i C:\Users\YourUsername\.ssh\id_rsa_vps.pub).

  3. Enter Your VPS Password: You'll be prompted for your VPS user's password one last time.

     /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
 /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
 vps_user@your_vps_ip_or_hostname's password:

  4. Done! The key should now be installed.

Method 2: Manual Copy (If ssh-copy-id is not available or for PuTTY users)

  1. Get Your Public Key Content:

    • OpenSSH (Linux/macOS/Windows): Display your public key in the terminal.

      • Default key:

          cat ~/.ssh/id_rsa.pub

      • Custom key (e.g., id_rsa_vps):

          cat ~/.ssh/id_rsa_vps.pub

Copy the entire output (it starts with ssh-rsa or ecdsa-sha2-nistp256, etc., and ends with your username@host).

  • PuTTY: You should have copied this from PuTTYgen in Step 1B.

  1. SSH into your VPS using your password:

     ssh vps_user@your_vps_ip_or_hostname

    Enter your password when prompted.

  2. On the VPS, create the .ssh directory and authorized_keys file (if they don't exist):

     mkdir -p ~/.ssh
 chmod 700 ~/.ssh
 touch ~/.ssh/authorized_keys
 chmod 600 ~/.ssh/authorized_keys

    • mkdir -p ~/.ssh: Creates the .ssh directory if it doesn't exist.

    • chmod 700 ~/.ssh: Sets permissions for the directory (only owner can read, write, execute).

    • touch ~/.ssh/authorized_keys: Creates the file where public keys are stored.

    • chmod 600 ~/.ssh/authorized_keys: Sets permissions for the file (only owner can read, write). These permissions are crucial!

  3. Open authorized_keys with a text editor (like nano):

     nano ~/.ssh/authorized_keys

  4. Paste Your Public Key: Paste the public key you copied in step 2.1 into a new line in the authorized_keys file. Ensure it's all one line.

  5. Save and Exit:

    • In nano: Press Ctrl+X, then Y to confirm, then Enter to save.

  6. Log out of the VPS:

     exit

Step 3: Test Your Passwordless Connection

Now, try to SSH into your VPS from your host machine:

ssh vps_user@your_vps_ip_or_hostname

  • If you used a custom key name AND your SSH client doesn't automatically find it: You might need to specify the private key using the -i flag:

      ssh -i ~/.ssh/id_rsa_vps vps_user@your_vps_ip_or_hostname

    (Adjust the path ~/.ssh/id_rsa_vps as needed).

If everything is set up correctly, you should be logged into your VPS without being asked for a password! ๐ŸŽ‰

If you used a passphrase for your key: You will be prompted for that passphrase. To avoid typing it repeatedly, you can use an SSH agent (see Bonus section).

If you set a passphrase on your private key (good for security!), an SSH agent can cache the decrypted key after you enter the passphrase once, so you don't have to type it for every connection during your session.

A. Ubuntu & macOS

The SSH agent usually starts automatically.

  1. Add your private key to the agent:

    • Default key:

        ssh-add ~/.ssh/id_rsa

    • Custom key:

        ssh-add ~/.ssh/id_rsa_vps

You'll be prompted for your key's passphrase if it has one. Now, you won't need to enter it again for new SSH connections in the same terminal session (or until you log out/reboot, depending on your setup).

B. Windows (OpenSSH)

  1. Check if the SSH Agent service is running:

    Open PowerShell as Administrator and run:

     Get-Service ssh-agent

    If Status is Stopped, start it and set it to start automatically:

     Set-Service -Name ssh-agent -StartupType Automatic
 Start-Service ssh-agent

  2. Add your private key to the agent (in PowerShell or CMD):

    • Default key:

        ssh-add $env:USERPROFILE\.ssh\id_rsa

    • Custom key:

        ssh-add $env:USERPROFILE\.ssh\id_rsa_vps

Enter your key's passphrase if prompted.

C. Windows (PuTTY with Pageant)

PuTTY comes with an agent called Pageant.

  1. Run Pageant. It will appear as an icon in your system tray.

  2. Right-click the Pageant icon and select "Add Key".

  3. Browse to your .ppk private key file, select it, and enter its passphrase if you set one. Pageant will now handle authentication for PuTTY sessions.

Once you've confirmed passwordless SSH login is working, you can (and should) disable password authentication on your VPS to make it even more secure. This prevents brute-force password attacks.

โš ๏ธ IMPORTANT: Ensure your key-based login is working perfectly before disabling password authentication. Otherwise, you could lock yourself out!

  1. SSH into your VPS.

  2. Edit the SSH daemon configuration file:

     sudo nano /etc/ssh/sshd_config

  3. Find and modify the following lines:

    • PasswordAuthentication: Change this to no. (Uncomment it by removing the # if it's commented out).

        PasswordAuthentication no

    • PubkeyAuthentication: Ensure this is set to yes (it usually is by default).

        PubkeyAuthentication yes

    • ChallengeResponseAuthentication: It's also a good idea to set this to no.

        ChallengeResponseAuthentication no

  4. Save and Exit: (Ctrl+X, then Y, then Enter in nano).

  5. Restart the SSH service to apply changes:

    The command might vary slightly depending on your Linux distribution:

     sudo systemctl restart sshd

    or

     sudo systemctl restart ssh

    or

     sudo service ssh restart

  6. Test Again: Open a new terminal window on your host and try to SSH into your VPS. It should connect without a password. Try SSHing with a command that would force password auth (e.g., ssh -o PreferredAuthentications=password vps_user@your_vps_ip_or_hostname) to confirm password login is indeed disabled.

Troubleshooting Tips ๐Ÿ”

  • Permission Denied (Publickey):

    • Permissions on VPS: Double-check the permissions on your VPS:

      • ~/.ssh directory should be 700 (drwx------).

      • ~/.ssh/authorized_keys file should be 600 (-rw-------).

      • Your home directory (~) on the VPS should not be world-writable (e.g., 755 or rwxr-xr-x is fine). Use ls -ld ~/.ssh ~/.ssh/authorized_keys ~ on the VPS to check. Use chmod to fix them as shown in Step 2, Method 2.

    • Key Copied Correctly: Ensure the entire public key was copied correctly into ~/.ssh/authorized_keys without any extra line breaks or missing characters.

    • Correct Private Key: If you have multiple keys, ensure your SSH client is trying to use the correct private key. Use ssh -v vps_user@your_vps_ip_or_hostname for verbose output, which can show which keys it's attempting. Use the -i flag to specify a key if needed.

  • Still Asking for Password:

    • The public key might not be in ~/.ssh/authorized_keys on the VPS, or permissions are wrong.

    • The SSH server on the VPS might not be configured to allow public key authentication (PubkeyAuthentication yes in /etc/ssh/sshd_config).

    • The SSH service on the VPS wasn't restarted after config changes.

  • ssh-add "Could not open a connection to your authentication agent.":

    • The SSH agent isn't running. See Step 4 for how to start it.

  • Windows File Paths: Remember that Windows paths use backslashes (\) and the home directory equivalent is often $env:USERPROFILE\.ssh in PowerShell or C:\Users\YourUsername\.ssh in general.

By following these steps, you'll have a streamlined and secure way to access your Linux VPS! Happy connecting!

0
Subscribe to my newsletter

Read articles from J.A. Shezan directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Linuxvpsvps serverVPS Hostingsshssh-keygenWindows

Written by

J.A. Shezan
J.A. Shezan

Shezan loves technology who is currently studying Computer Science and Engineering. He codes frontend & backend of a website. He also does penetration testing on web apps.