SSH Keys for Passwordless Logins
SSH keys are authentication credentials, which can take the place of login passwords.[1][2] Using SSH keys means you can avoid saving your Picotte password in various applications, e.g. VisualStudio Code or MobaXTerm.
N.B. If your Picotte account uses Multi-Factor Authentication, you will not be able to make use of SSH keys for passwordless logins.
Overview
SSH keys are a form of asymmetric cryptography[3] used for the authentication process.
- The user generates a pair of keys: one private, and one public. Each key is just a text file. This key generation should use a non-empty passphrase for security. This passphrase is independent of the login password of any remote systems that will be connected to via SSH.
- The user runs a background program called the SSH agent. (On Windows, the agent runs as an administrative service.)
- The user adds the private key (a.k.a. "identity") to the agent.
- The user adds the public key to the authorized_keys file on the remote system. In the case of Picotte, it will be picotte001 (== picottelogin). On Linux, the file is ~/.ssh/authorized_keys
- When the user tries to SSH to the remote system, the agent will pass an appropriate message to the remote system that authenticates the user, allowing a login.
Prerequisites
We strongly recommend the use of a password-saving app.
- On macOS, the Keychain Access app[4] is included with macOS.
- You can use the Microsoft Authenticator app, with a workaround. MS Authenticator only accepts passwords with a website address. You can use something like https://mycomputer-SSH.example.com as a fake website address.
- Or, use one of the available commercial applications. We suggest finding one which runs on multiple platforms, including phone operating systems (iOS or Android).
You will also need to already know how to edit a text file on Picotte.
General - Applies to all operating systems
You will need two terminal sessions:
- An SSH session connected to Picotte for part of this process (copying the public key).
- A terminal session on your PC; or PowerShell on Windows. (N.B. “PC” = “Personal Computer” which may be running Windows, macOS, or Linux. As opposed to Picotte, which is an impersonal computer.)
The following apply to SSH keys regardless of operating system (Windows, macOS, Linux, etc.).
- Generate key pair
- Send a copy of the public key to picotte001
Generate key pair
- Two (2) key files will be generated:
  - id_ed25519 -- the private key
  - id_ed25519.pub -- the public key
- Do NOT use a blank passphrase.
- Safeguard the private key. The private key must reside only on the computer where it was generated. Do not copy or upload it anywhere else.
- The private key must be readable only by the user to whom the key belongs. On Linux and macOS, this means permissions -rw-------
Copy public key to picotte001
Copy the public key from your PC to picotte001 - enter your Picotte password when prompted:
myname@mypc$ ssh-copy-id juser@picotte001.urcf.drexel.edu
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
(juser@picotte001.urcf.drexel.edu) Password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'juser@picotte001.urcf.drexel.edu'"
and check to make sure that only the key(s) you wanted were added.
If that does not work, you can do it manually. Copy the contents of the public key file to the file ~/.ssh/authorized_keys on picotte001.
If you have more than one authorized key (for more than one computer), each key must be on its own line.
The contents of the public key on your PC can be shown with:
[prompt]$ cat .ssh/id_ed25519.pub
ssh-ed25519 bunch_of_random_characters myname@mycomputer
Copy the line of text "ssh-ed25519 ... myname@mycomputer" and paste it into the authorized_keys file on picotte001.
Fix Permissions of Authorized Keys file
On Picotte, do:
[juser@picotte001 ~]$ chmod 600 ~/.ssh/authorized_keys
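As an added example (not from the Picotte documentation), the manual copy and the permission fix above combined into one POSIX shell function, with the file paths passed as arguments so it can be tried in a scratch directory first: it refuses input that is not a public key line, keeps each key on its own line, skips a key that is already present, and sets mode 600 on the file and 700 on its directory. A second small function checks the -rw------- mode required of the private key. The key material in any test input is constructed, not real.

```shell
#!/bin/sh
# Added example (not part of the Picotte documentation): install a public key
# into authorized_keys the way the manual procedure above describes, but
# safely: one key per line, no duplicate entries, mode 600 on the file and
# 700 on its directory. Paths are parameters so the function can be tried
# against a scratch directory before touching ~/.ssh on picotte001.

# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Prints the number of key lines present afterwards. Returns 1 if the .pub
# file does not look like an OpenSSH public key line.
install_pubkey() {
    pubkey_file=$1
    auth_file=$2
    # A .pub file is a single line: "<type> <base64 key> [comment]".
    key_line=$(head -n 1 "$pubkey_file")
    case "$key_line" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"sk-ssh-ed25519@openssh.com "*) ;;
        *) echo "not a public key line: $key_line" >&2; return 1 ;;
    esac
    # Duplicates are detected on type + key material; the comment may differ.
    key_material=$(printf '%s\n' "$key_line" | awk '{print $1 " " $2}')
    auth_dir=$(dirname "$auth_file")
    mkdir -p "$auth_dir"
    chmod 700 "$auth_dir"
    touch "$auth_file"
    # If the file does not end in a newline, add one so the pasted key
    # does not get glued onto the previous entry.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        printf '\n' >> "$auth_file"
    fi
    if ! awk -v k="$key_material" '($1 " " $2) == k { found = 1 } END { exit !found }' "$auth_file"; then
        printf '%s\n' "$key_line" >> "$auth_file"
    fi
    chmod 600 "$auth_file"    # the same "Fix Permissions" step as above
    awk '/^(ssh-|ecdsa-|sk-)/ { n++ } END { print n + 0 }' "$auth_file"
}

# key_is_private FILE: true when FILE is readable and writable only by its
# owner, i.e. the -rw------- mode required for the private key.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}
```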
Set Up SSH Agent
The SSH Agent on your PC manages your private key and talks to the remote host (picotte001) when the remote host requests authentication credentials.
This setup differs for all 3 operating systems.
Add Private Key (aka Identity) to Agent
In order for the SSH Agent to forward your credential, you have to add your private key to the agent.
Test Login
Once you have copied your public key to Picotte, and added your private key to the ssh-agent on your computer, you should be able to SSH to Picotte without entering a password. This will also allow you to run your VisualStudio Code Remote Explorer sessions without entering the password multiple times, or saving the password in VS Code itself.
Linux
The instructions here are for Ubuntu 22.04 LTS. For other versions of Ubuntu, or other distributions, please consult appropriate documentation for that version of Linux. However, they should not differ since OpenSSH is used in almost every Linux distribution.
Everything here will be done in a terminal. Hit Ctrl-Alt-T to start a new terminal; or, launch the Terminal app from the Activities menu (by hitting the "Windows" key).
Generate key pair
[juser@mycomputer ~]$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/juser/.ssh/id_ed25519):
Hit "Return" or "Enter" to accept the default.
Enter passphrase (empty for no passphrase):
Enter a strong passphrase. If you use a password saving app, it should be able to generate a random password. Or, you can use the apg command on picotte001:
[juser@mycomputer ~]$ apg -M NCS -m 16 -l
After entering your passphrase, the key pair will be generated.
ssh-keygen
will output messages that look like:
Your identification has been saved in /home/juser/.ssh/id_ed25519.
Your public key has been saved in /home/juser/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:random_chars juser@mycomputer
The key's randomart image is:
+--[ED25519 256]--+
| ................|
...
+----[SHA256]-----+
The key pair is in two files:
- id_ed25519 - the private key
- id_ed25519.pub - the public key
Copy public key to picotte001
See above.
Fix Permissions of Authorized Keys file
See above.
Add key to ssh-agent on your PC
On Ubuntu 22.04, this is done automatically once the keys are generated. The ssh-agent also runs automatically every time you logon, and it unlocks all keys in it.
Check the list of keys handled by the agent by doing:
[juser@mycomputer ~]$ ssh-add -l
256 SHA256:somerandomchars juser@mycomputer (ED25519)
macOS
Everything here will be done in a terminal. Run the Terminal app: https://support.apple.com/guide/terminal/open-or-quit-terminal-apd5265185d-f365-44cb-8b09-71a064a42125/mac
Video walkthrough
A video walkthrough is available on Drexel Streams (Kaltura): https://1513041.mediaspace.kaltura.com/media/SSH%20Keys%20setup%20on%20macOS/1_3zpbsy98
Or public access via Office 365: https://drexel0-my.sharepoint.com/:v:/g/personal/dwc62_drexel_edu/EffHgA9kksFFlOQC5KBr_OYBryEmK76eNuHhjyvkISos9A?e=mGCqkO
Generate key pair
The procedure is identical to Linux. See above. The path to the key file will likely be different.
Copy public key to picotte001
See above.
Fix Permissions of Authorized Keys file
See above.
Add private key to ssh-agent
macOS can store SSH keys in its own keychain that unlocks every time you login to your Mac.
For macOS 12 Monterey:
~ % ssh-add --apple-use-keychain ~/.ssh/id_ed25519
For earlier versions of macOS:
$ ssh-add -K ~/.ssh/id_ed25519
This should unlock the SSH key every time you login to your Mac.
Check that the key has been added:
~ % ssh-add -l
256 SHA256:randomcharacters juser@mymac (ED25519)
In your login file (.zshrc or .bashrc) add the line:
ssh-add --apple-load-keychain
Windows
We will use PowerShell.[5] It should be installed by default in Windows 11. If it is not already installed, see the official documentation on installing PowerShell and Tips for Windows Users.
These instructions are tested on Windows 11, based on the official documentation.[6] There should be little difference if using Windows 10.
All commands here are to be typed into the PowerShell terminal.
Video walkthrough
A video walkthrough is available on Drexel Streams (Kaltura): https://1513041.mediaspace.kaltura.com/media/SSH%20Keys%20setup%20on%20Windows/1_s1izuls9
Or public access via Office 365: https://drexel0-my.sharepoint.com/:v:/g/personal/dwc62_drexel_edu/EXx7LDY0aZVOkB6Vs5X3x2QBKuLaQUdvS_YaRN6Vm52EhA?e=7H2ZNs
Generate key pair
The procedure is identical to Linux. See above. The path to the key file should be C:\Users\username/.ssh/id_ed25519. Accept all defaults when prompted.
Copy public key to picotte001
Windows' version of SSH does not provide a ssh-copy-id script/command.
You can type in this one-liner in the PowerShell terminal:
PS C:\Users\myname> type $env:USERPROFILE\.ssh\id_ed25519.pub | ssh juser@picotte001.urcf.drexel.edu "cat >> .ssh/authorized_keys"
The “|” character (called “pipe”) is typed with Shift-\.
Or do it manually:
PS C:\Users\myname> cat .ssh/id_ed25519.pub
(note the "." period in front of "ssh"; only the prompt will differ).
Copy and paste the displayed text to the end of the
.ssh/authorized_keys
file on Picotte. It should look something like:
ssh-ed25519 AAA-somerandom-chars-... myname@MYPC
Fix Permissions of Authorized Keys file
See above.
Start SSH agent on login
You will need to perform this step as an Administrator on your Windows computer. To do so, run PowerShell as Administrator. There will be a security pop-up window, asking to allow the application to make changes to Windows. Hit the "Yes" button, and allow.
First, view the status of the SSH agent service: it should be "Stopped".
PS C:\WINDOWS\system32> Get-Service ssh-agent
Status Name DisplayName
------ ---- -----------
Stopped ssh-agent OpenSSH Authentication Agent
Next, set it to start automatically, and start it:
PS C:\WINDOWS\system32> Get-Service ssh-agent | Set-Service -StartupType Automatic
PS C:\WINDOWS\system32> Start-Service ssh-agent
Check that the service is now running:
PS C:\WINDOWS\system32> Get-Service ssh-agent
Status Name DisplayName
------ ---- -----------
Running ssh-agent OpenSSH Authentication Agent
You can now quit this Administrator PowerShell by closing the window, or using the "exit" command.
Add private key to SSH agent
In the same PowerShell that you generated the key pair in, i.e. the non-Administrator PowerShell, add your private key to the agent:
PS C:\Users\myname> ssh-add
Enter passphrase for C:\Users\myname/.ssh/id_ed25519: (enter your passphrase here -- it will not show up on screen)
Identity added: C:\Users\myname/.ssh/id_ed25519 (myname@MYPC)
Check that the identity (private key) has been added (the option is a lower case letter ell):
PS C:\Users\myname> ssh-add -l
256 SHA256:random_characters myname@MYPC (ED25519)
Check that you can login to picotte001 without needing to type in a password:
PS C:\Users\myname> ssh juser@picotte001.urcf.drexel.edu
Other Notes
If you re-run the same process, you will generate a new key pair. The default behavior is for the new pair to overwrite the old.
See Also
References
[1] SSH Academy: Basic overview of SSH Keys
[2] :wikipedia:Secure Shell#Authentication: OpenSSH key management
[3] :wikipedia:Public-key cryptography
[4] Keychain Access User Guide for macOS Monterey
[5] Windows Commands Reference - PowerShell
[6] Microsoft Documentation - Key-based authentication in OpenSSH for Windows