Password-less login via ssh (Mac)
Key-based login over ssh (more secure: the private key never leaves your machine, so the login can only be done from a machine holding that key, and there is no password for an attacker to guess or brute-force)
# Updated standard:
ssh-keygen -t ed25519 -C "identify device"
# If you have to use rsa, use a stronger key (-o writes the newer private-key format, which resists passphrase brute-forcing better; it is the default on current OpenSSH anyway):
ssh-keygen -o -t rsa -b 4096 -C "firstname.lastname@example.org"
# This generates the ssh private and public key for your local machine
# When prompted for a passphrase you can press enter to leave it blank; see "Working with passphrases" below for adding one later. An unencrypted private key is only as safe as the disk it sits on.
cd ~/.ssh && ls -al
# This should show you id_ed25519 and id_ed25519.pub (or id_rsa and id_rsa.pub for an rsa key)
ssh-copy-id username@remote_host
# if the top command doesn't work (e.g. there is no ssh-copy-id on the Mac), append the public key by hand. Note the port goes in -p, not after the host name:
cat ~/.ssh/id_ed25519.pub | ssh -p port username@remote_host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Working with passphrases & ssh keys
# to set up a passphrase on a passphraseless key run:
ssh-keygen -p
# this will ask you to enter the path to the keyfile
# or specify a keyfile directly
ssh-keygen -p -f ~/.ssh/id_ed25519
Then you enter your new passphrase and you're ready to go. The passphrase encrypts only that copy of the private key file, so if you have the same key file on another machine, that copy stays unencrypted until you run ssh-keygen -p there as well.
If you don't want to enter the passphrase every time?
# unlock the key once and add it to your ssh-agent (you are prompted for the passphrase here, not on every ssh)
ssh-add ~/.ssh/id_ed25519
# To list keys that are already "active" in the ssh-agent, i.e. unlocked
ssh-add -l
# To add a key with a timeout, 5 minutes = 300 seconds (the agent forgets the key afterwards)
ssh-add -t 300 ~/.ssh/id_ed25519
# to remove a key run:
ssh-add -d ~/.ssh/id_ed25519
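The key setup from the two sections above (generate a key with a passphrase, install the public key on the remote side, unlock it once in the agent) as one script. This is an added example and not code from the original page: it assumes POSIX sh with awk, and ssh-keygen on PATH for the generation step; the paths, key comment and passphrase are placeholders, and the "remote" ~/.ssh is a local stand-in so it runs offline. It goes a step beyond the page's `cat >> ~/.ssh/authorized_keys`: the append never adds the same key twice, and the permissions sshd's StrictModes insists on (700 on ~/.ssh, 600 on authorized_keys) are enforced and checked, since a group- or world-readable file is silently ignored by sshd and is the usual reason a freshly copied key "doesn't work".

```shell
#!/bin/sh
# Added example, not code from the original page: idempotent authorized_keys
# install plus the permission check sshd performs. Assumptions: POSIX sh + awk;
# ssh-keygen on PATH for gen_key; all paths/comments/passphrases are placeholders.
set -eu

# Generate an ed25519 key with a passphrase in one step (-N) instead of leaving
# it blank and adding one later with `ssh-keygen -p`.
gen_key() {
    ssh-keygen -q -t ed25519 -N "$2" -C "$3" -f "$1"
}

# A key's identity is "<type> <base64 blob>"; the trailing comment is ignored so
# the same key with a different comment still counts as a duplicate.
key_id() {
    awk 'NF >= 2 { print $1, $2; exit }' "$1"
}

# Append a public key to an authorized_keys file unless it is already present
# (substring match, so existing lines with option prefixes such as command="..."
# are still recognised). Prints "added" or "present" and fixes permissions.
install_authorized_key() {
    local pubkey="$1" authkeys="$2" id dir
    id=$(key_id "$pubkey")
    dir=$(dirname "$authkeys")
    mkdir -p "$dir"
    touch "$authkeys"
    if awk -v id="$id" 'index($0, id) { found = 1 } END { exit !found }' "$authkeys"; then
        echo present
    else
        cat "$pubkey" >> "$authkeys"
        echo added
    fi
    chmod 700 "$dir"
    chmod 600 "$authkeys"
}

# sshd (StrictModes yes, the default) refuses a key whose ~/.ssh or
# authorized_keys is group- or world-accessible. Lists offenders, returns 1.
# The group/other bits are read from `ls -ld`, which works on BSD and GNU ls.
check_ssh_perms() {
    local dir="$1" rc=0 f bits
    for f in "$dir" "$dir/authorized_keys"; do
        [ -e "$f" ] || continue
        bits=$(ls -ld "$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "too permissive: $f (group/other bits: $bits)" >&2
            rc=1
        fi
    done
    return "$rc"
}

main() {
    local work remote
    work=$(mktemp -d)
    remote="$work/remote-home/.ssh"          # stand-in for the remote user's ~/.ssh
    gen_key "$work/id_ed25519" 'constructed-passphrase-change-me' "laptop-$(date +%Y%m%d)"
    ssh-keygen -l -f "$work/id_ed25519.pub"  # fingerprint: compare it on the remote side after copying
    install_authorized_key "$work/id_ed25519.pub" "$remote/authorized_keys"   # added
    install_authorized_key "$work/id_ed25519.pub" "$remote/authorized_keys"   # present, no duplicate line
    check_ssh_perms "$remote" && echo "permissions ok"
    # Against a real host the same append runs over ssh; the port belongs in -p,
    # not after the host name:
    #   ssh -p 22 username@remote_host 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' < ~/.ssh/id_ed25519.pub
    # and the key is unlocked once per session with a lifetime, not per login:
    #   ssh-add -t 300 ~/.ssh/id_ed25519
    rm -rf "$work"
}

if command -v ssh-keygen >/dev/null 2>&1; then
    main
else
    echo "ssh-keygen not found; skipping the key generation demo" >&2
fi
```

Running it twice against the same authorized_keys prints "added" then "present", and the file keeps exactly one line for the key; loosening the file to 644 makes check_ssh_perms fail, which is what sshd would do silently.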
Only allow key based login via ssh on Mac OS
cd /etc/ssh and then back up the original sshd_config by running:
cp sshd_config ~/Desktop/sshd_config.bak
- Add your key to ~/.ssh/authorized_keys and make sure to set the correct rwx permissions on the .ssh folder and the authorized_keys file (with the default StrictModes, sshd silently ignores a group- or world-accessible folder or file) by running:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
- Then edit /etc/ssh/sshd_config (requires sudo access) to flip these parameters:
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
The last line matters because a password prompt can also arrive through keyboard-interactive (PAM) authentication, so PasswordAuthentication no on its own does not stop password logins. On OpenSSH 8.7 and later the keyword is spelled KbdInteractiveAuthentication; the old name still works as an alias. Two gotchas: sshd uses the first value it finds for a keyword and ignores later ones, and if the file starts with Include /etc/ssh/sshd_config.d/* (as current macOS ships it), a drop-in there that sets PasswordAuthentication yes wins over your edit further down, so change the setting in that directory instead.
Then restart the ssh service:
sudo launchctl stop com.openssh.sshd
sudo launchctl start com.openssh.sshd
Make sure to check from some machine that doesn’t have the authorized key to
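A way to verify the hardening step rather than assume it: the script below reads an sshd_config the way sshd does (first value for a keyword wins, Include expanded where it appears, keywords case-insensitive, anything after a Match left out) and reports the effective value of the four settings above. This is an added example and not code from the original page; it assumes POSIX sh with awk, and the three sample config files it audits are constructed inline to mimic a stock file, the hardened file, and a file whose Include at the top overrides the edits below it. Run audit_sshd_config /etc/ssh/sshd_config on the real machine before restarting sshd.

```shell
#!/bin/sh
# Added example, not code from the original page: audit sshd_config with sshd's
# own precedence rules. Assumptions: POSIX sh + awk; sample configs constructed
# below. Settings inside Match blocks are conditional and are skipped.
set -eu

# Emit "keyword value" lines (keyword lowercased, comments stripped) in the
# order sshd sees them, recursing into Include globs at the point they appear.
flatten_sshd_config() {
    local file="$1" key val f
    awk '{ sub(/#.*/, ""); if (NF == 0) next
           k = tolower($1); sub(/^[ \t]*[^ \t]+[ \t]*/, ""); sub(/[ \t]+$/, "")
           print k, $0 }' "$file" |
    while read -r key val; do
        case $key in
            match) break ;;
            include)
                for f in $val; do                                   # unquoted on purpose: Include takes globs
                    case $f in /*) ;; *) f="/etc/ssh/$f" ;; esac    # relative paths resolve under /etc/ssh
                    if [ -f "$f" ]; then flatten_sshd_config "$f"; fi
                done ;;
            *) printf '%s %s\n' "$key" "$val" ;;
        esac
    done
}

# Effective value of a keyword (alternatives may be given as a|b), or empty if
# the config never sets it and sshd's built-in default applies.
sshd_effective() {
    flatten_sshd_config "$1" |
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '!done && $1 ~ ("^(" k ")$") { sub(/^[^ ]+ */, ""); print; done = 1 }'
}

# Check the four settings from the hardening step. Unset keywords fall back to
# sshd's defaults. OpenSSH 8.7 renamed ChallengeResponseAuthentication to
# KbdInteractiveAuthentication; both names set the same option, so whichever
# appears first wins. Returns 1 if any setting still allows password logins.
audit_sshd_config() {
    local cfg="$1" rc=0 spec kw def want got
    for spec in \
        'PermitRootLogin prohibit-password no' \
        'PasswordAuthentication yes no' \
        'PermitEmptyPasswords no no' \
        'KbdInteractiveAuthentication|ChallengeResponseAuthentication yes no'; do
        set -- $spec                         # keyword, sshd default, required value
        kw=$1 def=$2 want=$3
        got=$(sshd_effective "$cfg" "$kw")
        [ -n "$got" ] || got=$def
        got=$(printf '%s' "$got" | tr 'A-Z' 'a-z')
        if [ "$got" = "$want" ]; then
            printf 'ok    %-30s %s\n' "${kw%%|*}" "$got"
        else
            printf 'FAIL  %-30s %s (want %s)\n' "${kw%%|*}" "$got" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample configs for the demo (not copied from any real machine).
write_demo_configs() {
    local dir="$1"
    mkdir -p "$dir/sshd_config.d"
    # 1. stock-looking file: everything commented out, so sshd's defaults apply
    printf '%s\n' '# default sshd_config' '#PermitRootLogin prohibit-password' \
        '#PasswordAuthentication yes' > "$dir/weak"
    # 2. the four lines from the hardening step, old keyword spelling
    printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
        'PermitEmptyPasswords no' 'ChallengeResponseAuthentication no' > "$dir/hardened"
    # 3. the trap: an Include at the top pulls in a drop-in that says "yes"
    #    before the edited "no" lines, so sshd keeps accepting passwords
    printf '%s\n' 'PasswordAuthentication yes' 'KbdInteractiveAuthentication yes' \
        > "$dir/sshd_config.d/100-demo.conf"
    printf '%s\n' "Include $dir/sshd_config.d/*" 'PermitRootLogin no' \
        'PasswordAuthentication no' 'PermitEmptyPasswords no' \
        'KbdInteractiveAuthentication no' > "$dir/include-trap"
}

main() {
    local tmp cfg
    tmp=$(mktemp -d)
    write_demo_configs "$tmp"
    for cfg in weak hardened include-trap; do
        echo "== $cfg"
        audit_sshd_config "$tmp/$cfg" || echo "   -> password logins still possible"
    done
    rm -rf "$tmp"
    # On the real host, check syntax and the values sshd actually uses before
    # restarting it (both need root to read the host keys):
    #   sudo sshd -t && sudo sshd -T | grep -iE 'passwordauthentication|kbdinteractive|permitrootlogin'
}

main
```

The include-trap case is the one to look at: every edited line says no, yet the effective PasswordAuthentication is yes because the drop-in is read first. sshd -T prints the same effective values straight from the daemon and is the authoritative check once the file is in place.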