Password-less login via ssh (Mac)

Password less login on ssh (more secure since can only be done from one machine)

# Updated standard:
ssh-keygen -t ed25519 -C "identify device"

# If you have to use rsa use stronger key:
ssh-keygen -o -t rsa -b 4096 -C ""

ssh-keygen  # This generates the ssh private and public key for your local machine
# When prompted for passphrase, press enter to leave it blank.
cd ~./ssh && ls -al  # This should show you id_rsa and

ssh-copy-id username@remote_host

# if the top command doesn't work
cat ~/.ssh/ | ssh username@remote_host:port "cat >> ~/.ssh/authorized_keys"

Working with passphrases & ssh keys

# to set up a passphrase on a passphraseless key run:
ssh-keygen -p
# this will ask to enter the path to the keyfile

# or specify a keyfile directly
ssh-keygen -p -f ~/.ssh/id_ed25519

Then you enter your new password and your’re ready to go. Passwords only lock the key on that particular device, so if you have the same keyfile elsewhere, you WILL have to set the passphrase again on that machine.

If you don’t want to enter passphrases ?

# unlock keys and add to your ssh-agent
ssh-add ~/.ssh/id_ed25519

# To list keys that are already "active" in the ssh-agent i.e. unlocked
ssh-add -l

# To add key with a timeout 5 minutes = 300 seconds
ssh-add -t 300

# to remove a key run:
ssh-add -d ~/.ssh/id_ed25519

Only allow key based login via ssh on Mac OS

  • cd /etc/ssh and then backup the original sshd_config by running: cp sshd_config ~/Desktop/sshd_config.bak
  • Add your key to ~/.ssh/authorized_keys and make sure to set correct rwx permissions on the .ssh folder and the authorized_keys file by running:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
  • Then edit the /etc/ssh/sshd_config (requires sudo access), to flip these parameters:
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no

Then restart the ssh service:

sudo launchctl stop com.openssh.sshd
sudo launchctl start com.openssh.sshd

Make sure to check from some machine that doesn’t have the authorized key to