SSH and Secure Access with RSA certificate

1. Two Linux systems
2. Someone who is fed up with constantly entering an SSH username and password

There comes a time when you have had enough of constantly entering your username and password:

user@server1:~/.ssh$ ssh user@
user@'s password:
Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64
Last login: Sat Apr 23 09:52:10 2016 from

Luckily there is another way, using RSA keys. Here is a quick way of setting it all up:
1. On your normal/daily workstation generate a public/private key pair:

user@server1:~/.ssh$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): [ENTER]
Enter passphrase (empty for no passphrase): yourpass_phrase [ENTER]
Enter same passphrase again: yourpass_phrase [ENTER]
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/
The key fingerprint is:
da:fe:08:91:5f:63:89:8f:27:74:59:c1:19:d6:9f:2c user@server1
The key's randomart image is:
+--[ RSA 2048]----+
|           .++   |
|           .o..  |
|            . ...|
|       . . + E o.|
|      o S B   .  |
|       * * .     |
|      o = o      |
|       o +       |
|        o..      |

This will generate two files, id_rsa and : those are your private and public keys respectively.

2. Copy your public key to the destination server

user@server1:~/.ssh$ ssh-copy-id user@
user@'s password: 
Now try logging into the machine, with "ssh 'user@'", and check in:


to make sure we haven't added extra keys that you weren't expecting.

If you go to your destination server and check ~/.ssh/authorized_keys, you will find that it has exactly the same content as your public key:

root@server2:/home/user/.ssh# ls -al
total 12
drwx------ 2 user user 4096 Apr 23 10:03 .
drwxr-xr-x 3 user user 4096 Apr 23 09:13 ..
-rw------- 1 user user  394 Apr 23 10:03 authorized_keys
root@server2:/home/user/.ssh# cat authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyN1oh1L9dVBOGgb5QVSoJ4Cls/l+uCSjwUeH7Jr2NYyTz/0VeLQSDmvAOlyhy/S26KY8wT41z9coT+O8TDWo4F+Wvz1M27fYvscaAQO3cY5iIIEHTV0BpORDHTKvHd/YnP0CVitE65sbTssUGApG9iHyE/yTDpl+g7xe/9NwSxjPYSn2ZGxcG0vWkIUPLFProDK5VPSYo4FI27s5F+uqsWK60Ey+SuotPp6BDIKqe6jnNWjmxYbPnVWyU4Qb0DiQNWX1HmmaxehknnJM7NZWIIOzY8kSsTC8hdxcZu1IGHO6N9IDn+bQUUz7OSzfzPwDvadchScD3vzUuRdGq10d1 user@server1
user@server1:~/.ssh$ cat 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyN1oh1L9dVBOGgb5QVSoJ4Cls/l+uCSjwUeH7Jr2NYyTz/0VeLQSDmvAOlyhy/S26KY8wT41z9coT+O8TDWo4F+Wvz1M27fYvscaAQO3cY5iIIEHTV0BpORDHTKvHd/YnP0CVitE65sbTssUGApG9iHyE/yTDpl+g7xe/9NwSxjPYSn2ZGxcG0vWkIUPLFProDK5VPSYo4FI27s5F+uqsWK60Ey+SuotPp6BDIKqe6jnNWjmxYbPnVWyU4Qb0DiQNWX1HmmaxehknnJM7NZWIIOzY8kSsTC8hdxcZu1IGHO6N9IDn+bQUUz7OSzfzPwDvadchScD3vzUuRdGq10d1 user@server1

Now to test that this bit is working fine:

user@server1:~/.ssh$ ssh user@
Enter passphrase for key '/home/user/.ssh/id_rsa': yourpass_phrase [ENTER]
Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64
Last login: Sat Apr 23 09:52:56 2016 from

You can of course leave the passphrase empty, and at this stage you are all done. However, if you have set a passphrase, do not despair: there is a way of telling your machine to remember it for you.

3. Using ssh-agent to remember the passphrase
ssh-agent is a program to hold private keys used for public key authentication
(RSA, DSA, ECDSA). The idea is that ssh-agent is started in the beginning of
an X-session or a login session, and all other windows or programs are started
as clients to the ssh-agent program. Through use of environment variables the
agent can be located and automatically used for authentication when logging in
to other machines using ssh(1).

I tend to add this line to the .bashrc file under my user profile:
eval `ssh-agent -s`

then check that it is running:

user@server1:~$ ps aux | grep ssh-agent
user      6088  0.0  0.0  12480   332 ?        Ss   10:22   0:00 ssh-agent -s
user      6090  0.0  0.0   7812   608 pts/0    S+   10:22   0:00 grep ssh-agent

Now that the authentication agent is running, the last remaining thing to do is to add the private key identities to the agent:

user@server1:~$ ssh-add
Enter passphrase for /home/user/.ssh/id_rsa: yourpass_phrase [ENTER]
Identity added: /home/user/.ssh/id_rsa (/home/user/.ssh/id_rsa)
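One thing to be aware of with the .bashrc approach: every new shell runs ssh-agent -s again, so each shell gets a fresh, empty agent and needs its own ssh-add. The fragment below is an added example (not from the original post) that saves the agent's environment to ~/.ssh/agent.env (an assumed path), reuses a running agent from later shells, and only asks for the passphrase when the agent holds no identities.

```shell
#!/bin/sh
# Reuse one ssh-agent across shells instead of starting a new one per shell.
# Added example, not from the original post. Source it from ~/.bashrc and
# call ensure_agent; the env file path ~/.ssh/agent.env is an assumption.
SSH_AGENT_ENV="${SSH_AGENT_ENV:-$HOME/.ssh/agent.env}"

# True when the agent behind SSH_AUTH_SOCK answers. ssh-add -l exits 0 with
# identities loaded, 1 when the agent is up but empty, 2 when no agent answers
# (and 127 when ssh-add is not installed at all).
agent_is_alive() {
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
    ssh-add -l >/dev/null 2>&1 || [ $? -eq 1 ]
}

# Load the environment (SSH_AUTH_SOCK, SSH_AGENT_PID) saved by an earlier shell.
load_agent_env() {
    [ -r "$SSH_AGENT_ENV" ] || return 1
    . "$SSH_AGENT_ENV" >/dev/null
}

# Start a fresh agent and save its environment in a file readable only by us
# (the subshell keeps the restrictive umask from leaking into the login shell).
start_agent() {
    (umask 077; ssh-agent -s > "$SSH_AGENT_ENV") || return 1
    load_agent_env
}

# Make sure a live agent is in the environment, then load the key only if the
# agent is empty, so the passphrase is asked once per login, not once per shell.
ensure_agent() {
    agent_is_alive || load_agent_env || true
    agent_is_alive || start_agent || return 1
    ssh-add -l >/dev/null 2>&1 || ssh-add
}
```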

Now, for the rest of the time that we remain logged in to our normal/daily workstation, the agent remembers the passphrase for every server (potentially hundreds) that we have set the key up on, so we no longer need to type it in. To verify/list the fingerprints of all identities currently held by the agent, just run:

user@server1:~$ ssh-add -l
2048 da:fe:08:91:5f:63:89:8f:27:74:59:c1:19:d6:9f:2c /home/user/.ssh/id_rsa (RSA)
user@server1:~$ ssh user@
Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64
Last login: Sat Apr 23 10:07:14 2016 from
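The ssh-copy-id output earlier asks you to check that no extra keys have turned up in authorized_keys, and ssh-add -l gives you the MD5 fingerprint of the key you installed. The script below is an added example (not from the original post) that fingerprints each authorized_keys entry the same way using only awk, base64 and md5sum, so it also runs on a server without ssh-keygen, and counts the entries whose fingerprint is not the one you expect. The second entry in the sample file is a deliberately bogus, constructed key standing in for one you did not add.

```shell
#!/bin/sh
# Audit ~/.ssh/authorized_keys against the one key you meant to install.
# Added example, not from the original post. Needs only awk, base64 and
# md5sum (coreutils/busybox), so it also runs on a server without ssh-keygen.

# Pull the base64 key blob out of an authorized_keys line: the first field
# starting with "AAAA", which also copes with lines carrying options such as
# command="..." in front of the key type.
key_blob() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) { print $i; exit } }'
}

# MD5 fingerprint in the colon-separated form ssh-add -l prints (da:fe:08:...).
key_fingerprint_md5() {
    key_blob "$1" | base64 -d | md5sum | cut -d' ' -f1 | sed 's/../&:/g; s/:$//'
}

# Decoded blob length in bytes; ssh -v logs the same number as "blen".
key_blob_length() {
    key_blob "$1" | base64 -d | wc -c | tr -d ' '
}

# List every key in the file ($1) with its fingerprint on stderr and print
# the number of entries whose fingerprint differs from the expected one ($2).
audit_authorized_keys() {
    unexpected=0
    while IFS= read -r line; do
        case "$line" in '' | '#'*) continue ;; esac   # skip blanks and comments
        fp=$(key_fingerprint_md5 "$line")
        if [ "$fp" = "$2" ]; then
            echo "expected   $fp" >&2
        else
            echo "UNEXPECTED $fp" >&2
            unexpected=$((unexpected + 1))
        fi
    done < "$1"
    echo "$unexpected"
}

# Constructed sample file: the key from the post, plus a deliberately bogus
# second entry (its "modulus" is only 3 bytes) standing in for a key you did not add.
make_sample_authorized_keys() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyN1oh1L9dVBOGgb5QVSoJ4Cls/l+uCSjwUeH7Jr2NYyTz/0VeLQSDmvAOlyhy/S26KY8wT41z9coT+O8TDWo4F+Wvz1M27fYvscaAQO3cY5iIIEHTV0BpORDHTKvHd/YnP0CVitE65sbTssUGApG9iHyE/yTDpl+g7xe/9NwSxjPYSn2ZGxcG0vWkIUPLFProDK5VPSYo4FI27s5F+uqsWK60Ey+SuotPp6BDIKqe6jnNWjmxYbPnVWyU4Qb0DiQNWX1HmmaxehknnJM7NZWIIOzY8kSsTC8hdxcZu1IGHO6N9IDn+bQUUz7OSzfzPwDvadchScD3vzUuRdGq10d1 user@server1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAwEAAQ== intruder@constructed.example
EOF
    echo "$f"
}
```

Run it as audit_authorized_keys ~/.ssh/authorized_keys "$(ssh-add -l | awk '{print $2}')" on the destination server; anything printed as UNEXPECTED, or a count other than 0, deserves a look.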

If you are using the same username on both ends, you can skip the user name:

user@server1:~$ ssh
Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64
Last login: Sat Apr 23 10:07:14 2016 from


If you get stuck and something isn't working the way it should, connect using the verbose switch -v (or, if you want to go nuts, go extra verbose with -vvv):

user@server1:~$ ssh -v
OpenSSH_6.0p1 Debian-4+deb7u4, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to [] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4+deb7u4
debug1: match: OpenSSH_6.0p1 Debian-4+deb7u4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA f9:c4:2a:ee:20:5e:66:c2:fc:76:12:63:53:13:9e:dc
debug1: Host '' is known and matches the ECDSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/user/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to ([]:22).
debug1: channel 0: new [client-session]
debug1: Requesting
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8
Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64
Last login: Sat Apr 23 10:34:20 2016 from