Information on setting up passwordless SSH from one machine to another.
Background
Source Information Links
- https://www.raspberrypi.org/documentation/remote-access/ssh/passwordless.md
- https://stackoverflow.com/questions/17846529/could-not-open-a-connection-to-your-authentication-agent
- https://stackoverflow.com/questions/64043238/enter-pin-for-authenticator-issue-related-to-ssh
Summary
The Raspberrypi.org documentation (Source Information Link #1) gets you up and running with passwordless SSH.
However, if you specify a passphrase when you create the key, you will still be prompted for that passphrase on your side before the private key can be used for the connection. You can load the key into ssh-agent once (or, on macOS, store the passphrase in the keychain) so that you are not prompted again for the lifetime of the agent.
A final caveat: under WSL on Windows, ssh-agent is a background process, and while it is running it keeps the WSL VM alive, so the memory the VM is using is held for longer than you may want.
Implementation
Summarizing the steps from the RaspberryPi documentation (Source Information Link #1, above.)
Check for existing SSH keys
First, check whether there are already keys on the computer you are using to connect to the Raspberry Pi:
ls ~/.ssh
If you see a file named id_rsa.pub, id_ed25519.pub or id_ecdsa.pub, then you have a key pair set up already, so you can skip the 'Generate new SSH keys' step below. (The docs also list id_dsa.pub, but OpenSSH has disabled DSA keys by default since 7.0, so generate a new key rather than reuse one of those.)
Generate new SSH keys
To generate new SSH keys enter the following command:
ssh-keygen
Upon entering this command, you will be asked where to save the key. We suggest saving it in the default location by pressing Enter. For older OpenSSH releases that is ~/.ssh/id_rsa (an RSA key); from OpenSSH 9.5 the default is an ed25519 key at ~/.ssh/id_ed25519. The rest of these notes use id_rsa, so substitute the filename you actually created.
You will also be asked to enter a passphrase, which is optional. The passphrase is used to encrypt the private SSH key, so that if someone else copied the key, they could not impersonate you to gain access. If you choose to use a passphrase, type it here and press Enter, then type it again when prompted. Leave the field empty for no passphrase.
Now look inside your .ssh directory:
ls ~/.ssh
and you should see the files id_rsa and id_rsa.pub (alongside anything that was already there), for example:
authorized_keys id_rsa id_rsa.pub known_hosts
The id_rsa file is your private key. Keep this on your computer and never send it anywhere.
The id_rsa.pub file is your public key. This is what you share with machines that you connect to: in this case your Raspberry Pi. When you connect, the server checks that a signature your client makes with the private key verifies against the public key it holds in authorized_keys; only then does it let you in without a password.
Take a look at your public key to see what it looks like:
cat ~/.ssh/id_rsa.pub
It should be in the form:
ssh-rsa <REALLY LONG STRING OF RANDOM CHARACTERS> user@host
Copy your public key to your Raspberry Pi
Using the computer which you will be connecting from, append the public key to your authorized_keys file on the Raspberry Pi by sending it over SSH:
ssh-copy-id <USERNAME>@<IP-ADDRESS>
Note that for this step you will need to authenticate with your password.
Alternatively, if ssh-copy-id is not available on your system, you can copy the file manually over SSH:
cat ~/.ssh/id_rsa.pub | ssh <USERNAME>@<IP-ADDRESS> 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'
Unlike ssh-copy-id, this one-liner appends blindly (run it twice and the key is listed twice) and it does not set the modes on ~/.ssh and authorized_keys that sshd checks; see 'Adjust permissions for your home and .ssh directories' below if the connection is refused afterwards.
If you see the message
ssh: connect to host <IP-ADDRESS> port 22: Connection refused
and you know the IP-ADDRESS is correct, then you may not have enabled SSH on your Raspberry Pi. Run sudo raspi-config in the Pi's terminal window, enable SSH, then try to copy the files again.
Now try
ssh <USER>@<IP-ADDRESS>
and you should connect without a password prompt. If you see the message "Agent admitted failure to sign using the key", add your RSA or DSA identities to the authentication agent (ssh-agent) by executing the following command:
ssh-add
If this does not work, you can get assistance on the Raspberry Pi forums.
Note: you can also send files over SSH using the scp command (secure copy). See the SCP guide for more information.
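The manual one-liner above is convenient but blind. The following POSIX shell script is an added example, not code from the Raspberry Pi documentation: it installs a public key into an authorized_keys file the careful way, refusing a private key sent by mistake, skipping keys that are already present (compared on key type and key data, ignoring the comment), and setting the 700/600 modes that sshd expects. The function names, the exit codes, and the file paths in the usage comment are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of the Raspberry Pi docs: an explicit, idempotent
# version of 'cat ~/.ssh/id_rsa.pub | ssh ... cat >> ~/.ssh/authorized_keys'.
# Run it on the machine whose authorized_keys you want to update, e.g. after
# copying the .pub file over with scp. All function names are this example's own.

# pubkey_line_ok LINE: 0 if LINE is "<keytype> <base64> [comment]" for an
# OpenSSH key type, 1 otherwise. Format only; it does not validate the key.
pubkey_line_ok() {
  printf '%s\n' "$1" | grep -Eq \
    '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( [^[:space:]].*)?$'
}

# install_pubkey PUBFILE AUTHKEYS
#   exit 0: key appended   exit 3: key already present (nothing written)
#   exit 1: refused (PUBFILE is a private key or not a public-key line)
install_pubkey() {
  pub="$1"
  auth="$2"

  # A private key ("-----BEGIN ... PRIVATE KEY-----") must never leave this box.
  if grep -q 'PRIVATE KEY' "$pub" 2>/dev/null; then
    echo "refusing: $pub looks like a PRIVATE key" >&2
    return 1
  fi
  line=$(head -n 1 "$pub")
  if ! pubkey_line_ok "$line"; then
    echo "refusing: $pub is not an OpenSSH public key line" >&2
    return 1
  fi

  # sshd (StrictModes) ignores an authorized_keys that group/others can write.
  dir=$(dirname "$auth")
  mkdir -p "$dir" && chmod 700 "$dir"
  [ -f "$auth" ] || : > "$auth"
  chmod 600 "$auth"

  # Deduplicate on "<keytype> <base64>" only: the trailing comment is free text.
  keydata=$(printf '%s\n' "$line" | awk '{print $1 " " $2}')
  if awk -v k="$keydata" '($1 " " $2) == k { found = 1 } END { exit !found }' "$auth"; then
    echo "already present in $auth, nothing to do" >&2
    return 3
  fi
  printf '%s\n' "$line" >> "$auth"
  echo "installed into $auth" >&2
}

# usage (on the Pi): sh install_pubkey.sh /tmp/id_ed25519.pub ~/.ssh/authorized_keys
if [ $# -eq 2 ]; then
  install_pubkey "$1" "$2"
fi
```

To use it, copy only the .pub file to the Pi (scp ~/.ssh/id_rsa.pub pi@<IP-ADDRESS>:/tmp/) and run the script there. To confirm that the key, and not a cached password, is what authenticated you, run ssh -v <USER>@<IP-ADDRESS> and look for "Authentication succeeded (publickey)" in the debug output.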
Note: I ran into this issue and found some additional information on https://stackoverflow.com/questions/17846529/could-not-open-a-connection-to-your-authentication-agent
The #1 rated answer solved my problem:
Did You Start ssh-agent?
You might need to start ssh-agent before you run the ssh-add command:
eval `ssh-agent -s`
ssh-add
Note that this will start the agent for msysgit Bash on Windows. If you’re using a different shell or operating system, you might need to use a variant of the command, such as those listed in the other answers.
See the following answers:
- ssh-add complains: Could not open a connection to your authentication agent
- Git push requires username and password (contains detailed instructions on how to use ssh-agent)
- How to run (git/ssh) authentication agent?.
- Could not open a connection to your authentication agent
To automatically start ssh-agent and allow a single instance to work in multiple console windows, see Start ssh-agent on login.
Why do we need to use eval instead of just ssh-agent?
To find out why, see Robin Green's answer.
Public vs Private Keys
Also, whenever I use ssh-add, I always add private keys to it. The file ~/.ssh/id_rsa.pub looks like a public key, I'm not sure if that will work. Do you have a ~/.ssh/id_rsa file? If you open it in a text editor, does it say it's a private key?
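The answer above starts a fresh agent every time it is run, which is also what makes the WSL caveat from the Summary bite (each new agent is another process keeping the VM alive). As an added example, not code from the Raspberry Pi docs or the StackOverflow answer, the following POSIX shell functions start an agent only when none is reachable, using the documented exit codes of ssh-add -l (0: agent has identities, 1: agent reachable but empty, 2: no agent reachable), and stop the agent cleanly with ssh-agent -k. The function names and the start/stop/state subcommands are this example's own.

```sh
#!/bin/sh
# Added example (not from the Raspberry Pi docs or the StackOverflow answer):
# start ssh-agent only when no usable agent is reachable, so re-running your
# shell init does not spawn a new agent each time, and stop it again so it
# does not keep a WSL VM alive. Function and subcommand names are this example's own.

# agent_state -> prints 0 (agent reachable, has identities),
#                       1 (agent reachable, no identities), or
#                       2 (no agent reachable via $SSH_AUTH_SOCK).
# These are the documented exit codes of 'ssh-add -l'.
agent_state() {
  if ssh-add -l >/dev/null 2>&1; then
    echo 0
  else
    echo $?
  fi
}

# ensure_agent -> prints shell for the caller to eval; starts an agent only
# if none is reachable.   usage: eval "$(ensure_agent)"
ensure_agent() {
  if [ "$(agent_state)" -eq 2 ]; then
    ssh-agent -s
  else
    echo "# agent already reachable at ${SSH_AUTH_SOCK:-?}"
  fi
}

# stop_agent -> prints shell to eval that kills the agent this shell started
# (ssh-agent -k uses SSH_AGENT_PID).   usage: eval "$(stop_agent)"
stop_agent() {
  if [ -n "${SSH_AGENT_PID:-}" ]; then
    ssh-agent -k
  else
    echo "# no SSH_AGENT_PID in this shell; nothing to stop"
  fi
}

# usage: eval "$(sh agent.sh start)"; ssh-add ~/.ssh/id_rsa; ...; eval "$(sh agent.sh stop)"
case "${1:-}" in
  start) ensure_agent ;;
  stop)  stop_agent ;;
  state) agent_state ;;
esac
```

Put eval "$(ensure_agent)" in your shell startup file and it is safe to source repeatedly; once the agent is up, ssh-add ~/.ssh/id_rsa loads the private key (the .pub file is not what ssh-add wants, as the answer above notes). On WSL, eval "$(stop_agent)" before closing the last terminal lets the VM shut down.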
Adjust permissions for your home and .ssh directories
If you can't establish a connection after following the steps above there might be a problem with your directory permissions. First, check the sshd log on the Pi for errors. The docs use the Red Hat-style path /var/log/secure; on Raspberry Pi OS (Debian-based) sshd logs to /var/log/auth.log instead (or run journalctl -u ssh), so substitute that path:
tail -f /var/log/secure
# might return:
Nov 23 12:31:26 raspberrypi sshd[9146]: Authentication refused: bad ownership or modes for directory /home/pi
If the log says
Authentication refused: bad ownership or modes for directory /home/pi
there is a permission problem with your home directory. With StrictModes (the default), sshd refuses to use authorized_keys unless your home directory, ~/.ssh and the authorized_keys file are owned by you and are not writable by group or others. You can adjust the permissions using chmod:
chmod g-w $HOME
chmod 700 $HOME/.ssh
chmod 600 $HOME/.ssh/authorized_keys
(If your home directory is also world-writable, remove that bit too: o-w.) Now only the user itself has access to .ssh and .ssh/authorized_keys, in which the public keys of the machines allowed to log in as you are stored.
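The log line only appears on the Pi, and only after a failed attempt. As an added example (not from the Raspberry Pi docs), the script below reproduces sshd's StrictModes test locally for any home directory, names each offending path and mode, and applies the chmod fix from the section above. Function names, the --fix flag and the output wording are this example's own.

```sh
#!/bin/sh
# Added example, not from the Raspberry Pi docs: reproduce sshd's StrictModes
# test for a home directory so the "bad ownership or modes" refusal can be
# spotted (and fixed) without digging through the log. Function names are
# this example's own; the home directory is passed in so any path can be checked.

# mode_of PATH -> the 10-character mode string from ls, e.g. drwxr-xr-x
mode_of() { ls -ld "$1" | cut -c1-10; }

# owner_of PATH -> owner user name as shown by ls -l
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# writable_by_others PATH -> 0 if group (char 6) or others (char 9) may write
writable_by_others() {
  case "$(mode_of "$1")" in
    ?????w*)    return 0 ;;  # group write bit set
    ????????w?) return 0 ;;  # other write bit set
  esac
  return 1
}

# check_ssh_perms HOME_DIR -> prints one line per problem; 0 if clean, 1 otherwise.
# sshd requires HOME_DIR, HOME_DIR/.ssh and HOME_DIR/.ssh/authorized_keys to be
# owned by the user and not writable by group or others.
check_ssh_perms() {
  home="$1"
  me=$(id -un)
  rc=0
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    if [ ! -e "$p" ]; then
      echo "missing: $p"; rc=1; continue
    fi
    if [ "$(owner_of "$p")" != "$me" ]; then
      echo "bad owner ($(owner_of "$p"), expected $me): $p"; rc=1
    fi
    if writable_by_others "$p"; then
      echo "writable by group/others ($(mode_of "$p")): $p"; rc=1
    fi
  done
  return $rc
}

# fix_ssh_perms HOME_DIR -> the chmod commands from the docs, with o-w as well
fix_ssh_perms() {
  chmod go-w "$1"
  chmod 700 "$1/.ssh"
  chmod 600 "$1/.ssh/authorized_keys"
}

# usage: sh check_ssh_perms.sh "$HOME"          (report only)
#        sh check_ssh_perms.sh --fix "$HOME"    (fix, then report)
case "${1:-}" in
  --fix) fix_ssh_perms "${2:-$HOME}"; check_ssh_perms "${2:-$HOME}" ;;
  ?*)    check_ssh_perms "$1" ;;
esac
```

Run it on the Pi as the user you log in as; an empty report and exit status 0 means the modes are not what sshd is objecting to, and the problem lies elsewhere (wrong key, wrong user, or the key never reached authorized_keys).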
Store the passphrase in the macOS keychain
If you are using macOS, and after verifying that your new key allows you to connect, you have the option of storing the passphrase for your key in the macOS keychain. This allows you to connect to your Raspberry Pi without entering the passphrase.
Run the following command to store it in your keychain:
ssh-add -K ~/.ssh/id_rsa
On macOS Monterey (12) and later, Apple's ssh-add deprecates -K in favour of --apple-use-keychain; both do the same thing. Setting UseKeychain yes and AddKeysToAgent yes in ~/.ssh/config makes ssh pull the passphrase from the keychain and load the key into the agent on first use.
Note: if you instead get an "Enter PIN for authenticator" prompt (the issue described in https://stackoverflow.com/questions/64043238/enter-pin-for-authenticator-issue-related-to-ssh), you are running a non-Apple OpenSSH (8.2 or later), where -K means "load resident keys from a FIDO security key" and has nothing to do with a keychain; drop the flag as described next.
Not on macOS?
If you are not on macOS, ssh-add has no built-in keychain to store the passphrase in; that is the case for WSL on Windows, and for upstream OpenSSH according to the ssh-add(1) man page. Simply remove the -K argument. You will be asked for the passphrase once, and the decrypted key then stays in the agent for as long as that agent runs:
ssh-add ~/.ssh/id_rsa