Password-less Logins over SSH on Ubuntu Server
With automation and scheduled tasks, it is sometimes necessary to allow a process to run unattended, including processes that require some kind of authentication. Nobody wants to put a password in a script or commit some authentication to a file that can otherwise be read by others.
In this post you will setup a password-less, but secure, connection between two Ubuntu servers for a scheduled script to run, as an example.
0 . Latest updates and prerequisites.
2025.09.16 – Updated for Ubuntu 24.04 Server.
Check back for updates, if you run into trouble. Leave a comment if the post is missing some detail.
You need no specific permissions for this, just command line access as the user from which the connection is made and the user on the remote system which the connection is made to.
In this post, any computer can be the client and any computer can be the server, these terms can be interchanged depending on which computer will initiate the connection.
1 . From the client, create a key pair.
If none previously exists: Use “ssh-keygen” to create a key while logged in as the user who needs this access. This step is done at the client side, the computer from which the connection is initiated. The comment (‘ -C ‘) field should be some useful detail, such as who made the key on which computer. When prompted for password or location, press Enter, leaving these fields as blank or default. If you put a password here, then each connection will require that password, rather then the user password.
sudo ssh-keygen -t rsa -b 4096 -C "username@computername"A key pair has been generated, ~/.ssh/id_rsa.pub and ~/.ssh/id_rsa, your public and private keys, respectfully, for this user, on this computer.
2 . Copy the public key to the server.
At the side of the server, or the computer to which the password-less connection is required, login as the local username under-which the connection is to be made.
The contents of ~/.ssh/id_rsa.pub from the client, needs to be copied to a new line in the file ~/.ssh/authorized_keys on the server.
The file ~/.ssh/authorized_keys is just a list of keys that may connect without a password challenge.
ssh-rsa AAAAB3Nz... ...xXliXR6cf+fqHSYKFw== root@server15
ssh-rsa AAAAB3Nz... ...l9BVFpVDTIs4rlvLYQ== monitoringuserSave the file and test the connection. From the client, logged in as the user with the key in ~/.ssh/id_rsa.pub login to the server as the user with the key in ~/.ssh/authorized_keys.
admin@server40:~# ssh admin@server32
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-83-generic x86_64)
...
admin@server32:~#The first time a connection is made, a prompt appears to accept the server’s certificates. This prompt will appear if the servername, IP address or network interface change.
3 . Lockdown the server to key based authentication, only.
Its a good idea to lock down the server to not accept usernames with passwords, anymore. This significantly reduces the attack surface and makes brute force attacks almost impossible.
In Ubuntu (and other distributions) this is a setting in /etc/ssh/sshd_config:
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
...The SSH service needs to be restarted for this change to take effect:
admin@server32:~# systemctl restart sshd.serviceFrom this point onward, all logins need to be in the format “username@servername” where that username on the server holds a copy of the public key and the initiating user on the client has the private key.
4 . Test the authentication with a scheduled job.
Assuming a file needs to be copied between the client and server, something simple can be setup such as:
admin@server40:~# scp test.file admin@server32:/tmp
test.file 100% 2048KB 5.5MB/s 00:00
It is also possible to read files from a remote system over SSH without handling passwords or credentials:
admin@server40:~# ssh admin@server32 "cat /etc/hosts"
127.0.1.1 server32
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Of course this opens up a lot of possibilities in terms of automation and mundane task handling when you are looking after more than one server while not worrying about passwords being encoded into files or scripts.
If you just realised you have locked out all your colleagues from the office server, change the setting in /etc/ssh/sshd_config to yes or just remark out the whole line:
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication noThen restart sshd.service and everbody gets to use passwords, again.
4 . Supporting this blog.
This type of content takes a lot of effort to write. Each post is drafted, researched, then tested multiple times, even a simple step or detail might take more than a few hours to go from the idea to a published blog post.
If you feel I have saved you some time, you can support me by;
- hosting with DigitalOcean, like I do – DigitalOcean.
- buying me a beer through PayPal – PayPal.
© HorseFreeGlue, 2025. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibitentent.