Linux SSH Passwordless Login Configuration

Overview

Configuring passwordless SSH login via a bastion host to a target server (e.g., 10.30.3.232) takes a few steps. This guide walks through the process using SSH key-based authentication.

Step 1: Check for Existing SSH Keys

Log in to the bastion host and switch to the desired user account. Check if SSH key files already exist in the .ssh directory.

[it_support@localhost ~]$ sudo su - root

[root@localhost ~]# ls -lha ~/.ssh/
-rw-------  1 root root    0 Jun 23  2021 authorized_keys
-rw-r--r--  1 root root 4.5K Nov 16 16:19 known_hosts

Step 2: Generate SSH Key Pair

If no key files are present, generate a new RSA key pair using ssh-keygen.

[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.

After generation, verify the presence of the new key files:

[root@localhost ~]# ls -lha ~/.ssh/  
-rw-------  1 root root    0 Jun 23  2021 authorized_keys
-rw-------  1 root root 1.7K Jan  9 17:19 id_rsa
-rw-r--r--  1 root root  400 Jan  9 17:19 id_rsa.pub
-rw-r--r--  1 root root 4.5K Nov 16 16:19 known_hosts

Step 3: Upload Public Key to Target Server

Use ssh-copy-id to copy the public key from the bastion host to the target server:

ssh-copy-id -p 1618 root@10.30.3.232

When the connection is made, the target server's host key is added to the known_hosts file, which is created if it does not exist:

[root@localhost ~]# cat ~/.ssh/known_hosts | grep "10.30.3.232"
[10.30.3.232]:1618 ecdsa-sha2-nistp256 ******

Step 4: Test the Connection

Attempt to connect to the target server using SSH:

ssh -p 1618 root@10.30.3.232

Troubleshooting: Permission Denied After Setup

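If SSH returns a Permission denied error after configuration, it may be due to a changed host key. In that case the host key offered by the target no longer matches the entry stored in known_hosts, and SSH disables password authentication, as the output below shows.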

[root@localhost ~]# ssh -p 1618 root@10.30.3.232
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:fbwp9nIMYhEvzvy+Om9fh35D64Er1puKMdbVjQFZVdA.
Please contact your system administrator.
Add correct host key in /home/root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/root/.ssh/known_hosts:170
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Resolution

Remove the outdated entry for the IP address from the known_hosts file:

grep -vF "10.30.3.232" ~/.ssh/known_hosts > ~/.ssh/known_hosts.tmp && mv ~/.ssh/known_hosts.tmp ~/.ssh/known_hosts

Then re-run the ssh-copy-id command:

ssh-copy-id -p 1618 root@10.30.3.232
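
The grep filter in the Resolution step drops every line that contains the address string, so entries for other ports, or for hosts whose address merely contains it, are removed as well. The following is an added example, not part of the original post, that removes only the exact [host]:port entry and keeps a backup; the function names and the sample file contents are constructed for illustration, and hashed known_hosts entries are not handled.

```shell
#!/bin/sh
# Added example (not from the original page): exact-match known_hosts cleanup.

# remove_known_host FILE HOST PORT
# Returns 0 if an entry was removed, 1 if none matched. Keeps FILE.old as a backup.
remove_known_host() {
    file=$1; host=$2; port=$3
    # OpenSSH writes non-default ports as "[host]:port" and port 22 as bare "host".
    if [ "$port" = "22" ]; then pat=$host; else pat="[$host]:$port"; fi
    tmp=$(mktemp "$file.XXXXXX") || return 1
    if awk -v pat="$pat" '
        # Comments, blank lines and @cert-authority/@revoked lines pass through.
        /^[ \t]*#/ || /^[ \t]*$/ || /^@/ { print; next }
        {
            # Field 1 is a comma-separated list of names for this key.
            n = split($1, names, ","); kept = ""; hit = 0
            for (i = 1; i <= n; i++) {
                # Literal string comparison: no regex, no substring match.
                if ((names[i] "") == (pat "")) { hit = 1; removed = 1; continue }
                kept = (kept == "" ? names[i] : kept "," names[i])
            }
            if (hit && kept == "") next      # the key belonged only to this host
            if (hit) $1 = kept               # other names keep the key
            print
        }
        END { exit (removed ? 0 : 1) }
    ' "$file" > "$tmp"; then
        cp -p "$file" "$file.old" && mv "$tmp" "$file"
    else
        rm -f "$tmp"; return 1
    fi
}

# Constructed sample data: key blobs are placeholders, not real keys.
make_sample() {
    cat > "$1" <<'EOF'
[10.30.3.232]:1618 ecdsa-sha2-nistp256 AAAA-constructed-stale-key
[10.30.3.232]:16180 ecdsa-sha2-nistp256 AAAA-constructed-other-port
[110.30.3.232]:1618 ssh-ed25519 AAAA-constructed-other-host
10.30.3.232 ssh-ed25519 AAAA-constructed-port-22
bastion,[10.30.3.232]:1618 ssh-rsa AAAA-constructed-shared-key
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir/known_hosts"
remove_known_host "$demo_dir/known_hosts" 10.30.3.232 1618
cat "$demo_dir/known_hosts"    # three unrelated entries plus "bastion ssh-rsa ..."
rm -rf "$demo_dir"
```

On a live system, ssh-keygen -R "[10.30.3.232]:1618" performs the same exact-match removal, also handles hashed entries, and saves the previous file as known_hosts.old. Before removing the entry, compare the fingerprint shown in the warning with the one reported on the target's console by ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub.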

Tags: ssh Linux Key-Based Authentication Bastion Host Security

Posted on Fri, 15 May 2026 16:23:44 +0000 by maya28