← Back to Garden
seedling

Passwordless SSH with SSH Keys

This document covers the setup of SSH key authentication for secure and convenient passwordless access to your homelab servers from your Mac Mini management station.

The Goal

To eliminate the need for typing passwords every time you SSH into a server, while simultaneously enhancing security. SSH keys provide a more robust authentication mechanism than passwords.

How it Works

Instead of a password, you use a pair of cryptographic keys:

  • Private Key: Stays securely on your Mac Mini. It's like a highly complex, unique signature.
  • Public Key: This is like a copy of your signature that you give to each server you want to access.

When you try to SSH, the server asks for your public key, then challenges your Mac Mini to prove it holds the corresponding private key. If successful, you're granted access without a password.

Setup Steps

All these steps are performed from the terminal on your Mac Mini (the client machine).

1. Generate Your SSH Key Pair

First, check if you already have an Ed25519 key (a modern, secure key type).

ls ~/.ssh/id_ed25519.pub
  • If the command returns "No such file or directory," you need to generate a new key.
  • If it shows the file, you can skip this step, or generate a new one if you prefer.

To generate a new key (replace with your email):

ssh-keygen -t ed25519 -C "your-email@example.com"
  • Prompts:
    • Enter file in which to save the key (~/.ssh/id_ed25519): Press Enter to accept the default location.
    • Enter passphrase (empty for no passphrase): Press Enter twice for an empty passphrase. An empty passphrase allows true passwordless access. For added security, you can set a passphrase, but you'll be prompted for it once per session when the key is first used.

2. Copy Your Public Key to Homelab Servers

The ssh-copy-id command securely appends your public key (~/.ssh/id_ed25519.pub) to the ~/.ssh/authorized_keys file on the remote server.

You will be asked for the server's password one last time during this process.

  • To Raspberry Pi:

    ssh-copy-id pi@192.168.68.13

  • To Thinkcentre:

    ssh-copy-id ashish@192.168.68.11

    (Note: The IP address for Thinkcentre was 192.168.68.59 dynamically during this step but is now 192.168.68.11 statically.)

3. Verify Passwordless Access

After copying the keys, try to SSH into each server again.

ssh pi@192.168.68.13

ssh ashish@192.168.68.11

You should now be logged in instantly without any password prompt.

Future Step: SSH Aliases

To make connections even easier, you can set up short aliases in your Mac Mini's ~/.ssh/config file. This lets you type ssh pi instead of ssh pi@192.168.68.13.

# Edit SSH config file
nano ~/.ssh/config

Add entries like these (adjust usernames as needed):

Host pi
    HostName 192.168.68.13
    User pi

Host thinkcentre
    HostName 192.168.68.11
    User ashish

# You would add entries for your NAS and Mac Mini M2 later
# Host nas
#    HostName 192.168.68.12
#    User your-nas-user

After saving, you can simply use ssh pi or ssh thinkcentre.