SSH Login Without Password

Summary: How to use a key pair (public key authentication) for SSH login.
Date: Around 2014
Refactor: 29 March 2025: Checked links and formatting.

Goal

The goal is to have an automatic SSH login so my script doesn't need any passwords in its configuration files. Automatic login through SSH works with public key authentication. We want to create a key pair whose public key can be placed in the remote server user's .ssh directory.

Source Host

As the user who is going to start the script, issue this command (do not enter a passphrase):

bash-3.00$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/dbuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/dbuser/.ssh/id_rsa.
Your public key has been saved in /home/dbuser/.ssh/id_rsa.pub.
The key fingerprint is:
52:45:7a:ca:85:70:7b:cb:f8:1f:33:7a:50:14:73:83 dbuser@dbserver.company.local

Target Host

You can add the public key to the authorized_keys file manually:

syncuser@syncserver:~/.ssh> ll
total 8
-rw-r--r-- 1 repluser users 1472 2009-01-05 17:12 authorized_keys
-rw-r--r-- 1 repluser users  250 2008-10-10 12:24 known_hosts
 
syncuser@syncserver:~/.ssh> vi authorized_keys

Or you can append it over SSH from the source host with this command:

cat .ssh/id_rsa.pub | ssh syncuser@syncserver 'cat >> .ssh/authorized_keys'

Known Hosts

When you try to connect now, you get a one-time warning if the server is not yet in your list of known hosts:

The authenticity of host 'syncserver,10.10.10.10' can't be established.
RSA key fingerprint is 84:17:4c:27:21:53:ef:fc:6f:57:9d:48:03:c6:17:6b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'syncserver,10.10.10.10' (RSA) to the list of known hosts.

Authorized Key Is Ignored

If the key is ignored, that is, you still have to enter your password, it could be that the .ssh directory and/or the authorized_keys file is readable/writable by users other than yourself. Fix that by setting the permissions to allow only yourself (chmod 700 .ssh).
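
A check for the condition described above, added here as an example and not part of the original page: with StrictModes enabled (the OpenSSH default), sshd ignores authorized_keys when the home directory, .ssh, or the file itself is writable by group or others. The function names, and the extra chmod steps for the home directory and authorized_keys, are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the paths sshd's StrictModes inspects for one account.
# Usage after sourcing this file on the target host:
#   check_ssh_perms /home/syncuser    (defaults to $HOME)
#   fix_ssh_perms   /home/syncuser

# Succeeds if group or others have write permission on $1.
# Uses only POSIX find options so it works without GNU stat.
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_ssh_perms() {
    home=${1:-$HOME}
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            bad=1
        elif writable_by_others "$p"; then
            echo "WRITABLE $p (group/other write bit set)"
            bad=1
        fi
    done
    return $bad
}

# Applies the page's "chmod 700 .ssh". The go-w on the home directory and
# the 600 on authorized_keys are additions of this example.
fix_ssh_perms() {
    home=${1:-$HOME}
    chmod go-w "$home" &&
    chmod 700 "$home/.ssh" &&
    chmod 600 "$home/.ssh/authorized_keys"
}
```

If the check is clean and the key is still ignored, the sshd log on the target host states the reason for the refusal.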