How to Disable SSH Passphrase Prompt When Connecting as Specific User


2 views

The difference in authentication behavior between nt_deployer and emai users occurs because:

1. nt_deployer connection attempts to use public key authentication first
2. Your private key at ~/.ssh/id_rsa is passphrase-protected
3. The emai connection falls back to password authentication directly

The most secure approach is to use ssh-agent:

# Start ssh-agent if not running
eval "$(ssh-agent -s)"

# Add your key to the agent
ssh-add ~/.ssh/id_rsa

# Enter passphrase once when prompted
# Subsequent connections won't ask for passphrase

Create or modify ~/.ssh/config:

Host mysite-staging
    HostName mysite-staging.nettheory.com
    User nt_deployer
    IdentitiesOnly yes
    IdentityFile ~/.ssh/deployer_key  # Key without passphrase
    PreferredAuthentications password

If security policy allows (not recommended for production):

ssh-keygen -t rsa -b 4096 -f ~/.ssh/deployer_key -N ""
chmod 600 ~/.ssh/deployer_key
ssh-copy-id -i ~/.ssh/deployer_key nt_deployer@mysite-staging.nettheory.com
  • ssh-agent keeps keys in memory only during session
  • Passphrase-less keys should have limited permissions
  • Consider using SSH certificates for better security
  • Always use strong passwords for fallback authentication

Use verbose mode to understand authentication flow:

ssh -v nt_deployer@mysite-staging.nettheory.com

Look for these key lines in output:

debug1: Offering RSA public key: /Users/emai/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password

The difference in behavior between nt_deployer and emai users indicates a configuration issue in SSH key authentication. When SSH asks for a passphrase, it's because:

  • A private key exists in your ~/.ssh directory
  • The key is protected by a passphrase
  • SSH is attempting to use this key for authentication

First, verify which keys are being offered to the server:

ssh -v nt_deployer@mysite-staging.nettheory.com

Look for lines containing Offering public key in the debug output. This will show exactly which key is being used.

The most secure way to handle this is using ssh-agent:

# Start the SSH agent if not running
eval "$(ssh-agent -s)"

# Add your key to the agent (will prompt for passphrase once)
ssh-add ~/.ssh/id_rsa

# Now connect - should not prompt for passphrase
ssh nt_deployer@mysite-staging.nettheory.com

For persistent key management across sessions, consider using keychain:

# Install keychain (MacOS)
brew install keychain

# Add to your shell profile (~/.bash_profile or ~/.zshrc)
eval $(keychain --eval --quiet id_rsa)

# Source your profile or restart terminal

Verify the authorized_keys file on the server for the nt_deployer user:

ssh nt_deployer@mysite-staging.nettheory.com
cat ~/.ssh/authorized_keys

Ensure the public key matches your local private key. If not, add it:

ssh-copy-id -i ~/.ssh/id_rsa.pub nt_deployer@mysite-staging.nettheory.com

If SSH key authentication fails, the server may fall back to password authentication. To enforce key-only authentication, modify the server's /etc/ssh/sshd_config:

PasswordAuthentication no
PubkeyAuthentication yes

Then restart SSH:

sudo service ssh restart
  • Permissions: chmod 600 ~/.ssh/id_rsa
  • Key format: Ensure keys are in OpenSSH format
  • Agent persistence: Verify ssh-agent is running in all terminal sessions