Multipass is an excellent tool for running Ubuntu on macOS or Windows laptops. Out of the box it does not enable passwordless SSH access to the Ubuntu instance, and instead you use the multipass shell command. Sometimes you need passwordless SSH access, however.
In my case I want to experiment with remote control access to Docker. To do this requires passwordless access to a Linux instance that's running Docker. What passwordless SSH means is to install ones "SSH Key" as an authorized key for a remote system. At that point you're able to use SSH to access that remote system, without it asking you for a password.
Multipass has the multipass shell command that starts a login session inside the Multipass instance. For most intents and purposes that is fine, and I have been using Multipass for months without needing any other access method.
UPDATE: This article is updated from one written in May 2020. The current Multipass version is 1.12.2 with macOS as the host system. The upcoming release is 1.13.0, but because my Mac is older I am unable to upgrade to a macOS version which supports Multipass. /UPDATE
The multipass shell command is not the same as using ssh -l ubuntu NNN.NNN.NNN.NNN to access a Multipass instance. There are many things you can do with SSH access to a computer which are not possible with multipass shell.
To determine the IP address for a Multipass instance, run this command:
$ multipass list
Name State IPv4 Image
primary Running 192.168.64.14 Ubuntu 22.04 LTS
In this case it is 192.168.64.14. For instances that have multiple network interfaces, there is a separate IP address assigned to each interface.
Out of the box this is what results:
$ ssh ubuntu@192.168.64.14
The authenticity of host '192.168.64.14 (192.168.64.14)' can't be established.
ECDSA key fingerprint is SHA256:+rBEXAMPLEb2MREXAMPLE4+mOukYDtkoJ4EXAMPLExs.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.64.4' (ECDSA) to the list of known hosts.
ubuntu@192.168.64.4: Permission denied (publickey).
This tells us the Multipass instance is running an SSH service. But, we are unable to complete the login due to some issue with the keys.
We know from using Multipass Ubuntu instances, that the default user account is named ubuntu, and that Multipass assigns an IP address to the instance. That IP address can be used for example to access a service hosted inside the instance. But, as you can see, Multipass instances are not configured to allow login with SSH. Further, we do not know what the password of that Ubuntu user account is.
Any time you see Permission denied (publickey) as the response to using SSH to access a system, it means your public key is not valid with that remote system. The universal cure is to add your public SSH key to the authorized keys of the remote system. That it's a Multipass instance doesn't make any difference, because the cure is the same.
Why do we need passwordless SSH? I've survived for months using Multipass in its default state. But consider an example in another post, Use Canonical's Multipass to display Linux desktop on macOS desktop and VNC, where I discuss setting up an SSH tunnel to assist running VNC.
$ ssh -L 5901:127.0.0.1:5901 \
-C -N -l ubuntu YOUR-SERVER-IP-ADDRESS
There many uses for SSH tunnels, not just for setting up VNC access. And, there are many tools will use an SSH URL, like ssh://user-name@server-name, to access a service. In other words, it depends on what you're doing in an Multipass instance as to why or whether you need passwordless SSH access.
Setting up passwordless SSH for a Multipass instance
This is so trivially easy to implement.
First off, you must have an SSH key for the host from which you'll access the Multipass instance. Next, you install that SSH key in the authorized_keys file in the instance. Finally, you profit.
The following steps are identical to how you implement passwordless SSH access to any Linux/FreeBSD/macOS/etc system.
If you're using a Linux or macOS machine, an SSH key is easily generated using the ssh-keygen tool. For Windows, well, I was about to say that SSH is not easily available for Windows, but I see that
OpenSSH is available in Windows 10 since October 2018.
On the Multipass instance, do this:
# Enter the Multipass instance
$ multipass shell instance-name
# Now logged in to the instance
ubuntu@instance-name: $ ssh-keygen
Generating public/private rsa keypair
# ... more output -- hit RETURN for every prompt
This generates a ~/.ssh directory and other files like so:
ubuntu@instance-name: $ ls ~/.ssh
authorized_keys id_rsa id_rsa.pub known_hosts
Now, make sure you have an SSH key on the host from which you wish to access the Multipass instance. For example, look for a ~/.ssh directory similar to what we just created inside the instance.
The defaults generate an RSA public/private key pair. This means ~/.ssh/id_rsa contains the private key, and ~/.ssh/id_rsa.pub contains the public key. The authorized_keys file contains the public keys that are allowed to access the computer. The known_hosts file contains the signatures for any host that has been accessed.
An SSH public key looks like this:
$ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EXAMPLEQABAAABAQDBAeUncZx5zWVI2Yry+pYCZSIRR88Cvt3gq5fbzerFvMcOKEXAMPLEXAMPLRLEV8L1ovH+gjO+5Ma4DNuhAKh5f21YFV7j6EXAMPLEIfmZt1l6u4BcUTEXAMPLEdvl8U8oswZ/ivVxyWhSnHMqp3FiXpCPuN9bqnTuEXAMPLEf/Fo2EXAMPLEp/wMljTn5WQBKJ8uM7tP+aEXAMPLEryDtgWe65EXAMPLENFjdAEXAMPLEP+0h/jDeh25jr1KU9yVwVEXAMPLEeNqgrLwGt/m1A8ueuaMZobyxRRDt5rNACx3BZoJEXAMPLEOUj6JHuApZqLu8IDc5t3hMhYazcmUx EXAMPLE@EXAMPLE
This is not a real SSH key, but a modified one. Once you have this block of text, you use it to enable passwordless access to the remote computer. In this case:
$ multipass shell instance-name
# Now logged in to the instance
ubuntu@instance-name: $
$ ls .ssh
authorized_keys
You simply edit that file and paste in the text of your SSH key.
You then save that file, and log out of the Multipass instance. BTW, these instructions work for any remote computer that uses OpenSSH, not just the Ubuntu instance running inside Multipass.
Once you've done that, you can run:
$ ssh ubuntu@192.168.64.14
,,,
And you will log-in to the Multipass instance without requiring a password.
