Hello everyone, today we will learn how to set up passwordless SSH login to a Linux system. Only workstations holding the matching key pair (private and public) are allowed to log in to the SSH server; without the key pair, access is refused.
Usually we enter a username and password combination to connect to the SSH console. If the combination matches what the system has on record we get access to the server, otherwise we are rejected. There is something more secure than password login: passwordless SSH login using a cryptographic key pair.
To enable this option we disable password logins and only allow logins with keys. The client computer generates a private and public key pair and uploads the public key to the authorized_keys file on the SSH server. The server and client then verify the key pair before access is granted: if the public key on the server matches the private key presented by the client, access is granted, otherwise it is denied.
This is a very secure way to authenticate to your SSH server, and it is recommended whenever you want to implement secure SSH login. Below is a quick step-by-step procedure for enabling passwordless SSH login.
Table of Contents
- 1) Check / install ssh service
- 2) Use ssh-keygen to configure the key pair
- 3) Copy the public key manually or use ssh-copy-id
- 4) Setting permissions
- 5) SSH can connect to partner host without password
- Best practice considerations
- Conclusion
1) Check / install ssh service
In some Linux releases the openssh server is installed by default, so before installing, check whether it is already present:
```
# rpm -q openssh-server
openssh-server-6.6.1p1-33.el7_3.x86_64
```
If it is not installed on your system, update the repository and install the package:
```
# yum check-update
Loaded plugins: fastestmirror
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
base                                                     | 3.6 kB  00:00:00
extras                                                   | 3.4 kB  00:00:00
updates                                                  | 3.4 kB  00:00:00
# yum install openssh-server
```
2) Use ssh-keygen to configure the key pair
To log in to the server without a password you use public key authentication, which also improves server security by requiring the private SSH key to log in. To generate the SSH key pair, use the ssh-keygen command: it generates two keys and stores them in two different files inside the hidden folder .ssh in the user's home directory. You can give the files your own name; by default they are stored as id_dsa (private key) and id_dsa.pub (public key) for DSA keys, or id_rsa and id_rsa.pub for the RSA key created below.
When you create the key you will be asked for a passphrase. It protects your private key, and you will be asked for it whenever you use the key to connect via ssh.
```
# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
04:d3:00:7a:25:d0:08:ab:0c:b1:29:d4:e1:7b:62:f2 [email protected]centos-01
The key's randomart image is:
+--[ RSA 2048]----+
|ooo=+.=o         |
|.=oo.o o.        |
|* ... .          |
|= .. .           |
|.o + . S         |
| + o             |
| E               |
|                 |
|                 |
+-----------------+
```
3) Copy the public key manually or use ssh-copy-id
To log in without a password you need to copy the contents of the public key to the server: create a .ssh folder on the server and copy your local public key (id_rsa.pub here) into the file ~/.ssh/authorized_keys, which will be created on the server. You can do this manually or use the ssh-copy-id command.
Create the .ssh folder on our server. On first contact ssh shows the server's host key fingerprint; confirm it against the value on the server (for example from ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub) before answering yes:
```
# ssh [email protected] mkdir -p .ssh
The authenticity of host '10.132.6.180 (10.132.6.180)' can't be established.
ECDSA key fingerprint is 56:54:51:4d:fe:f4:fb:8f:f0:b4:6c:9c:0d:7c:57:4b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.132.6.180' (ECDSA) to the list of known hosts.
[email protected]'s password:
```
Take a look at the contents of our public key:
```
# cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjuK9+zkGJYy1MGjkPH3ZFoDGAm9uYQVdXWc283/yk9/9C+MazFT8mSlHYNTRpBThXH9VKbjHo2SAvm6BocB7m6b0DRErU8Hsp4PRfElDwPn/J8AE+hIkZ/bo2dMUOXTZVsdigpm8dOUCcfKKoZMvOU7C0HTBjeAoj/Nxv/4H5UBgEIg8ihVYeVplcDoT7bCmvES9bb7Ry4lrzusjdXp+mL388EGVU+46O1UNb8KE86tWdT/XTFVkSNFCA3bQLmQMWyuT/tgUEYHETcqBaTdFEGBaJ+pQ85/0b5vRCMktbrkrvPDKeM9BfQkBRKsBJxGR2Ag/HXAq7ieIKMoxs+Smr [email protected]
```
Now append our public key contents to the authorized_keys file on the remote server:
```
# cat .ssh/id_rsa.pub | ssh [email protected] 'cat >> .ssh/authorized_keys'
```
Using ssh-copy-id
If you don't want to copy it manually, ssh-copy-id does it in one command:
```
# ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
```
4) Setting permissions
On the server you need to protect the key material, so set restrictive permissions on the .ssh directory and the authorized_keys file (with the default StrictModes setting, sshd ignores an authorized_keys file that is writable by other users):
```
# chmod 700 .ssh
# chmod 600 .ssh/authorized_keys
```
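Steps 3 and 4 can be combined into one idempotent helper. The following is an added example, not code from the original article: install_pubkey (a name chosen here) validates the public key line, creates the .ssh directory with mode 700, appends the key only if the same key type and blob are not already present, and sets mode 600 on authorized_keys. It assumes an OpenSSH-format public key file and is meant to run on the server or against a local copy of authorized_keys; the demo key at the bottom is constructed and not a real key.

```shell
# Added example: idempotent install of a public key into authorized_keys.
# usage: install_pubkey PUBFILE [AUTHORIZED_KEYS]   (default ~/.ssh/authorized_keys)
install_pubkey() {
    pubfile=$1
    target=${2:-"$HOME/.ssh/authorized_keys"}
    keydir=$(dirname "$target")
    keyline=$(head -n 1 "$pubfile")

    # Accept one line in OpenSSH format: key type, base64 blob, optional comment.
    if ! printf '%s\n' "$keyline" |
         grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)'; then
        echo "install_pubkey: $pubfile is not an OpenSSH public key" >&2
        return 1
    fi
    ktype=${keyline%% *}            # field 1: key type
    rest=${keyline#* }
    kblob=${rest%% *}               # field 2: key blob; the comment is ignored when matching

    old_umask=$(umask)
    umask 077                       # directory and file are private from creation
    mkdir -p "$keydir" && chmod 700 "$keydir"
    # Duplicate check on type + blob (lines with an options prefix are not matched).
    if [ -f "$target" ] &&
       awk -v t="$ktype" -v b="$kblob" '$1 == t && $2 == b { f = 1 } END { exit !f }' "$target"; then
        echo "install_pubkey: key already present in $target"
    else
        printf '%s\n' "$keyline" >> "$target"
    fi
    chmod 600 "$target"             # same permissions as step 4
    umask "$old_umask"
}

# Demo on a constructed key (not a real key) inside a temporary directory.
demo=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY demo@client\n' > "$demo/id_demo.pub"
install_pubkey "$demo/id_demo.pub" "$demo/.ssh/authorized_keys"
install_pubkey "$demo/id_demo.pub" "$demo/.ssh/authorized_keys"   # second run adds nothing
cat "$demo/.ssh/authorized_keys"
```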
5) SSH can connect to partner host without password
Now that we have copied the public key to the server, we can use the key to log in. Test with the following command:
```
[[email protected] ~]# ssh [email protected]
Enter passphrase for key '/root/.ssh/id_rsa':
Last login: Mon Apr 17 06:01:07 2017 from 10.132.68.13
[[email protected] ~]#
```
You can see that we are now prompted for the key passphrase instead of the account password, and we are connected to the server "centos-02". Now we just need to enable authentication via public key and disable authentication via password.
For this we need to edit the /etc/ssh/sshd_config file on the server. Don't delete anything; just modify the lines as below. (RSAAuthentication is a protocol 1 option that recent OpenSSH releases ignore; PubkeyAuthentication is the one that matters. UsePAM no also switches off PAM account and session handling on the server, so check what your distribution relies on before changing it.)
```
# vim /etc/ssh/sshd_config
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM no
ChallengeResponseAuthentication no
```
Now reload the service. Keep your current session open and test the key login from a second terminal before closing it, so that a mistake in sshd_config cannot lock you out:
```
systemctl reload sshd
```
Adding keys with ssh-add
Now that we have configured the public key for the server connection, we still have to enter the passphrase. The problem is that every time we connect to the server we are prompted for the passphrase, which is hardly different from being prompted for a password. We need a way for the client to use our private key without prompting each time, and for that we use the ssh-agent command:
```
# ssh-agent $SHELL
# ssh-add -L
The agent has no identities.
# ssh-add
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
```
Now try to log in to our remote server:
```
# ssh [email protected]
Last login: Tue Apr 18 00:48:08 2017 from 10.132.68.13
```
You will see that we are no longer prompted for the passphrase.
Upgrade SSH keys for better security
The best practice is to use SSH public key authentication instead of sending a password over the network. It is also important to renew SSH keys regularly: some people have been using the same SSH key for years. Note that DSA keys and 1024-bit RSA keys are deprecated. I recommend upgrading to Ed25519 keys, which use fast, compact elliptic curve cryptography with a high-security signature scheme. You can generate such a key with a single command, ssh-keygen -o -a 100 -t ed25519, as follows:
```
# ssh-keygen -o -a 100 -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ed25519.
Your public key has been saved in /root/.ssh/id_ed25519.pub.
The key fingerprint is:
9a:aa:da:75:a3:58:22:a0:0a:f1:63:62:c2:2f:da:31 [email protected]
The key's randomart image is:
+--[ED25519 256--+
|                |
|                |
|                |
|                |
|o       S       |
|+o   o          |
|*oE o =         |
|=B.O + .        |
|=.*oo           |
+----------------+
```
The private key is saved in the identity file ~/.ssh/id_ed25519, alongside your other keys in the .ssh folder. Copy the public key ~/.ssh/id_ed25519.pub to the target host for authentication as in step 3, and add both keys to the agent:
```
# eval `ssh-agent -s`
Agent pid 32377
# ssh-add
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
Enter passphrase for /root/.ssh/id_ed25519:
Identity added: /root/.ssh/id_ed25519 (/root/.ssh/id_ed25519)
```
Best practice considerations
Create a normal user account on the remote server
It is recommended to log in to the server through ssh as an ordinary user with ordinary privileges. So we create a normal user account on the server for logging in, and when other operations require it we become root with the su - command.
For example, we will create an account linoxide with normal permissions:
```
# useradd -m linoxide
```
Now copy the authorized_keys file into the new user's home directory (copy only authorized_keys if root's .ssh directory also holds private keys or other files the new user should not receive):
```
# cp -R .ssh/ /home/linoxide/
```
and give the new account ownership of it:
```
# chown -R linoxide:linoxide /home/linoxide/.ssh/
```
Try to connect to our server with the new account:
```
# ssh [email protected]
Last login: Tue Apr 18 02:06:25 2017
[[email protected] ~]$
```
Disable SSH root login
Now that we can access the server with a normal account, we can disable root login for best security. Edit /etc/ssh/sshd_config on the server: the relevant line looks like #PermitRootLogin yes, so uncomment it and change it to the line below:
```
PermitRootLogin no
```
Save the file and restart the service:
```
# systemctl restart sshd
```
Now, from the client, try to connect to the server with your root account:
```
# ssh [email protected]
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
```
You can see that root can no longer connect. Now try our regular account:
```
# ssh [email protected]
Last login: Tue Apr 18 02:10:53 2017 from 10.132.68.13
[[email protected] ~]$
```
You will see that we can log into the server with a normal account. Now if we need root operations, execute:
```
$ su - root
Password:
Last login: Tue Apr 18 02:23:20 UTC 2017 on pts/1
[[email protected] ~]#
```
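To confirm that the sshd_config edits from step 5 and the PermitRootLogin change above actually took effect, here is an added example (not code from the original article) that audits a copy of sshd_config offline. sshd_effective and sshd_audit are names chosen here; the parser reproduces sshd's reading of the global section (comments skipped, keywords case-insensitive, the first occurrence of a keyword wins, settings after a Match line are conditional and therefore not considered), and the defaults assumed are those of the OpenSSH 6.6 shipped with the CentOS 7 used in the article. On the server itself, sshd -T prints the authoritative effective configuration.

```shell
# Added example: offline audit of the sshd_config settings used in this article.
# usage: sshd_effective FILE KEYWORD DEFAULT   -> prints the effective global value
sshd_effective() {
    awk -v k="$2" -v d="$3" '
        BEGIN { k = tolower(k); v = d }
        /^[[:space:]]*(#|$)/ { next }                   # comments and blank lines
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            n = match(line, /[[:space:]=]+/)            # keyword ends at blank or "="
            kw = tolower(n ? substr(line, 1, n - 1) : line)
            if (kw == "match") exit                     # Match blocks are conditional: stop
            if (kw == k) { v = n ? substr(line, n + RLENGTH) : ""; sub(/[[:space:]]+$/, "", v); exit }
        }
        END { print v }' "$1"
}

# usage: sshd_audit FILE   -> prints one line per setting, returns 0 only if all pass.
# Defaults are OpenSSH 6.6 (newer releases default PermitRootLogin to prohibit-password).
sshd_audit() {
    cfg=$1; rc=0
    for want in "PubkeyAuthentication yes yes" "PasswordAuthentication no yes" \
                "ChallengeResponseAuthentication no yes" "PermitRootLogin no yes"; do
        set -- $want                                    # keyword, expected value, default
        have=$(sshd_effective "$cfg" "$1" "$3" | tr 'A-Z' 'a-z')
        if [ "$have" = "$2" ]; then
            echo "ok:   $1 $have"
        else
            echo "FAIL: $1 is '$have', want '$2'"; rc=1
        fi
    done
    return $rc
}

# Demo on a constructed config, not a real server file: root login is still
# commented out, so the audit reports it (and ChallengeResponseAuthentication).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
#PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
sshd_audit "$demo_cfg" || echo "demo config is not fully hardened"
rm -f "$demo_cfg"
```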
Preventing SSH timeout sessions
When we connect to a remote server via ssh, we may be disconnected after a few minutes of inactivity. This is the idle timeout. We can prevent it by adding two lines to the SSH configuration.
If we have access to the server, modify the server-side file /etc/ssh/sshd_config:
```
# vim /etc/ssh/sshd_config
```
Now add the following two lines at the end of the file:
```
ClientAliveInterval 120
ClientAliveCountMax 3
```
Let me explain these settings:
- ClientAliveInterval: sets the interval in seconds after which, if no data has been received from the client, the server sends a keepalive message to the client (0 = never). If the client answers, the connection stays open.
- ClientAliveCountMax: sets the maximum number of ClientAlive messages without an answer that the server tolerates before closing the connection.
If we don't have access to the server, we create the client-side file ~/.ssh/config in our home directory (ssh refuses to use this file if it is writable by other users, so keep it at mode 600):
```
# touch ~/.ssh/config
```
Now add the two lines below:
```
ServerAliveInterval 120
ServerAliveCountMax 3
```
Cheers! We have successfully enabled passwordless SSH login. SSH login with a key pair is very secure, and it is recommended whenever you want to implement secure SSH login. If you have any questions, suggestions or feedback, please write in the comment box below. Thank you! Enjoy secure SSH login 🙂