Setup Passwordless Ssh Login in Simple Steps

Usually, we enter a username and password combination to connect to an SSH console. But, there is something more secure than Password logon, we have passwordless SSH login using the encrypted keys. The chances to crack a key are effectively zero, while bad passwords are all too common with a brute-force attempt.

Only the workstations having the correct matching key pair (private and public) will be allowed to logon to the SSH server, without the key paring, access will not be allowed.

In this tutorial, we'll gonna learn how we can setup Passwordless SSH login to Linux systems.

To illustrate passwordless ssh login, I am going connect (ssh) from a client CentOS machine (192.168.168.121) to a remote Ubuntu machine (192.168.215.83) without any password.

Check for existing SSH Keys

You may have some existing keys on your client machine which were created earlier. You can either use the existing key or create a new one. Also, remember you may overwrite your exiting key if you run the ssh-keygen command with the same options.

$ ls -al ~/.ssh/id_*.pub

If it returns No such file or directory, means no public keys currently available.

1) Generate the Key Pair

To generate ssh keys, you can use ssh-keygen command which will generate two keys and store them in two different files. These two files are stored in a hidden folder .ssh in the user home directory. You can provide your own names for the file or by default it will be stored in id_dsa (private key) and id_dsa.pub (public key) files.

When you create your keys you will be asked for a passphrase. It is used to protect your key and you will be asked for it when you will want to connect via ssh.

The following ssh-keygen command creates a new ssh key with 4096 key size (-b), rsa algorithm (-t), optional your email address as a comment (-C).

$ ssh-keygen -t rsa -b 4096 -C "[email protected]"

By default private is stored in id_rsa file, to avoid overwriting you may store in a different file. If we implicitly specify a file name then both keys will be stored in the current folder.

Enter file in which to save the key (/home/tom/.ssh/id_rsa):

Enter passphrase is empty by default. If you have any script or utilities that need passwordless connection to remote machine then leave passpshare as empty.

Enter passphrase (empty for no passphrase):

Following messages indicated where and which files the private and public key stored.

Your identification has been saved in /home/tom/.ssh/id_rsa
Your public key has been saved in /home/tom/.ssh/id_rsa.pub

This shows the fingerprint and randomart image which is unique to this key and may be shared with others to verify public key.

The key fingerprint is:
SHA256:EihoyQO0PmdBKjesoIKZ5X3JdzN0It18a7FxGi4ovWQ [email protected]
The key's randomart image is:
+---[RSA 4096]----+
|o. .             |
|oo=  .   . o     |
|+B*.. . . + + = .|
|BB.+.. o + + o O |
|Bo.o. = S E . *  |
|. +  . o = + o   |
|          .      |
|                 |
|                 |
+----[SHA256]-----+

When you run the ssh-keygen command it keeps the keys pair by default in ~/.ssh directory, which will be created if it doesn't exist:

You can list key pair files using the following ls command:

[tom@centos02 ~]$ ls -l /home/tom/.ssh/
total 8
-rw-------. 1 tom tom 3381 May 28 13:00 id_rsa
-rw-r--r--. 1 tom tom 742 May 28 13:00 id_rsa.pub

The following command display fingerprint and randomart image after key pair is created:

$ ssh-keygen -lv

To display the content of the public key file run the following command.

$ cat .ssh/id_rsa.pub

In the next section, we discuss how to copy the content of the 'pub' file to the remote host.

2) Copy the Public Key to remote machine

Now you need to copy the content of your public key to ~/.ssh/authorized_keys file on remote machine.

Create .ssh directory and authorized_keys file in the user home directory ( if root then /home/root), if it doesn't exist.

To do so you can do manually or by using ssh-copy-id command.

By manual copy

The following command creates .ssh directory in user' home folder (tom) on the remote machine:

$ sudo ssh [email protected] mkdir -p .ssh

Now paste or transfer the content of public key (client machine) to the remote server:

$ sudo cat .ssh/id_rsa.pub | ssh [email protected] 'cat >> .ssh/authorized_keys'

By using ssh-copy-id

If you don't want to copy it manually, we can use ssh-copy-id command which will do the same as follows:

$ sudo ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]

You view the content of authorized_keys files to make sure key is copied.

$ cat .ssh/authorized_keys

3) Verify the passwordless ssh

Now we have copied public key to the server, we should be good to login without any password.

We can verify by running the following ssh command using the user (tom):

[tom@centos02 ~]$ ssh [email protected] 
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-26-generic x86_64)
Last login: Fri May 29 03:14:32 2020 from 104.237.141.158
$ hostname
ubuntu01
$

You can see from the above output that it didn't prompt for any password.

Disable password authentication

If all user accounts on the server are authenticated using public keys (including root), you can disable authentication by a password.

To enable authentication by public key and disable authentication by password, you edit /etc/ssh/sshd_config file.

Modify the below lines on sshd_config:

$ vi /etc/ssh/sshd_config
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM no
ChallengeResponseAuthentication no

After making the changes restart sshd service:

$ sudo systemctl reload sshd

Once users are authenticated using keys, you may consider disabling the 'root' login for ssh (set PermitRootLogin no).

Keys with passphrase

In situations where private keys need more security, it's recommended to set a passphrase. When keys had passphrase, each time shh connection requested it prompt for the passphrase. It will be almost like a password login.

OpenSSH has a utility called ssh-add which can add ssh private keys into ssh authentication, therefore user can login without a password.

Lets first set a passphrase for our existing key using -p option

[tom@centos02 ~]$ ssh-keygen -p
Enter file in which the key is (/home/tom/.ssh/id_rsa):
Key has comment '[email protected]'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.

Now if we try login again then it will prompt for passphrase:

[tom@centos02 ~]$ ssh [email protected]
Enter passphrase for key '/home/tom/.ssh/id_rsa':

Run the following command cache the unlocked private key:

$ ssh-agent $SHELL

$ ssh-add -L
The agent has no identities.

$ ssh-add 
Enter passphrase for /home/tom/.ssh/id_rsa:
Identity added: /home/tom/.ssh/id_rsa ([email protected])

Now try to login again, see that you are not prompted for the passphrase.

Set Permission

Just make sure .ssh directory and authorized_keys files on the remote server have appropriate permissions. To protect the public key set permissions for the access of the key as follows:

$ sudo chmod 700 .ssh

$ sudo chmod 600 .ssh/authorized_keys

Conclusion

In this tutorial, we have explained how to set up passwordless login between two Linux systems. In case you want to revoke access, then remove the line for the public key from the authorized_keys file.

It's best practice to enable SSH public key authentication rather than using passwords over the networks. However, it's equally important to renew your SSH keys on frequent time interval for more safety.

Note that the DSA and RSA 1024 bit keys are deprecated. It's advised to upgrade keys to use the latest ed25519 or ecdsa algorithms which have high-security signatures.