How to SSH to Linux System without Requiring a Password

SSH Basics

In order make more secure connection to a server or any other device, we do not want to use password authentication.  That is the main motivation behind SSH public key authentication.  SSH keys provide a fully encrypted way to access your device.

A SSH key pair includes two types of keys:

A public key is copied to the SSH server(s). Anyone with a copy of the public key can encrypt data which can then only be read by the person who holds the corresponding private key. Once an SSH server receives a public key from a user, it copies the file to the its authorized_keys file.

A private key that remains (only) with the user. The possession of this key is proof of the user’s identity. Only a user in possession of a private key that corresponds to the public key at the server will be able to authenticate successfully. The private keys need to be stored and handled carefully, and no copies of the private key should be distributed.

Step 1 – Create a RSA Public and Private Key Pair

Let’s assume for now that we have two devices, test-client and test-server.  The keys are generated on the client side and then copied to the server.

test@test-client~$ cd .ssh

test@test-client:~/.ssh$ ssh-keygen

The default mode of ssh-keygen command is RSA.

If would you would like to change the key type to DSA, EDSA or another you can use the -t flag.

-t dsa | ecdsa | ed25519 | rsa | rsa1
      Specifies the type of key to create. The possible values are “rsa1” for protocol version 1 and
      “dsa”, “ecdsa”, “ed25519”, or “rsa” for protocol version 2.

 

The following is an example:

test@test-client~$ cd .ssh
test@test-client:~/.ssh$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/test/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/test/.ssh/id_rsa.
Your public key has been saved in /home/test/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:0tepVVkXA0IAitcp34SPBO1IJqWMPdqo5ogAPnrY6HQ test@test-client
The key's randomart image is:
+---[RSA 2048]----+
|    .o....oo ..o+|
|  +.oo+.o   .  oo|
| . *++o= .    o  |
|  + o.+o=  . o   |
|.o .  .oSo. +    |
|+      . . o     |
|oO E      .      |
|@ =              |
|=+               |
+----[SHA256]-----+

 

Now let’s verify that keys are generated.

test@test-client:~/.ssh$ ls
id_rsa  id_rsa.pub  known_hosts

Step 2:  Copy the Public Key to the Server

Use the ssh-copy-id command to copy the key to the server side using a password.  This is only and last time you should require a password to login to the server.    However if the file known_hosts is somehow removed from the server, you won’t be able to SSH to the server until you go through this process again.  For safety, create a backup copy of the server known_hosts file.

test@test-client:~/.ssh$ ssh-copy-id 192.168.1.100
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
test@192.168.1.100's password:


Number of key(s) added: 1


Now try logging into the machine, with:   "ssh '192.168.1.100'"
and check to make sure that only the key(s) you wanted were added.

 

Step 3:  Use SSH to Connect the Server

Finally ssh to the server to ensure that the process of adding the public key to the server is completed and everything is working as expected.

test@test-client:~/.ssh$ ssh test@192.168.1.100
Welcome to Ubuntu 16.04.2 LTS


* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage
test@test-server:~$

Once you have verified that you are able to SSH to the server without a password, you are done   The client can SSH to server securely.

Extra Step

It is recommended that SSH password authentication is completely disabled so that no other system can access the server.

Ensure that PermitRootLogin is properly set to prohibit-password.

Edit the file /etc/ssh/sshd_config

sudo vi /etc/ssh/sshd_config

Verity that the following is set to:

PermitRootLogin prohibit-password

 

 

 

2,289 total views, 4 views today

Leave a Reply

Your email address will not be published. Required fields are marked *

*
*
Website