Usually, we enter a username and password combination to connect to an SSH console. But, there is something more secure than Password logon, we have passwordless SSH login using the encrypted keys. The chances to crack a key are effectively zero, while bad passwords are all too common with a brute-force attempt.
Only the workstations having the correct matching key pair (private and public) will be allowed to logon to the SSH server, without the key paring, access will not be allowed.
In this tutorial, we'll gonna learn how we can setup Passwordless SSH login to Linux systems.
To illustrate passwordless ssh login, I am going connect (ssh) from a client CentOS machine (192.168.168.121) to a remote Ubuntu machine (192.168.215.83) without any password.
Check for existing SSH Keys
You may have some existing keys on your client machine which were created earlier. You can either use the existing key or create a new one. Also, remember you may overwrite your exiting key if you run the ssh-keygen command with the same options.
$ ls -al ~/.ssh/id_*.pub
If it returns
No such file or directory, means no public keys currently available.
1) Generate the Key Pair
To generate ssh keys, you can use
ssh-keygen command which will generate two keys and store them in two different files. These two files are stored in a hidden folder .ssh in the user home directory. You can provide your own names for the file or by default it will be stored in id_dsa (private key) and id_dsa.pub (public key) files.
When you create your keys you will be asked for a passphrase. It is used to protect your key and you will be asked for it when you will want to connect via ssh.
The following ssh-keygen command creates a new ssh key with 4096 key size (-b), rsa algorithm (-t), optional your email address as a comment (-C).
$ ssh-keygen -t rsa -b 4096 -C "firstname.lastname@example.org"
By default private is stored in id_rsa file, to avoid overwriting you may store in a different file. If we implicitly specify a file name then both keys will be stored in the current folder.
Enter file in which to save the key (/home/tom/.ssh/id_rsa):
Enter passphrase is empty by default. If you have any script or utilities that need passwordless connection to remote machine then leave passpshare as empty.
Enter passphrase (empty for no passphrase):
Following messages indicated where and which files the private and public key stored.
Your identification has been saved in /home/tom/.ssh/id_rsa Your public key has been saved in /home/tom/.ssh/id_rsa.pub
This shows the fingerprint and randomart image which is unique to this key and may be shared with others to verify public key.
The key fingerprint is: SHA256:EihoyQO0PmdBKjesoIKZ5X3JdzN0It18a7FxGi4ovWQ email@example.com The key's randomart image is: +---[RSA 4096]----+ |o. . | |oo= . . o | |+B*.. . . + + = .| |BB.+.. o + + o O | |Bo.o. = S E . * | |. + . o = + o | | . | | | | | +----[SHA256]-----+
When you run the ssh-keygen command it keeps the keys pair by default in
~/.ssh directory, which will be created if it doesn't exist:
You can list key pair files using the following ls command:
[tom@centos02 ~]$ ls -l /home/tom/.ssh/ total 8 -rw-------. 1 tom tom 3381 May 28 13:00 id_rsa -rw-r--r--. 1 tom tom 742 May 28 13:00 id_rsa.pub
The following command display fingerprint and randomart image after key pair is created:
$ ssh-keygen -lv
To display the content of the public key file run the following command.
$ cat .ssh/id_rsa.pub
In the next section, we discuss how to copy the content of the 'pub' file to the remote host.
2) Copy the Public Key to remote machine
Now you need to copy the content of your public key to
~/.ssh/authorized_keys file on remote machine.
.ssh directory and
authorized_keys file in the user home directory ( if root then /home/root), if it doesn't exist.
To do so you can do manually or by using
By manual copy
The following command creates
.ssh directory in user' home folder (tom) on the remote machine:
$ sudo ssh firstname.lastname@example.org mkdir -p .ssh
Now paste or transfer the content of public key (client machine) to the remote server:
$ sudo cat .ssh/id_rsa.pub | ssh email@example.com 'cat >> .ssh/authorized_keys'
By using ssh-copy-id
If you don't want to copy it manually, we can use
ssh-copy-id command which will do the same as follows:
$ sudo ssh-copy-id -i ~/.ssh/id_rsa.pub firstname.lastname@example.org
You view the content of authorized_keys files to make sure key is copied.
$ cat .ssh/authorized_keys
3) Verify the passwordless ssh
Now we have copied public key to the server, we should be good to login without any password.
We can verify by running the following ssh command using the user (tom):
[tom@centos02 ~]$ ssh email@example.com Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-26-generic x86_64) Last login: Fri May 29 03:14:32 2020 from 220.127.116.11 $ hostname ubuntu01 $
You can see from the above output that it didn't prompt for any password.
Disable password authentication
If all user accounts on the server are authenticated using public keys (including root), you can disable authentication by a password.
To enable authentication by public key and disable authentication by password, you edit
Modify the below lines on
$ vi /etc/ssh/sshd_config RSAAuthentication yes PubkeyAuthentication yes PasswordAuthentication no UsePAM no ChallengeResponseAuthentication no
After making the changes restart
$ sudo systemctl reload sshd
Once users are authenticated using keys, you may consider disabling the 'root' login for ssh (set PermitRootLogin no).
Keys with passphrase
In situations where private keys need more security, it's recommended to set a passphrase. When keys had passphrase, each time shh connection requested it prompt for the passphrase. It will be almost like a password login.
OpenSSH has a utility called
ssh-add which can add ssh private keys into ssh authentication, therefore user can login without a password.
Lets first set a passphrase for our existing key using
[tom@centos02 ~]$ ssh-keygen -p Enter file in which the key is (/home/tom/.ssh/id_rsa): Key has comment 'firstname.lastname@example.org' Enter new passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved with the new passphrase.
Now if we try login again then it will prompt for passphrase:
[tom@centos02 ~]$ ssh email@example.com Enter passphrase for key '/home/tom/.ssh/id_rsa':
Run the following command cache the unlocked private key:
$ ssh-agent $SHELL
$ ssh-add -L The agent has no identities.
$ ssh-add Enter passphrase for /home/tom/.ssh/id_rsa: Identity added: /home/tom/.ssh/id_rsa (firstname.lastname@example.org)
Now try to login again, see that you are not prompted for the passphrase.
Just make sure .ssh directory and authorized_keys files on the remote server have appropriate permissions. To protect the public key set permissions for the access of the key as follows:
$ sudo chmod 700 .ssh
$ sudo chmod 600 .ssh/authorized_keys
In this tutorial, we have explained how to set up passwordless login between two Linux systems. In case you want to revoke access, then remove the line for the public key from the authorized_keys file.
It's best practice to enable SSH public key authentication rather than using passwords over the networks. However, it's equally important to renew your SSH keys on frequent time interval for more safety.
Note that the DSA and RSA 1024 bit keys are deprecated. It's advised to upgrade keys to use the latest ed25519 or ecdsa algorithms which have high-security signatures.