In this article, I will take you through 6 simple steps to set up passwordless ssh login using ssh keygen. SSH is a network protocol that allows one computer to connect to another computer over an insecure network such as the Internet. Without encryption, data travels over the Internet in plain text, which makes it easier for somebody to intercept important information like a user name and password and then use it. SSH provides a mechanism in which all the data is encrypted through a tunnel, so you can connect to a remote machine securely, transfer data securely and even run commands on the remote machine safely.
What is SSH
SSH, also known as Secure Shell or Secure Socket Shell, is a protocol mainly used to connect to a remote server securely. By default, an ssh connection always happens on port 22. You have the option to change this port in the sshd_config configuration file, but it is usually not recommended.
Types of SSH Authentication
- Password Based Authentication
- Key Based Authentication
How SSH Keygen Authentication Works?
SSH primarily works on a client-server model. In this model, you have a public/private key pair, which can be generated with tools like ssh keygen on Linux. Your public key is stored on the server. The client, which is usually a computer, contacts the ssh server and provides the ID of the key pair it wants to use to prove its identity. The ssh server then creates a challenge, encrypts it with the public key and sends it to the client. You, as the client, decrypt the challenge with the private key and send the original challenge back to the ssh server. Once the negotiation is complete, the connection between client and server is established.
What is SSH without password login?
SSH without password login means that whenever you log in to a remote server using secure shell (ssh), you are not asked for an ssh password. This is mostly required when you want to perform some task on multiple servers by connecting to them through ssh.
What is SSH Keygen
As per the ssh-keygen man page, ssh-keygen generates, manages and converts authentication keys for ssh(1). ssh-keygen can create keys for use by SSH protocol versions 1 and 2. Protocol 1 should not be used and is only offered to support legacy devices. It suffers from a number of cryptographic weaknesses and doesn't support many of the advanced features available for protocol 2.
What is SSH keygen RSA login algorithm?
It means the ssh keygen tool uses the RSA algorithm to generate a public/private RSA login key pair. As per the RSA documentation, the Rivest-Shamir-Adleman public-key algorithm (RSA) is the most widely used asymmetric cipher. It derives its security from the difficulty of factoring large integers that are the product of two large primes of roughly equal size. Factoring is widely believed to be intractable (i.e., infeasible, admitting no efficient, polynomial-time solution), although this isn't proven. RSA can be used for both encryption and signatures.
What is SSH key login?
This is another method of authentication, in which you are not required to give any password. It is based on private key authentication, where your public key has already been added to the server.
Passwordless SSH Login using SSH keygen
Step 1: Prerequisites
Ubuntu 18.04: 192.168.0.105
CentOS 7: 192.168.0.106
Step 2: Create Authentication Keys using SSH keygen RSA
To begin, create a public/private key pair using the RSA algorithm by running the ssh-keygen -t rsa command.
[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:8jmxYUbWNBkEKZzrn/gMoRYjYOWOaoNxfeBwn135edw root@localhost
The key's randomart image is:
+---[RSA 2048]----+
| . . ..+=o |
| o + .o.o |
|....o oo + |
|..o= o.= . . o . |
|..o.=.* S o o E|
|oo . =.* = . |
|oo o .o=. |
|. .. .oo. |
| .o |
+----[SHA256]-----+
If you want to check all the ciphers supported by ssh, run the ssh -Q cipher command.
[root@localhost ~]# ssh -Q cipher
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
If you want to check all the key types supported by ssh, run the ssh -Q key command.
[root@localhost ~]# ssh -Q key
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
Step 3: Create .ssh directory on remote Server
Now you need to create a hidden .ssh directory under the user's home directory on the remote server using the ssh test@192.168.0.105 mkdir -p .ssh command. Notice that here the user's home directory is /home/test, so the .ssh directory will be created under it.
[root@localhost ~]# ssh test@192.168.0.105 mkdir -p .ssh
test@192.168.0.105's password:
You can go to the remote server and verify whether the .ssh directory was created under /home/test.
test@localhost:~$ pwd
/home/test
test@localhost:~$ ls -lrtd .ssh/
drwx------ 2 test test 4096 Jan 12 18:38 .ssh/
Step 4: Copy Public Key to remote Server SSH authorized_keys
Once the .ssh directory is created, you need to copy your public key to a file named authorized_keys under the .ssh directory on the remote server, as shown below.
[root@localhost ~]# cat ~/.ssh/id_rsa.pub | ssh test@192.168.0.105 'cat >> .ssh/authorized_keys'
test@192.168.0.105's password:
Step 5: Set SSH key Permissions on Remote Machine
Once the public key is copied, you need to make sure appropriate permissions are assigned to the .ssh directory and the authorized_keys file.
[root@localhost ~]# ssh test@192.168.0.105 "chmod 700 .ssh; chmod 640 .ssh/authorized_keys"
Step 6: Check passwordless ssh login authentication to Remote Server
Once the permissions are changed, it is time to test ssh authentication without a password. To do that, run the ssh test@192.168.0.105 command. Notice that no password is now required to connect to the remote server. You are logged in directly as the test user on the remote machine.
[root@localhost ~]# ssh test@192.168.0.105
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 5.0.0-37-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Overheard at KubeCon: "microk8s.status just blew my mind".
https://microk8s.io/docs/commands#microk8s.status
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
116 packages can be updated.
1 update is a security update.
Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Sun Jan 12 18:17:00 2020 from 192.168.0.106
test@localhost:~$
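Steps 3 to 5 can be combined into one routine that is safe to re-run: the cat >> in Step 4 appends a duplicate entry every time it is repeated, and nothing stops id_rsa being sent instead of id_rsa.pub. The script below is an added example, not part of the original article; install_pubkey, mode_of and demo are hypothetical names, the key is a constructed placeholder, and a local temporary directory stands in for /home/test on the remote server.

```shell
#!/bin/sh
# Added example (not from the original article): Steps 3-5 as one idempotent
# function. HOME_DIR is a local directory standing in for /home/test.

# mode_of PATH: print octal permission bits (GNU stat, BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_pubkey HOME_DIR PUBKEY_FILE
# Returns 1 if PUBKEY_FILE is not exactly one public-key line.
install_pubkey() {
    ssh_dir="$1/.ssh"
    auth="$ssh_dir/authorized_keys"

    # Never copy a private key (id_rsa instead of id_rsa.pub) to the server.
    if grep -q 'PRIVATE KEY' "$2"; then
        echo "refusing: $2 looks like a private key" >&2
        return 1
    fi
    key_line=$(grep -E '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( .*)?$' "$2" || true)
    [ "$(printf '%s\n' "$key_line" | grep -c .)" -eq 1 ] || return 1

    mkdir -p "$ssh_dir"                                   # Step 3
    touch "$auth"
    # Step 4: append only if this exact line is not already authorized.
    grep -qxF -- "$key_line" "$auth" || printf '%s\n' "$key_line" >> "$auth"
    chmod 700 "$ssh_dir"                                  # Step 5
    chmod 640 "$auth"
}

# demo: run twice against a temp dir with a constructed (fake) public key.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED root@localhost' > "$tmp/id_rsa.pub"
    install_pubkey "$tmp/home" "$tmp/id_rsa.pub" &&
    install_pubkey "$tmp/home" "$tmp/id_rsa.pub" &&
    echo "entries=$(grep -c . "$tmp/home/.ssh/authorized_keys")" \
         "dir=$(mode_of "$tmp/home/.ssh")" \
         "file=$(mode_of "$tmp/home/.ssh/authorized_keys")"
    rm -rf "$tmp"
}
demo
```

On a real server the function body would run on the remote side, for example by piping the script over the same ssh session used in Step 4.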