How to SSH Login without Password using Public Keys

BoostThis, Administrator

What is SSH?

SSH is a secure protocol originally designed for secure data communication between hosts, remote command-line login and command execution. It’s the best way to securely connect to your Linux servers. The OpenSSH server uses two authentication methods: password authentication, the default method, and public key authentication, which is an alternative and the most secure way to connect to a Unix/Linux server.


What are public keys?

SSH keys allow password-less authentication between two different hosts. For this, SSH authentication uses a pair of keys: one private key and one public key.

Requirements

OpenSSH client and server must be installed on both sides (machine A, the client, is the one that connects to machine B, the server). If you don’t have the openssh software installed, you can install it this way:

Fedora/CentOS/RHEL:

yum install openssh-clients
yum install openssh-server

Ubuntu/Debian:

sudo apt-get install openssh-client
sudo apt-get install openssh-server

I will assume the client, machine A, has IP 11.11.11.12 and the openssh server, machine B, has IP 11.11.11.13 assigned.


How can I setup public key authentication?

You must generate the ssh keys, let’s begin with the openssh client using the ssh-keygen command:

ssh-keygen


You will be prompted to enter a passphrase for your private key. It is recommended to use one; however, in this example we skip that step, so hit ENTER and don’t set a passphrase yet. The output should look like this:

[testuser@boost ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/testuser/.ssh/id_rsa):
Created directory '/home/testuser/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/testuser/.ssh/id_rsa.
Your public key has been saved in /home/testuser/.ssh/id_rsa.pub.


This will generate two main files:


$HOME/.ssh/id_rsa - that contains your machine (client) private key.

$HOME/.ssh/id_rsa.pub - this file contains your public key.


As you saw, in this example we used the default RSA key type instead of DSA. If you want to generate a DSA key instead, you can specify it with the ‘-t dsa’ option:


ssh-keygen -t dsa


You can read these links to decide which one is best for your needs:


http://superuser.com/questions/13164/what-is-better-for-gpg-keys-rsa-or-dsa

http://security.stackexchange.com/questions/5096/rsa-vs-dsa-for-ssh-authentication-keys



Copy the key to the remote OpenSSH server

On the openssh server machine, create the .ssh directory and set proper permissions:


mkdir -p $HOME/.ssh && chmod 0700 $HOME/.ssh


Then use rsync or scp to transfer the file into the remote location:

On the openssh client, run:


scp -P 22 $HOME/.ssh/id_rsa.pub user@11.11.11.13:/home/user/.ssh/authorized_keys


Important: 22 is the default port, but you can replace it with a custom ssh port if you have set one on the remote openssh server. “user” is the remote openssh server user, “11.11.11.13” is the remote openssh server, and “/home/user/.ssh/” is the remote .ssh directory you created before. Replace these values with your real user name, IP and path.


Another way to copy your public key is the following:

On the openssh client, run the cat command:


cat $HOME/.ssh/id_rsa.pub


Copy the text you see, from the first character to the last character. Now move to the remote openssh server and create a new file:


nano -w $HOME/.ssh/authorized_keys 


Paste the content you previously copied from the id_rsa.pub file, then press CTRL + X and then Y.

Note: this alternative will only work if you copy and paste the exact characters, from the beginning of the first line to the last character. If you copy extra spaces or add other characters, it may not work.

That’s all, now you should be able to login via ssh without passwords.
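The note above about extra spaces and stray characters can be checked mechanically before the key is installed. The script below is an added example, not part of the original article: its function names and the constructed sample key are assumptions, and it appends the key to authorized_keys with the permissions used earlier rather than replacing the file.

```shell
#!/bin/sh
# Added example: reject a copy/paste-damaged key line, append a good one.

# Constructed sample: all-zero 32-byte ed25519 value, not a real key.
sample_key() {
    { printf '\000\000\000\013ssh-ed25519\000\000\000\040'; head -c 32 /dev/zero; } |
        base64 | tr -d '\n' | sed 's/^/ssh-ed25519 /; s/$/ testuser@boost/'
}

# True only for one line "type base64 [comment]" whose decoded blob is a run of
# length-prefixed fields beginning with the same type name.
valid_pubkey_line() {
    [ "$(printf '%s\n' "$1" | wc -l)" -eq 1 ] || return 1
    ktype=$(printf '%s\n' "$1" | awk '{print $1}')
    blob=$(printf '%s\n' "$1" | awk '{print $2}')
    case $ktype in                        # number of fields inside the blob
        ssh-ed25519)          need=2 ;;
        ssh-rsa|ecdsa-sha2-*) need=3 ;;
        ssh-dss)              need=5 ;;
        *) return 1 ;;
    esac
    printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -v -tu1 |
    awk -v want="$ktype" -v need="$need" '
        { for (i = 1; i <= NF; i++) b[n++] = $i + 0 }
        END {
            pos = 0; fields = 0; t = ""
            while (pos + 4 <= n) {
                len = b[pos]*16777216 + b[pos+1]*65536 + b[pos+2]*256 + b[pos+3]
                pos += 4
                if (pos + len > n) exit 1      # truncated or corrupted blob
                if (fields == 0) {
                    for (j = 0; j < len; j++) t = t sprintf("%c", b[pos+j])
                    if (t != want) exit 1      # label and blob disagree
                }
                pos += len; fields++
            }
            exit !(pos == n && fields == need)
        }'
}

# usage: install_pubkey <pubkey-file> <ssh-dir>   (0 = present afterwards)
install_pubkey() {
    key=$(cat "$1") || return 2
    valid_pubkey_line "$key" || return 1
    mkdir -p "$2" && chmod 0700 "$2" || return 2
    touch "$2/authorized_keys" && chmod 0600 "$2/authorized_keys" || return 2
    grep -qxF -- "$key" "$2/authorized_keys" ||
        printf '%s\n' "$key" >> "$2/authorized_keys"
}
```

On the server this would be run as install_pubkey id_rsa.pub $HOME/.ssh; running it twice with the same key leaves a single entry.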

Testing SSH without passwords


Simply log in to the server using ssh:

ssh user@11.11.11.13


Replace user and 11.11.11.13 with the real user and remote IP. That should result in a password-less SSH login, for example:

[testuser@boost ~]$ ssh user@11.11.11.13

Last login: Fri Jan 9 15:29:59 2015 from 200.XX.XX.XX

ALERT! You are entering a secured area!

Your IP and login information have been recorded. System administration has been notified.

This system is restricted to authorized access only. All activities on this system are recorded and logged. Unauthorized access will be fully investigated and reported to the appropriate law enforcement agencies.


[user@remote.server.com ~]$ 

Now you should be able to transfer files without passwords too, for example using scp and rsync:


[testuser@boost ~]$ scp -P 22 $HOME/file.txt remoteuser@11.11.11.13:/home/remoteuser/
file.txt 100% 387 0.4KB/s 00:00

[testuser@boost ~]$

[testuser@boost ~]$ rsync -avpr -e 'ssh -p 22' $HOME/file.txt remoteuser@11.11.11.13:/home/remoteuser/
sending incremental file list
file2.txt

sent 495 bytes received 34 bytes 96.18 bytes/sec
total size is 387 speedup is 0.73

[testuser@boost ~]$