SSH login without password
We use SSH or Secure Shell to make connection between computers to execute commands. Username and password authentication is normally used to establish connection. With a good strong password, it’s secure enough to use SSH since everything is encrypted through SSH. In this article I’m going to show you how to SSH login without password or SSH Passwordless Login Using SSH Keygen by using private/public key-based authentication system. Key-based authentication is more convenient and secure than tradition password authentication since pair of ssh private/public key is encrypted with asymmetric cryptography.
Secure Shell keys are made of two keys: a private key, that must be kept secret, and a public key which can be uploaded to any computer you need to access a ssh server. Note: Keys can be used with a password (passphrase to be correct) or without one.
Generate Keys
SSH supports both RSA and DSA, there are differences between DSA and RSA, but for our purpose to encrypt and decrypt data for SSH (Secure Shell), it’s up to use what to choose. By default if you don’t defined which algorithm, ssh-keygen will create RSA. Your ssh private/public keys will be generated and saved to your home ~/.ssh directory.
Creating RSA Secure Shell Keys
RSA (Rivest-ShamirAdleman) algorithm is a cryptosystem, owned by RSA Security which similar to DSA is widely used to transmit date securely over networks or the Internet. The greatest benefit of using RSA is RSA uses asymmetric keys. Meaning that if you send an encrypted message, everyone can encrypt data for you to read by using public key, but only you have a private key (only you have it) which is required to decrypt the data.
1
|
$ ssh-keygen -t rsa
|
By default, ssh-keygen or ssh-keygen -t rsa will create a 2048 bit RSA key pair. For maximum security (over kill for our purpose), if you want you can increase the key to 4096 bit for RSA.
1
|
$ ssh-keygen -t rsa -b 4096
|
Just hit enter and don’t change the ssh keys location, if you don’t want ssh with password or passpharse, leave it empty. Output for ssh-keygen -t rsa:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
06:d6:75:38:d0:34:59:a8:33:10:06:ef:dd:9f:69:b8 user@localhost
The key's randomart image is:
+--[ RSA 2048]----+
| ..o..++=o |
| o.. .*o |
| +... . |
| o o+. |
| . So. |
| . o o |
| . = |
| o |
| E |
+-----------------+
|
Creating DSA Secure Shell Keys
Similar to RSA, DSA is another algorithm which is developed by NSA or US. National Security Agency. DSA must meet US. government’s standard for digital signatures which is safe for SSH usage. DSA or Digital Signature Algorithm is based on discrete logarithm, which is a one way math problem. Means it’s easy to create one way math equation, but you can’t solve that equation another way around.
1
|
$ ssh-keygen -t dsa
|
Just hit enter and don’t change the ssh keys location, if you don’t want ssh with password or passpharse, leave it empty. Output for ssh-keygen -t dsa:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
ec:b9:b2:ca:80:62:a2:8c:9c:b3:34:c9:d5:2a:76:30 user@localhost
The key's randomart image is:
+--[ DSA 1024]----+
| |
| |
| |
| . . |
| E . . S |
|..= . . . |
|+O.o o |
|@.=o . . |
|o=o o..o. |
+-----------------+
|
Key files permissions
Typical directories and files permission in Linux
Normal directories permission: 755 or (rwx r-x r-x)
- Owner has Read, Write and Execute
- Group has Read and Execute only
- Other has Read and Execute only
Normal files permission: 644 or (rw- r– r–)
- Owner has Read and Write
- Group has Read only
- Other has Read only
SSH private and public keys need stricter directories and files permission. Generally ssh private keys will be stored in user’s .ssh directory or ~/.ssh/. You will want 700 for ~/.ssh/ directory and 600 for private key, and 644 public key. You don’t need change public key permission since it has default linux file permission.
~/.ssh/ directory permission: 700 or (rwx — —)
- Owner has Read, Write and Execute
- Group has no rights
- Other has no rights
Private key files permission: 600 or (rw- — —)
- Owner has Read and Write
- Group has no rights
- Other has no rights
To change ~/.ssh/ directory and private keys permission
1
2
|
$ chmod 700 ~/.ssh/
$ chmod g-w ~/
|
For DSA private key
1
|
$ chmod 600 ~/.ssh/id_dsa
|
For RSA private key
1
|
$ chmod 600 ~/.ssh/id_rsa
|
You might get error like this if you have not set your ~/.ssh/ directory and private/public key correctly.
1
|
Authentication refused: bad ownership or modes for directory /home/user
|
or
1
2
3
4
5
6
7
|
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/home/user/.ssh/id_dsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /home/user/.ssh/id_dsa
|
For authorized_keys on remote host
1
|
$ chmod 600 ~/.ssh/authorized_keys
|
You might get error like this if you have not set your authorized_keys files correctly.
1
|
ssh Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
|
Copy public key to the SSH server
Now you should have your SSH public and private keys. You will need to copy your public key to the remote ssh server which you want to login without a password :) There are two ways to do it, the hard way (manual copy) or the easy way by using ssh-copy-id command. I will show you how both ways in this article.
Manual way or Geek way
Depends on what key type you generated DSA or RSA, the ssh public key should look like id_dsa.pub or id_rsa.pub. Basically you need to copy the content of the public key on your local machine to the remote ssh server.
Copy the public key content in your local machine
Change directory to /.ssh/ directory
1
|
$ cd ~/.ssh/
|
View DSA public key
1
|
$ cat id_dsa.pub
|
View RSA public key
1
|
$ cat id_rsa.pub
|
Sample ssh RSA public key
1
|
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMmxymfUF8WCvJf87eQo3TFUxX9lqNrErrPdcZauK8+IJ3vAZxQ6UwlzifHUoFN8d0s0x32ILuuI94PTc+5PyrImDalRtBYpFDbFxggxcAxfy2Bd36jFpSon2YWOLBkT9Keb/8ggSJRPffgCUUqCJCB9P6nUDXMbDBVZ0yIX3oJKqRsLKCglR4LL//h8lY4jmOduMjHoi5x8KDSL6m6Uz7IzSKPdGiIZLbe5T4gxbxtq8GfcjYz6Gj/98yIln5GPMSB9jEZy2RNoip9grd/RYKu/dMTZTJPNTiHqUnRolOvS7d5QK7SA9H0a+a0bv0igBnpguyR1Ks7cSL04E7AfQn user@localhost
|
You should be able to view the ssh public key, copy full content of the file to a text editor for temporary.
Next, login to the remote ssh server with your username and password, yes the old way :)
1
|
$ ssh -p 22 user@remotesshhost
|
You wil need to create authorized_keys in ~/.ssh/ directory on the remote ssh server. In the remote ssh server
1
2
|
$ cd ~/.ssh/
$ nano authorized_keys
|
Copy and save the content of the ssh public key from your local machine which I told you to copy it to text editor to authorized_keys file on remote ssh remote server.
Ease way or lazy way
I’m going to reveal the secret Linux Command which help you to copies localhost ssh public key and install to the remote machine’s authorized_keys file. Please don’t tell this secret to anyone or the world will be doomed. In your local machine, type in:
1
|
$ ssh-copy-id -i user@remote-host
|
You will be asked to type your password of the user at the remote-host once to copy/import id_rsa.pub file from your localhost to remote-host. It’s fast and easy, isn’t it?
There is also another secret Linux Command to perform same function as ssh-copy-id if you want to know
For RSA ssh public key
1
|
cat ~/.ssh/id_rsa.pub | ssh user@remote-host 'cat >> .ssh/authorized_keys'
|
For DSA ssh public key
1
|
cat ~/.ssh/id_dsa.pub | ssh user@remote-host 'cat >> .ssh/authorized_keys'
|
Configure SSH server to accept key authentication
We have everything almost ready to go, the last but not least is to configure ssh server to accept private/public key authentication.
Open sshd_config file
1
2
3
|
$ sudo -
<h1>nano /etc/ssh/sshd_config</h1>
|
Search for
1
2
3
|
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
|
Make sure that two lines are not commented( hash # sign in-front of the line), if you see # or hash sign in-front of that two line, remove the # or hash sign, and yes answer after RSAAuthentication and PubkeyAuthentication. Save and restart your ssh server.
1
|
# service sshd restart
|
or
1
|
# /etc/init.d/ssh restart
|
Login to SSH server without password
Everything is set to go, you should be able to login to your remote ssh server without password (if you didn’t set passphrase when you generate ssh keys).
1
2
|
$ ssh user@remotesshhost
$ ssh -i ~/.ssh/id_rsa user@remotesshhost
|
or if you copied/saved your private key to different location, you can use
1
2
|
$ ssh -i /home/user/whateverdirectory/id_rsa user@remotesshhost
$ ssh -i /home/user/whateverdirectory/id_dsa user@remotesshhost
|
Changing your passphrase
If you have decided to use passphrase for extra layer of security for ssh private key, in case if you want to change your passphrase later on, you can use -p option with ssh-keygen to change passphrase of private key file.
1
|
$ ssh-keygen -p
|
Don’t forget to use -p at the end of ssh-keygen, if you don’t use -p option, ssh-keygen command will generate a new pair of public/private ssh key again over your old keys (you will be asked before anything was overwritten), and your old public/private key will be useless.
By changing your passphrase of your private key does not affect your public key, means you don’t need to do anything with our old public key, but you will get a new private key with new private passphrase.
Convert ssh key to putty ppk private key
By any chance if you need to use putty on a windows machine to login your remote ssh server, you have to convert your private ssh key generated in linux to putty private key ppk format. On your windows machine, download PuTTY Key Generator, it’s called PuTTYgen: puttygen.exe
After downloading PuTTY Key Generator, run puttygen.exe file. To convert linux private ssh key to putty ppk private key, go to Conversions, it’s on the top bar. Then choose Import key, locate your linux ssh private key. You will something like the picture below.
In Parameters section, depends on what type of your private key, dsa or rsa, choose SSH-2 RSA or SSH-2 DSA accordingly. After PuTTY Key Generator imported/loaded your linux ssh private key, choose Save private key
(I used passphrase for my keys, if you didn’t use passphrase, you should not see *****)
SSH login without password using PuTTY
Putty is a free telnet/ssh client, you can use PuTTY to login with password or with private/public ssh key. After you you converted your id_rsa or id_dsa private key to putty ppk format, you can use that .ppk file to login to your remote ssh server without typing password.
First, start your putty.exe, you can se Host name (or IP adress) and Port text box. Type in your SSH server host name or address, and your ssh server port.
Next, on the left hand size, you should see Category, under Connection, go to SSH, then Auth. Click on Browse to locate your putty ppk private key. After that click on open to start your ssh session. You will be asked for your ssh username, if you have your public/private ssh key set up correctly, you won’t be asked for password.
Create a public SSH key from private key
In case you lose your public key in the remote ssh server for any reason, you can recreate public key from your old private key by using -y option with ssh-keygen command
1
2
|
-y This option will read a private OpenSSH format file and print an
OpenSSH public key to stdout.
|
For private RSA key
1
|
$ ssh-keygen -f ~/.ssh/id_rsa -y > ~/.ssh/id_rsa.pub
|
For private DSA key
1
$ ssh-keygen -f ~/.ssh/id_dsa -y > ~/.ssh/id_dsa.pub
1
|
$ ssh-keygen -f ~/.ssh/id_dsa -y > ~/.ssh/id_dsa.pub
|
Note:
- If you see
1
2
|
Agent admitted failure to sign using the key.
Permission denied (publickey).
|
It means ssh-agent does not recognize the newly generated ssh key yet. Logout and login your current ssh session, or use this command
1
|
$ ssh-add
|
- To add another layer of protection with your public/private key, use passphrase. You still need your private key to login but with a passphrase (password).
- you can copy your private key (id_dsa or id_rsa) to your usb flash drive, and use your private key to login to your remote ssh server anywhere you go.
- You can also generate public / private ssh key by using PuTTY Key Generator, I will show you how in another article.
- I found some great videos about DSA and RSA algorithm if you really want to understand more about them.
- If you have configured everything but still being asked for password, the remote server might have SELinux (Security-Enhanced Linux) enabled. You can check if SELinux is enabled or not by using1# getenforceor1# sestatusIf SELinux is enabled or enforcing, you can disable it by using this command1# setenforce 0
- If you use putty and get the error:1server refused our keyMake sure you set the right permissions for authorized_keys file and .ssh directory
1
2
|
# chmod 700 ~/.ssh
# chmod 600 ~/.ssh/authorized_keys
|
No comments:
Post a Comment