No Passwords: SSH Authentication Using Authentication Keys


by AndrzejL

It would drive me bananas if I had to remember a password for each and every one of my shell accounts… Leaving an account with no password, however, is unacceptable from a security point of view. The solution? Use authentication keys – public and private.

How to get them? It's very easy.

Open a terminal on your local machine.

Use command:

ssh-keygen -t rsa

When asked for:

Enter file in which to save the key (/home/mylogin/.ssh/id_rsa):

Press [ENTER].

Enter passphrase (empty for no passphrase)

Press [ENTER].

Enter same passphrase again:

Press [ENTER].

[mylogin@myhostname ~]$ ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/home/mylogin/.ssh/id_rsa):

Created directory '/home/mylogin/.ssh'.

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /home/mylogin/.ssh/id_rsa.

Your public key has been saved in /home/mylogin/.ssh/id_rsa.pub.

The key fingerprint is:

xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:7b mylogin@myhostname.local

The key's randomart image is:

+--[ RSA 2048]----+

RANDOM ART

BLAH

BLAH

+-----------------+

[mylogin@myhostname ~]$

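So, what have you done so far? You have generated a pair of authentication keys. Private, which is for your eyes only, and public, which can be shown to anyone. Because the passphrase was left empty, the private key file is stored unencrypted: anyone who can read it can log in as you.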

The keys are placed in those two files:

Your identification has been saved in /home/mylogin/.ssh/id_rsa. <<< PRIVATE KEY

Your public key has been saved in /home/mylogin/.ssh/id_rsa.pub. <<< PUBLIC KEY

Run this command:

cat /home/mylogin/.ssh/id_rsa.pub

Let's say it spits out this:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwMplVCQ+Y33n4kTVAy0nQReGD1GXmM28/D4STzNwdEthSY9UGIBduS1dGIVLWZYnphZglNFHE0Z0eIqgo0o0GDdtxqqsV20Zq/KV2nN+E8axlin4mRNuc/HgczxXkOtqkS9/yENOq8XN7XPD57kC+v+017GGNh139WiHbw+Myn9/mamjhmjywcnReiIbrYZnlgWJjpCXJCEoQZczypUyzB6x7aUMlenGdZwtfXCEPP709VSP9lUzanosY6bq1XoF6ravL2fulAvuNQVyxL7nfqJsio0JCI400WEJYm1et8Eg2vVEtIgIEKS7DZou/DR++/QgXpQas6yxaaHQ6Q0wt mylogin@myhostname.local

Now copy this ^^^ ENTIRE line.

Now that you have generated the authentication keys and copied the public one, you have to place the public key in a file on the remote machine. Not just any file. It's a specific file in a specific folder, both with specific permissions.

Open a new terminal and SSH to remotemachine.net:

ssh -l mylogin remotemachine.net

Create the .ssh directory in your home folder:

mkdir ~/.ssh

Give it correct permissions:

chmod 700 ~/.ssh

Create file authorized_keys in the newly created directory

touch ~/.ssh/authorized_keys

Give it correct permissions:

chmod 600 ~/.ssh/authorized_keys

Add the content previously copied from the output of cat /home/mylogin/.ssh/id_rsa.pub to the file with echo. Use >> (append) rather than > so that any keys already in the file are kept:

echo "PASTE" >> ~/.ssh/authorized_keys

Example:

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwMplVCQ+Y33n4kTVAy0nQReGD1GXmM28/D4STzNwdEthSY9UGIBduS1dGIVLWZYnphZglNFHE0Z0eIqgo0o0GDdtxqqsV20Zq/KV2nN+E8axlin4mRNuc/HgczxXkOtqkS9/yENOq8XN7XPD57kC+v+017GGNh139WiHbw+Myn9/mamjhmjywcnReiIbrYZnlgWJjpCXJCEoQZczypUyzB6x7aUMlenGdZwtfXCEPP709VSP9lUzanosY6bq1XoF6ravL2fulAvuNQVyxL7nfqJsio0JCI400WEJYm1et8Eg2vVEtIgIEKS7DZou/DR++/QgXpQas6yxaaHQ6Q0wt mylogin@myhostname.local" >> ~/.ssh/authorized_keys

Log out of the remote machine:

exit

Log back in.

ssh -l mylogin remotemachine.net

The remote SSH server shouldn't ask for a password. If it does – you messed up and you are reading it all tagged as FAIL!

You can use one private key to connect to multiple servers. Just copy the public key to all of them as I explained above. Permissions are crucial: 700 for the .ssh folder and 600 for the authorized_keys file. 99% of errors are due to wrong permissions on the folder / file or to a wrong file name.
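The remote-side steps above, collected into a script that can be re-run safely and that checks the permissions afterwards. This is an added example, not part of the original post: the function names install_pubkey, check_ssh_perms and mode_of are hypothetical, and the key line in the demo is constructed, not a real key.

```shell
#!/bin/sh
# Added example: idempotent public-key install plus the 700/600 check.
mode_of() {   # octal mode of a path: GNU stat first, BSD stat as fallback
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_pubkey PUBKEY_FILE [HOME_DIR]
# Appends the key to HOME_DIR/.ssh/authorized_keys exactly once.
install_pubkey() {
    pub=$1; home=${2:-$HOME}
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$pub"; then   # never upload id_rsa itself
        echo "$pub is a private key, refusing" >&2
        return 2
    fi
    key=$(head -n 1 "$pub")
    case $key in
        ssh-*\ *|ecdsa-*\ *|sk-*\ *) ;;     # "<type> <base64> [comment]"
        *) echo "$pub is not an OpenSSH public key line" >&2; return 3 ;;
    esac
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 4
    auth=$home/.ssh/authorized_keys
    touch "$auth" && chmod 600 "$auth" || return 4
    # -x whole line, -F fixed string: append only if the key is not there yet
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# check_ssh_perms [HOME_DIR]: report the usual causes of a password prompt.
check_ssh_perms() {
    home=${1:-$HOME}; rc=0
    [ -d "$home/.ssh" ] || { echo "missing $home/.ssh"; return 1; }
    [ "$(mode_of "$home/.ssh")" = 700 ] || { echo ".ssh is not 700"; rc=1; }
    auth=$home/.ssh/authorized_keys
    [ -f "$auth" ] || { echo "missing authorized_keys (check the name)"; return 1; }
    [ "$(mode_of "$auth")" = 600 ] || { echo "authorized_keys is not 600"; rc=1; }
    return $rc
}

# Demo in a throwaway directory with a constructed (not real) key line.
demo=$(mktemp -d)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTEDEXAMPLEONLY mylogin@myhostname.local' > "$demo/id.pub"
install_pubkey "$demo/id.pub" "$demo" && check_ssh_perms "$demo" && echo "OK"
rm -rf "$demo"
```

On the remote machine, run install_pubkey with the path to the copied id_rsa.pub, then check_ssh_perms; both default to your own home directory.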