This brief tutorial shows you how to log on to an SSH server without passwords, using only SSH encryption keys. You may want to do this to enable a more secure form of authentication to your SSH-enabled servers.
Using password authentication with SSH isn’t bad as long as the password is long and complex, well beyond normal password strength. But long and complicated passwords may also encourage you to write them down on a piece of paper or store them somewhere insecure.
That’s why using encryption keys to authenticate SSH connections is a more secure alternative.
Passwords also run the risk of being guessed or cracked. SSH key authentication, on the other hand, makes it virtually impossible for anyone to brute-force their way into your servers. So, if you need a more secure way to sign on to your SSH server, implement password-less authentication and enable SSH key exchange.
This simple tutorial is going to show you how to do it in CentOS.
The first thing is to verify that SSH is installed. If it’s not installed, run the command below to install SSH in CentOS.
yum -y install openssh-server
- Create the client private/public key pair
When you run the command to generate a public/private key pair, it creates a pair of keys on the client computer. One is a private key and the other is its public key.
The private key always stays with the client. The public key is shared or copied to computers the client wishes to trust. The server allows authentication only when the client requesting access proves that it holds the private key that pairs with a public key stored on the server.
If the client cannot prove possession of the private key matching a public key stored on the server, the connection will be rejected. The private key itself is never sent to the server.
So, let’s create the client private/public key pair. To do that, run the command below on the client computer.
ssh-keygen -t rsa
After running the above command, you’ll be prompted to complete a series of tasks. The first asks where to save the keys; press Enter to choose the default location, which is a hidden .ssh folder in your home directory (/root/.ssh/).
The next prompt will be to enter a passphrase. I personally leave this blank (just press Enter) to continue. It will then create the key pair and you’re done.
After generating the keys, you will then need to copy the client’s public key to the SSH server computer or host it wants to create a trust relationship with.
- Copy the client public key to the SSH computer
After generating the key pair, you must copy the client computer’s public key to the SSH server host. The public key should be stored in the ~/.ssh/authorized_keys file on the server.
This file contains the public keys of all clients that have sent or copied their keys to the server. The server uses this file to match the public and private key pair.
To copy the client public key to the server, run the command below. It also creates the ~/.ssh directory on the server if it is missing and sets the restrictive permissions sshd expects.
cat ~/.ssh/id_rsa.pub | ssh root@Server_IP_Address "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
Alternatively, you may run the command below to copy the key from the client to the server, using either the server’s IP address or its hostname.
ssh-copy-id user@server_ip_address
- Edit SSH file configuration to only allow key log on
Finally, edit the SSH configuration file to allow only SSH key login and disable password login. This is also known as password-less logon.
To do that, open the file using the command below.
vi /etc/ssh/sshd_config
Then uncomment and change the lines to match the ones below. Make sure these lines are uncommented, meaning they don’t have a (#) in front of them.
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
Save the file and reload the SSH server by running the command below.
service sshd reload
Now try accessing the SSH server and it shouldn’t prompt you to enter your password.
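One way to confirm that the settings above are really in effect, as an added example that is not part of the original tutorial: a shell function that reads a config file the way sshd resolves its global section (first occurrence wins, unset keywords fall back to the default, lines after a Match line are conditional). The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config for key-only login.
# Assumes the plain "Keyword value" form; Include files are not followed.

# effective_value FILE KEYWORD DEFAULT
# Keywords are case-insensitive, the first occurrence wins, '#' lines are
# comments, and everything after the first "Match" line is conditional.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/              { next }
        tolower($1) == "match"  { exit }
        tolower($1) == key      { print tolower($2); found = 1; exit }
        END                     { if (!found) print def }
    ' "$1"
}

# audit_key_only FILE: returns 0 only if all three settings are in effect.
audit_key_only() {
    rc=0
    for want in pubkeyauthentication:yes passwordauthentication:no \
                challengeresponseauthentication:no; do
        key=${want%%:*}
        expect=${want#*:}
        # OpenSSH's built-in default for each of these keywords is "yes".
        got=$(effective_value "$1" "$key" yes)
        if [ "$got" != "$expect" ]; then
            echo "FAIL: $key is '$got', expected '$expect'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: PasswordAuthentication is still commented out, so the
# default ("yes") applies and password logins remain possible.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
if audit_key_only "$sample"; then
    echo "key-only login enforced"
else
    echo "password login still possible"
fi
rm -f "$sample"
```

On the server itself, `sshd -t` checks the file for syntax errors before the reload and `sshd -T` prints the effective settings. Keep your current session open until a second key-based login has succeeded.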
Enjoy!