No Passwords: SSH Authentication Using Authentication Keys
by AndrzejL
It would drive me bananas if I had to remember a password for each and every one of my shell accounts… Leaving an account with no password, however, is unacceptable from a security point of view. The solution? Use authentication keys – public and private.
How to get them? It's very easy.
Open a terminal on your local machine.
Use the command:
ssh-keygen -t rsa
When asked for:
Enter file in which to save the key (/home/mylogin/.ssh/id_rsa):
Press [ENTER].
Enter passphrase (empty for no passphrase):
Press [ENTER].
Enter same passphrase again:
Press [ENTER].
[mylogin@myhostname ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mylogin/.ssh/id_rsa):
Created directory '/home/mylogin/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mylogin/.ssh/id_rsa.
Your public key has been saved in /home/mylogin/.ssh/id_rsa.pub.
The key fingerprint is:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:7b mylogin@myhostname.local
The key's randomart image is:
+--[ RSA 2048]----+
RANDOM ART
BLAH
BLAH
+-----------------+
[mylogin@myhostname ~]$
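So, what have you done so far? You have generated a pair of authentication keys: a private one, which is for your eyes only, and a public one, which can be shown to anyone. Because the passphrase was left empty, the private key is stored unencrypted, so anyone who can read that file can log in as you.
The keys are placed in these two files: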
Your identification has been saved in /home/mylogin/.ssh/id_rsa. <<< PRIVATE KEY
Your public key has been saved in /home/mylogin/.ssh/id_rsa.pub. <<< PUBLIC KEY
Run this command:
cat /home/mylogin/.ssh/id_rsa.pub
Let's say it spits out this:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwMplVCQ+Y33n4kTVAy0nQReGD1GXmM28/D4STzNwdEthSY9UGIBduS1dGIVLWZYnphZglNFHE0Z0eIqgo0o0GDdtxqqsV20Zq/KV2nN+E8axlin4mRNuc/HgczxXkOtqkS9/yENOq8XN7XPD57kC+v+017GGNh139WiHbw+Myn9/mamjhmjywcnReiIbrYZnlgWJjpCXJCEoQZczypUyzB6x7aUMlenGdZwtfXCEPP709VSP9lUzanosY6bq1XoF6ravL2fulAvuNQVyxL7nfqJsio0JCI400WEJYm1et8Eg2vVEtIgIEKS7DZou/DR++/QgXpQas6yxaaHQ6Q0wt mylogin@myhostname.local
Now copy this ^^^ ENTIRE line.
Now that you have generated the authentication keys and copied the public one, you have to place the public key in a file on the remote machine. Not just any file: it's a specific file in a specific folder, both with specific permissions.
Open a new terminal and SSH to remotemachine.net:
ssh -l mylogin remotemachine.net
Create the .ssh directory in your home folder:
mkdir ~/.ssh
Give it correct permissions:
chmod 700 ~/.ssh
Create the file authorized_keys in the newly created directory:
touch ~/.ssh/authorized_keys
Give it correct permissions:
chmod 600 ~/.ssh/authorized_keys
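Put the line you copied from the output of cat /home/mylogin/.ssh/id_rsa.pub into that file by pasting it in place of PASTE in the command below. The > replaces anything already in the file, which is fine here because the file is new: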
echo "PASTE" > ~/.ssh/authorized_keys
Example:
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwMplVCQ+Y33n4kTVAy0nQReGD1GXmM28/D4STzNwdEthSY9UGIBduS1dGIVLWZYnphZglNFHE0Z0eIqgo0o0GDdtxqqsV20Zq/KV2nN+E8axlin4mRNuc/HgczxXkOtqkS9/yENOq8XN7XPD57kC+v+017GGNh139WiHbw+Myn9/mamjhmjywcnReiIbrYZnlgWJjpCXJCEoQZczypUyzB6x7aUMlenGdZwtfXCEPP709VSP9lUzanosY6bq1XoF6ravL2fulAvuNQVyxL7nfqJsio0JCI400WEJYm1et8Eg2vVEtIgIEKS7DZou/DR++/QgXpQas6yxaaHQ6Q0wt mylogin@myhostname.local" > ~/.ssh/authorized_keys
Log out from the remote machine:
exit
Log back in:
ssh -l mylogin remotemachine.net
The remote SSH server shouldn’t ask for a password. If it does – you messed up and you are reading it all tagged as FAIL!
You can use one private key to connect to multiple servers. Just copy the public key to all of them as I explained above. Permissions are crucial: 700 for the .ssh folder and 600 for the authorized_keys file. 99% of errors come from wrong permissions on the folder or file, or from a wrong file name.
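The remote-side steps and the two failure causes named above (permissions and file name) can be scripted. This is an added example, not part of the original post: mode_of, install_pubkey and check_ssh_perms are hypothetical helper names, and unlike the echo command above it appends the key only when it is missing, so an existing authorized_keys is not overwritten.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the octal permission bits of a path (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_pubkey PUBKEY_FILE HOME_DIR
# Creates .ssh (700) and authorized_keys (600) and appends the key only if
# that exact line is not there yet, so existing entries are kept.
install_pubkey() {
    pub=$1; dir=$2/.ssh; auth=$dir/authorized_keys
    [ -s "$pub" ] || { echo "no public key at $pub" >&2; return 1; }
    { mkdir -p "$dir" && chmod 700 "$dir"; } || return 1
    { touch "$auth" && chmod 600 "$auth"; } || return 1
    grep -qxF -- "$(cat "$pub")" "$auth" || cat "$pub" >> "$auth"
}

# check_ssh_perms HOME_DIR
# Reports wrong permissions and a wrong file name.
# Returns 0 only when nothing is wrong.
check_ssh_perms() {
    dir=$1/.ssh; auth=$dir/authorized_keys; bad=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"; return 1
    fi
    m=$(mode_of "$dir")
    [ "$m" = 700 ] || { echo "$dir is $m, expected 700"; bad=1; }
    if [ -f "$auth" ]; then
        m=$(mode_of "$auth")
        [ "$m" = 600 ] || { echo "$auth is $m, expected 600"; bad=1; }
    else
        echo "missing file: $auth"; bad=1
        # Look for near-miss names such as authorized_key or authorised_keys.
        for f in "$dir"/authori*; do
            if [ -e "$f" ]; then echo "possible misnamed file: $f"; fi
        done
    fi
    return "$bad"
}

# Usage on the remote machine, after copying id_rsa.pub there:
#   install_pubkey ./id_rsa.pub "$HOME" && check_ssh_perms "$HOME"
```

Running check_ssh_perms on its own is a quick first step when the server still asks for a password.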