Pre-Shared Keys For SSH Login Without A Password

CentOS 6, Mac OS X

This article is an excerpt taken from Secure SSH on CentOS 6 And RHEL.

If you’ve never used public and private keys before, you will LOVE this. A pre-shared key setup allows you to log in to the server (via SSH) without the need for a password and (optionally) only allows access to those users who can present a valid key to the server. They are as close to bulletproof as it gets for SSH.

First, you will need a public/private key pair. Beginning on the client machine (your Mac, for example), do the following:

$ ssh-keygen -t rsa

This will create two files in your (hidden) ~/.ssh directory: id_rsa and id_rsa.pub. The first (id_rsa) is your private key and the other (id_rsa.pub) is your public key.

If you don’t want to be asked for a passphrase (which is basically a password that unlocks your private key) each time you connect, just press enter when asked for a passphrase while creating the key pair. It is up to you to decide whether or not to add passphrase encryption to your key when you create it. Warning: if you don’t passphrase-protect your key, then anyone gaining access to your local machine will automatically have SSH access to the remote server!

Also, root on the local machine has access to your keys, although one assumes that if you can’t trust root (or root is compromised) then you’re in real trouble. Encrypting the key adds security, but it replaces the password prompt from the SSH server with a passphrase prompt for the key itself. This can be made painless with ssh-agent, which holds the decrypted key in memory so you type the passphrase once per session rather than on every connection.

Now set permissions on your private key:

$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/id_rsa

Copy the public key (id_rsa.pub) to your server:

$ scp id_rsa.pub root@8.8.8.8:/home/admin/

Now log in to the server (not shown) and add it to the authorized_keys list:

$ cat id_rsa.pub >> ~/.ssh/authorized_keys

Once you’ve imported the public key, you should delete it from the server. Now set the file permissions on the server:

$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys

The above permissions are required if StrictModes is set to yes (the default) in /etc/ssh/sshd_config; sshd silently ignores an authorized_keys file that is group- or world-writable. If you use SELinux (bad, bad, bad :)), ensure the correct SELinux contexts are set:

$ restorecon -Rv ~/.ssh
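The server-side steps above (create ~/.ssh, append the key, fix the permissions) collected into one script, as an added example that is not part of the original article. It installs a key only once, creates the files under a restrictive umask so authorized_keys never exists with loose permissions, and then checks the modes that sshd's StrictModes (and the ssh client, for the private key) insist on. The function names, the throwaway directory and the key strings are my own constructions, not anything from the article.

```shell
#!/bin/sh
# Added example, not from the original article. Installs a public key into a
# user's authorized_keys as the steps above do, but idempotently, and verifies
# the permissions sshd (StrictModes) and the ssh client insist on.
# Assumes POSIX sh with ls, grep, head, mkdir, chmod and mktemp. The key
# strings and paths in the demo are constructed placeholders, not credentials.
set -e

# install_authorized_key PUBKEY_FILE SSH_DIR
# Appends the first line of PUBKEY_FILE to SSH_DIR/authorized_keys unless that
# exact line is already there. Prints "installed" or "already present".
install_authorized_key() {
    pubkey_file=$1
    ssh_dir=$2
    auth_keys="$ssh_dir/authorized_keys"

    # Accept only a single-line OpenSSH public key (type, base64 blob, comment).
    key_line=$(head -n 1 "$pubkey_file")
    case "$key_line" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    # Create directory and file under umask 077 so they never appear with loose
    # permissions, then enforce the article's modes in case they pre-existed.
    ( umask 077; mkdir -p "$ssh_dir"; touch "$auth_keys" )
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_keys"

    # -x matches the whole line, -F takes the key literally (it contains '+'
    # and '/'), so running this twice does not add a duplicate entry.
    if grep -qxF -- "$key_line" "$auth_keys"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_keys"
    echo "installed"
}

# check_strict_modes SSH_DIR
# The part of sshd's StrictModes check that concerns ~/.ssh: neither the
# directory nor authorized_keys may be group- or world-writable.
check_strict_modes() {
    for path in "$1" "$1/authorized_keys"; do
        perms=$(ls -ld "$path" | cut -c1-10)   # e.g. drwx------
        case "$perms" in                        # char 6 = group w, char 9 = other w
            ?????w*|????????w?)
                echo "unsafe permissions on $path: $perms" >&2
                return 1 ;;
        esac
    done
    return 0
}

# check_private_key KEY_FILE
# The ssh client refuses a private key that anyone but its owner can read;
# require no group or other bits at all (0600 or 0400).
check_private_key() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ????------) return 0 ;;
        *) echo "private key $1 is accessible to others: $perms" >&2; return 1 ;;
    esac
}

# Demo on a throwaway directory (the key text below is a constructed placeholder).
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEPLACEHOLDERNOTAREALKEY demo@mac\n' \
    > "$demo/id_rsa.pub"
install_authorized_key "$demo/id_rsa.pub" "$demo/.ssh"   # installed
install_authorized_key "$demo/id_rsa.pub" "$demo/.ssh"   # already present
check_strict_modes "$demo/.ssh" && echo "authorized_keys permissions OK"
( umask 077; printf 'placeholder private key\n' > "$demo/id_rsa" )
check_private_key "$demo/id_rsa" && echo "private key permissions OK"
rm -rf "$demo"
```

Run it on the server as the user who will log in, pointing install_authorized_key at the uploaded id_rsa.pub and at $HOME/.ssh; check_private_key is for the client side, where ~/.ssh/id_rsa lives.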

Now when you log in to the server you won’t be prompted for a password (unless you entered a passphrase when you created your key pair). SSH will first try to authenticate using your key(s). If no keys are found or authentication fails, then SSH will attempt to use conventional password authentication.

I would NOT recommend it, but once you’ve checked you can successfully log in to the server using your public/private key pair, you can disable password authentication altogether by adding the following line to your /etc/ssh/sshd_config file:

# Disable password authentication forcing use of keys
PasswordAuthentication no

Setting PasswordAuthentication no is very secure and probably a good idea on a production server, but you need to consider whether you will always log in from a machine where your key is present.
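An added example, not from the original article: sshd takes the first uncommented occurrence of a keyword and ignores any later ones, so appending PasswordAuthentication no to the end of a file that already contains an active PasswordAuthentication yes changes nothing. The two functions below read the setting the way sshd does and refuse the switch to key-only login unless an authorized key is actually installed. The function names, the config fragment and the key text are mine, constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article. Reads the effective value of an
# sshd_config keyword the way sshd does (first uncommented occurrence wins,
# keyword is case-insensitive, settings after the first Match block are
# conditional), and guards the switch to key-only login. Assumes POSIX sh with
# awk, grep, tr and mktemp. The config and key text in the demo are constructed.
set -e

# effective_setting CONFIG KEYWORD
# Prints the lowercase value of the first active KEYWORD line in CONFIG, or
# "default" if the global section never sets it.
effective_setting() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/   { next }   # blank or comment line
        tolower($1) == "match" { exit }   # rest applies only to matching connections
        tolower($1) == kw      { print tolower($2); found = 1; exit }
        END                    { if (!found) print "default" }
    ' "$1"
}

# safe_to_disable_passwords AUTHORIZED_KEYS_FILE
# Returns 0 only if the file exists, is non-empty and holds at least one
# OpenSSH public key line; otherwise turning passwords off locks you out.
safe_to_disable_passwords() {
    [ -s "$1" ] && grep -Eq '^(ssh-|ecdsa-sha2-)' "$1"
}

# Demo: a constructed sshd_config where "no" was appended after an existing
# "yes", which is exactly the mistake effective_setting catches.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# constructed sshd_config fragment
Port 22
PasswordAuthentication yes
# Disable password authentication forcing use of keys
PasswordAuthentication no
EOF
echo "effective PasswordAuthentication: $(effective_setting "$cfg" PasswordAuthentication)"   # yes

keys=$(mktemp)
: > "$keys"   # constructed empty authorized_keys
if safe_to_disable_passwords "$keys"; then
    echo "a key is installed, safe to set PasswordAuthentication no"
else
    echo "no authorized key found, leave password authentication on"
fi
rm -f "$cfg" "$keys"
```

On the real server, run effective_setting /etc/ssh/sshd_config PasswordAuthentication (or, as root, sshd -T, which prints the configuration sshd will actually use) before restarting the daemon, and keep your existing session open while you test a fresh key-only login from another terminal.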