Paswordless SSH using an SSH keypair
SSH overview #
SSH is a widely-used secure console connection to a remote linux server. It provides a text-only interface and spawns a remote shell in the server which is previously defined in the user creation process but it’s usually /bin/bash or /bin/sh.
After we successfully log into the server, we can execute system commands or custom scripts depending on the permission level we have.
In this post I’ll cover how to generate an SSH keypair so that we can connect to our server remotely without specifying a password every time.
SSH Keypair generation #
We have two options:
- Create an SSH Keypair using Puttygen on windows
- Create an ssh using openssl (ssh-keygen) on our remote server and then copying it to our local computer and convert it to a Putty .ppk file if necessary.
To generate the keypair using ssh-keygen we’ll use:
[marc@centos7 ~]$ ssh-keygen -t rsa -b 4096 -C "My Private Key" Generating public/private rsa key pair. Enter file in which to save the key (/home/marc/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/marc/.ssh/id_rsa. Your public key has been saved in /home/marc/.ssh/id_rsa.pub. The key fingerprint is: 79:ab:1f:2f:68:f0:2e:3a:db:2d:67:2d:75:70:43:ae My Private Key The key's randomart image is: +--[ RSA 4096]----+ | | | . | | o | | .. + | | S .+ . | | . .E.. | | o +o. | | ..o.B.oo | | o+.B+o... | +-----------------+
That will generate an RSA key of 4096 Bytes of lenght with the comment “My Private Key”. We’ll enter an empty passprhase (double enter) so it doesn’t prompt us for password each time we connect to a remote host. our resulting keys are:
- Private Key: ~/.ssh/id_rsa
- Public Key: ~/.ssh/id_rsa.pub
Once we have our keypairs generated we need to see if our sshd_config in /etc/ssh has the AUthorizedKeysFile parameter set, if so:
[marc@centos7 ~]$ sudo grep AuthorizedKeysFile /etc/ssh/sshd_config AuthorizedKeysFile .ssh/authorized_keys
Then we’ll copy our generated public key (~/.ssh/id_rsa.pub) to our ~/.ssh/authorized_keys (we can just cat the entire file to it) and set the permissions to 0600
[marc@centos7 ~]$ cat .ssh/id_rsa.pub >> .ssh/authorized_keys [marc@centos7 ~]$ chmod 0600 .ssh/authorized_keys
Now, we have everything in place, so we can check if the passwordless authentication works connecting to our machine:
[marc@centos7 ~]$ ssh -i .ssh/id_rsa firstname.lastname@example.org The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established. ECDSA key fingerprint is 08:55:7d:0d:bf:84:b7:61:f2:d8:46:d6:47:53:df:9b. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts. Last login: Thu Dec 4 16:58:20 2014 from 10.0.2.2 [marc@centos7 ~]$ ll -a total 24 drwx------. 5 marc marc 4096 Dec 4 16:57 . drwxr-xr-x. 3 root root 17 Dec 2 00:25 .. -rw-------. 1 marc marc 11 Dec 4 16:51 .bash_history -rw-r--r--. 1 marc marc 18 Jun 10 06:31 .bash_logout -rw-r--r--. 1 marc marc 193 Jun 10 06:31 .bash_profile -rw-r--r--. 1 marc marc 231 Jun 10 06:31 .bashrc drwxrwxr-x. 3 marc marc 17 Dec 4 16:16 .cache drwxrwxr-x. 3 marc marc 17 Dec 4 16:16 .config drwx------. 2 marc marc 76 Dec 4 17:32 .ssh -rw-------. 1 marc marc 647 Dec 4 16:57 .viminfo
It will work from any machine that has the ~/.ssh/rsa_id file locally and if we wanted to connect from a Windows machine using putty, we would have to convert it to putty’s own .ppk format. To do so we need to download Puttygen and import the file from our local system (just cat the ~/.ssh/rsa_id file and copy its contents to a key.key file)
[marc@centos7 ~]$ cat .ssh/id_rsa -----BEGIN RSA PRIVATE KEY ... KEY ... -----END RSA PRIVATE KEY-----
Conversions -> Import key
And don’t forget to change: “Key comment” to match our own “My Private Key”. Click save private key to save it to .ppk (ignore the warning when it tells you that you’re not using any passphrase to protect it).
To connect using our private Key we’ll have to open a putty session and select our key in Connection -> SSH -> Auth.
Then connect to our remote host (in my case it’s in the same machine)
And… we’re all set! We’ll se that it automatically connects to our host without prompting us for a password
This covers this mini-post about how to create a valid ssh keypair for our user in a remote server. If you liked it don’t forget to Kudos it :)