Passwordless SSH using an SSH keypair

SSH overview

SSH provides a widely used, secure, text-only console connection to a remote Linux server. On login it spawns the user’s shell on the server; that shell is defined when the user is created and is usually /bin/bash or /bin/sh.
After we successfully log in to the server, we can execute system commands or custom scripts, depending on the permission level we have.

In this post I’ll cover how to generate an SSH keypair so that we can connect to our server remotely without specifying a password every time.

SSH Keypair generation

We have two options:

To generate the keypair using ssh-keygen we’ll use:

[marc@centos7 ~]$ ssh-keygen -t rsa -b 4096 -C "My Private Key"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/marc/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/marc/.ssh/id_rsa.
Your public key has been saved in /home/marc/.ssh/id_rsa.pub.
The key fingerprint is:
79:ab:1f:2f:68:f0:2e:3a:db:2d:67:2d:75:70:43:ae My Private Key
The key's randomart image is:
+--[ RSA 4096]----+
|                 |
|            .    |
|           o     |
|         .. +    |
|        S .+ .   |
|      .  .E..    |
|       o +o.     |
|    ..o.B.oo     |
|    o+.B+o...    |
+-----------------+

That will generate an RSA key of 4096 Bytes of length with the comment “My Private Key”. We’ll enter an empty passphrase (press Enter twice) so it doesn’t prompt us for a password each time we connect to a remote host. Our resulting keys are:

Once we have our keypair generated, we need to check whether the sshd_config in /etc/ssh has the AuthorizedKeysFile parameter set:

[marc@centos7 ~]$ sudo grep AuthorizedKeysFile /etc/ssh/sshd_config
AuthorizedKeysFile      .ssh/authorized_keys

Then we’ll copy our generated public key (~/.ssh/id_rsa.pub) to our ~/.ssh/authorized_keys (we can just cat the entire file into it) and set the permissions to 0600.

[marc@centos7 ~]$ cat .ssh/id_rsa.pub >> .ssh/authorized_keys
[marc@centos7 ~]$ chmod 0600 .ssh/authorized_keys
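
The authorized_keys step above as a reusable script, added here as an example and not part of the original post: it appends the key only once, applies the 0700/0600 modes, and audits the .ssh directory for looser ones, which matters because sshd's StrictModes check (on by default) rejects keys when ~/.ssh or authorized_keys is group- or world-writable. The function names are hypothetical and `stat -c` assumes GNU or BusyBox stat.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# install_pubkey PUBKEY_FILE SSH_DIR
# Appends the key to SSH_DIR/authorized_keys unless that exact line exists.
install_pubkey() {
    pub=$1; dir=$2; auth="$dir/authorized_keys"
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    # Refuse a private key passed by mistake (id_rsa instead of id_rsa.pub).
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key, refusing" >&2
        return 2
    fi
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    # Create the file owner-only before anything is written to it.
    ( umask 077; touch "$auth" ) || return 1
    key=$(head -n 1 "$pub")
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    chmod 0600 "$auth"
}

# audit_ssh_dir SSH_DIR
# Prints each path whose mode grants more than the limit below and
# returns 1 if any was found, 0 otherwise.
audit_ssh_dir() {
    dir=$1; bad=0
    for f in "$dir" "$dir/authorized_keys" "$dir"/id_*; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")    # assumes GNU or BusyBox stat
        case "$f" in
            "$dir") limit=700 ;;     # the .ssh directory itself
            *.pub)  limit=644 ;;     # public keys may be world-readable
            *)      limit=600 ;;     # authorized_keys and private keys
        esac
        # Any permission bit set in mode but not in limit is a finding.
        if [ $(( 0$mode & ~0$limit & 0777 )) -ne 0 ]; then
            echo "$f: mode $mode is looser than $limit"
            bad=1
        fi
    done
    return $bad
}
```

Typical use on the server is `install_pubkey ~/.ssh/id_rsa.pub ~/.ssh` followed by `audit_ssh_dir ~/.ssh`.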

Now we have everything in place, so we can check that passwordless authentication works by connecting to our own machine:

[marc@centos7 ~]$ ssh -i .ssh/id_rsa marc@127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is 08:55:7d:0d:bf:84:b7:61:f2:d8:46:d6:47:53:df:9b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
Last login: Thu Dec  4 16:58:20 2014 from 10.0.2.2
[marc@centos7 ~]$ ll -a
total 24
drwx------. 5 marc marc 4096 Dec  4 16:57 .
drwxr-xr-x. 3 root root   17 Dec  2 00:25 ..
-rw-------. 1 marc marc   11 Dec  4 16:51 .bash_history
-rw-r--r--. 1 marc marc   18 Jun 10 06:31 .bash_logout
-rw-r--r--. 1 marc marc  193 Jun 10 06:31 .bash_profile
-rw-r--r--. 1 marc marc  231 Jun 10 06:31 .bashrc
drwxrwxr-x. 3 marc marc   17 Dec  4 16:16 .cache
drwxrwxr-x. 3 marc marc   17 Dec  4 16:16 .config
drwx------. 2 marc marc   76 Dec  4 17:32 .ssh
-rw-------. 1 marc marc  647 Dec  4 16:57 .viminfo

It will work from any machine that has the ~/.ssh/id_rsa file locally. If we wanted to connect from a Windows machine using PuTTY, we would have to convert the key to PuTTY’s own .ppk format. To do so we need to download PuTTYgen and import the file from our local system (just cat the ~/.ssh/id_rsa file and copy its contents to a key.key file):

[marc@centos7 ~]$ cat .ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
...
KEY
...
-----END RSA PRIVATE KEY-----

Conversions -> Import key

And don’t forget to change “Key comment” to match our own “My Private Key”. Click “Save private key” to save it as a .ppk file (ignore the warning when it tells you that you’re not using any passphrase to protect it).

To connect using our private key we’ll have to open a PuTTY session and select our key in Connection -> SSH -> Auth.

Then connect to our remote host (in my case it’s on the same machine).

And… we’re all set! We’ll see that it automatically connects to our host without prompting us for a password.

That wraps up this mini-post about how to create a valid SSH keypair for our user on a remote server. If you liked it don’t forget to Kudos it :)

 