This Linux guide assumes that you run the following commands as the root user. If you run them as a different user, make sure that user has sudo access and prefix each privileged command with sudo.
Secure Shell (SSH) is a cryptographic network protocol for establishing a secure connection between a client and a server; it supports several authentication mechanisms. The two most common are password-based authentication and public-key-based authentication.
To set up passwordless SSH login on Linux, generate a public/private authentication key pair on the client and append the public key to the remote host's ~/.ssh/authorized_keys file. The private key never leaves the client; only the public half is copied to the server.
Check For Existing Key Pair
Before generating a new SSH key pair, check whether you already have one on your client machine, so that you don't overwrite existing keys: an overwritten private key cannot be recovered, and every server that trusts the old public key will stop accepting your logins. To check for an existing key pair, run the following command:
root@codesposts:~$ ls -al ~/.ssh/id_*.pub
If you see No such file or directory or no matches found, you do not have an SSH key yet and can proceed. If the command lists files, either reuse the existing key or give the new one a different file name when ssh-keygen asks where to save it.
Generate Authentication Key Pair
You can generate an authentication key pair by running the ssh-keygen command.
root@codesposts:~$ ssh-keygen -t rsa
The -t option selects the key type; this command generates an RSA key pair. On current OpenSSH releases the Ed25519 type (ed25519) is the recommended choice, with short keys and no key-length decision to make, and the steps below are identical apart from the file names (id_ed25519 instead of id_rsa). This guide continues with RSA.
Setting The Key Length Manually
By default an RSA key is 2048 bits long on older OpenSSH releases and 3072 bits since OpenSSH 8.0. If you prefer a larger safety margin you can request a 4096-bit key like below.
root@codesposts:~$ ssh-keygen -t rsa -b 4096
Next, ssh-keygen asks you for a passphrase. The passphrase encrypts the private key on disk, so a copied or stolen id_rsa file is useless to an attacker without it; use one whenever a human types the login, and let ssh-agent cache it so you enter it once per session. Developers and system administrators often leave the passphrase empty for fully automated processes (cron jobs, deployment scripts), but then the file itself is the credential: anyone who can read it can log in as you, so its file permissions and backups must be treated accordingly. If you don't want a passphrase, just press Enter.
Enter passphrase (empty for no passphrase):
Verification Of The Key Pair
To confirm that the keys were generated, list the new private and public key files with the following command. The file without an extension is the private key and must stay on the client; the .pub file is the one you distribute.
root@codesposts:~$ ls ~/.ssh/id_*
/home/yourusername/.ssh/id_rsa /home/yourusername/.ssh/id_rsa.pub
Copy Your Public Key To Remote Linux Server
Use the ssh-copy-id command to install the public half of the newly generated key pair into the authorized_keys file of a specific user on the remote host. It logs in with your current credentials (the account password, in this case), creates ~/.ssh and authorized_keys with the correct permissions if they are missing, and skips keys that are already installed. Run the following command on your client:
root@codesposts:~$ ssh-copy-id -i ~/.ssh/id_rsa.pub user@remote-host-name
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@remote-host-name's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'user@remote-host-name'"
and check to make sure that only the key(s) you wanted were added.
If ssh-copy-id is not available on your client (it ships with OpenSSH on most Linux distributions, but not everywhere), you can do the same job by hand over ssh. The command below also creates the remote ~/.ssh directory and authorized_keys file with the permissions sshd requires, in case they do not exist yet; unlike ssh-copy-id, it appends the key even if it is already present, so run it only once:
root@codesposts:~$ cat ~/.ssh/id_rsa.pub | ssh user@remote-host-name "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
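The following script is an added example, not part of the original guide or of OpenSSH itself. It reproduces the remote-side part of what ssh-copy-id does: create ~/.ssh with mode 700 and authorized_keys with mode 600 if they are missing, and append a key only if the same key type and base64 blob are not already in the file (the trailing comment is ignored), so it can be run repeatedly without duplicating entries. The key lines used in the demo are constructed strings, not real keys, and the file name install_pubkey.sh is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): a small stand-in for the part of
# ssh-copy-id that runs on the remote host. Given one public-key line and the
# path of an authorized_keys file, it
#   - creates the .ssh directory (700) and the file (600) if they are missing,
#   - appends the key only if the same key type and base64 blob are not already
#     present (the trailing comment is ignored, so re-running it is safe).
# Exit status: 0 = key added, 1 = key was already installed, 2 = bad input.
install_pubkey() {
    local key="$1" auth="$2"
    local dir ktype blob
    dir=$(dirname "$auth")
    # an authorized_keys entry is "<type> <base64 blob> [comment]"
    ktype=$(printf '%s\n' "$key" | awk '{print $1}')
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    if [ -z "$ktype" ] || [ -z "$blob" ]; then
        echo "install_pubkey: malformed public key line" >&2
        return 2
    fi
    # create directory and file owner-only; the subshell keeps the umask
    # change from leaking into the caller's shell
    ( umask 077 && mkdir -p "$dir" && touch "$auth" )
    chmod 700 "$dir"
    chmod 600 "$auth"
    # refuse to add a duplicate: compare type and blob, not the comment
    if awk -v t="$ktype" -v b="$blob" \
        '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth"; then
        return 1
    fi
    printf '%s\n' "$key" >> "$auth"
}

# count_keys FILE: number of key lines (blank lines and # comments excluded)
count_keys() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# Demo with a constructed (not real) key line; runs only when invoked as
#   bash install_pubkey.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    k='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBlobNotARealKey00000000000 alice@laptop'
    install_pubkey "$k" "$tmp/.ssh/authorized_keys" && echo "added"
    install_pubkey "$k" "$tmp/.ssh/authorized_keys" || echo "already installed"
    echo "keys in file: $(count_keys "$tmp/.ssh/authorized_keys")"
    ls -ld "$tmp/.ssh" "$tmp/.ssh/authorized_keys"
    rm -rf "$tmp"
fi
```

Matching on type and blob rather than on the whole line is what makes the check robust: the same key copied from two machines usually carries different comments (user@host), and comparing the full line would let the duplicate through.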
Login To SSH Server
The public key is now stored in the .ssh/authorized_keys file under the remote user's home directory. Log in to the remote server; you should no longer be asked for the account password, only for the key passphrase if you set one:
root@codesposts:~$ ssh user@remote-host-name
Disabling Password Authentication
Although key-based login now works, the server still accepts the account password, so an attacker can keep brute-forcing it from any other machine. Disabling password authentication removes that attack surface. Before you do, confirm that key login works and keep a second, already authenticated session open until the change is verified; if the key setup is wrong you would otherwise lock yourself out.
To disable password authentication, edit the /etc/ssh/sshd_config file on the remote server.
root@codesposts:~$ nano /etc/ssh/sshd_config
Find this line:
#PasswordAuthentication yes
Change it to:
PasswordAuthentication no
Then find this line:
ChallengeResponseAuthentication no
If its value is yes, change it to no; otherwise sshd can still fall back to a keyboard-interactive password prompt through PAM. On OpenSSH 8.7 and later this keyword is called KbdInteractiveAuthentication (the old name is still accepted). Also make sure PubkeyAuthentication is not set to no (its default is yes). Two details often undo this edit: sshd uses the first value it reads for a keyword, so an earlier uncommented PasswordAuthentication yes wins over a no added further down, and on some distributions (recent Ubuntu releases, for example) the file starts with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in file there can override your change. Running sshd -T on the server prints the effective configuration after all includes are resolved.
Save the file and exit. Check the configuration for syntax errors with sshd -t before restarting, since a typo can leave you with a daemon that refuses to start. Then restart the service; the unit is called ssh on Debian and Ubuntu and sshd on RHEL, Fedora and most other distributions, so substitute the name your system uses:
root@codesposts:~$ service ssh restart
OR
root@codesposts:~$ systemctl restart ssh
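To see why an edit to sshd_config can silently fail to take effect, here is an added example (not from the original guide or from OpenSSH) that reports the value sshd will actually use for a keyword and audits the three settings discussed above. It applies sshd's own parsing rules: the first value read for a keyword wins, keyword matching is case-insensitive, and the global section ends at the first Match line. It deliberately does not follow Include directives, so treat it as a quick local check and use sshd -T on the server for the authoritative view. The configuration fragments in the demo are constructed, and the file name sshd_audit.sh is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): find the value sshd will actually
# use for a keyword in an sshd_config, and audit the settings this section edits.
#
# Two sshd_config rules trip people up:
#   1. For each keyword the FIRST value read wins (see man sshd_config), so a
#      "PasswordAuthentication no" appended at the bottom is ignored when an
#      uncommented "PasswordAuthentication yes" appears earlier.
#   2. Everything after the first "Match" line belongs to that Match block, not
#      to the global section, so the scan stops there.
# Keyword matching is case-insensitive, as in sshd. Assumption of this example:
# Include directives are not followed; `sshd -T` on the server is authoritative.
sshd_global_value() {   # usage: sshd_global_value KEYWORD FILE [DEFAULT]
    local key="$1" file="$2" default="${3:-}" v
    v=$(awk -v k="$key" '
        { sub(/#.*/, "") }                        # drop comments
        tolower($1) == "match" { exit }           # end of the global section
        NF >= 2 && tolower($1) == tolower(k) { print tolower($2); exit }  # first wins
    ' "$file")
    printf '%s\n' "${v:-$default}"
}

# audit_password_auth FILE: one PASS/FAIL line per setting; returns 0 if all pass.
audit_password_auth() {
    local file="$1" rc=0 pa pk ki
    pa=$(sshd_global_value PasswordAuthentication "$file" yes)   # upstream default: yes
    pk=$(sshd_global_value PubkeyAuthentication   "$file" yes)   # upstream default: yes
    # OpenSSH 8.7 renamed ChallengeResponseAuthentication to
    # KbdInteractiveAuthentication; accept whichever spelling the file uses.
    ki=$(sshd_global_value KbdInteractiveAuthentication "$file")
    [ -n "$ki" ] || ki=$(sshd_global_value ChallengeResponseAuthentication "$file" yes)
    _report() {   # _report NAME ACTUAL WANTED
        if [ "$2" = "$3" ]; then echo "PASS $1 $2"; else echo "FAIL $1 $2 (want $3)"; rc=1; fi
    }
    _report PasswordAuthentication       "$pa" no
    _report KbdInteractiveAuthentication "$ki" no
    _report PubkeyAuthentication         "$pk" yes
    return "$rc"
}

# Demo against a constructed config that looks fixed but is not:
#   bash sshd_audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' 'PasswordAuthentication yes' \
                  '#PasswordAuthentication yes' \
                  'PasswordAuthentication no' \
                  'ChallengeResponseAuthentication no' > "$tmp"
    audit_password_auth "$tmp" || echo "-> this server still accepts passwords"
    rm -f "$tmp"
fi
```

The demo configuration is the classic mistake: the administrator appended PasswordAuthentication no without noticing the yes above it, and sshd keeps accepting passwords. A PASS from this script is not proof, because an included drop-in file can still change the outcome; a FAIL is always real.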
Checking The Correct Permissions
If you followed the steps above and are still prompted for a password, inspect the permissions of the relevant files on both the client and the server. With StrictModes (sshd's default) the server ignores authorized_keys if the user's home directory, the .ssh directory, or the file itself is writable by group or others, or is not owned by the user. The listing below shows a typical correct layout on the server; the home directory may also be 755, what matters is that nobody but the owner can write to it:
drwx------. 25 oracle oinstall 4096 July 21 11:01 /home/oracle/
drwx------.  2 oracle oinstall 4096 July 17 13:13 /home/oracle/.ssh
-rw-------.  1 oracle oinstall  420 July 17 13:13 /home/oracle/.ssh/authorized_keys
If the permissions are not as shown above, correct them with the following commands, run on the server as the remote user (or with the paths adjusted to that user's home directory):
root@codesposts:~$ chmod 600 ~/.ssh/authorized_keys
root@codesposts:~$ chmod 700 ~/.ssh/
On the client side, the private key must be readable only by its owner (mode 600); ssh refuses to use a key whose file is readable by others and prints an UNPROTECTED PRIVATE KEY FILE warning. sshd checks these permissions on every login attempt, so a restart is not strictly required after fixing them, but it does no harm:
root@codesposts:~$ service sshd restart
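As an added example (not part of the original guide), the script below encodes the permission checks described above: on the server, the home directory, .ssh and authorized_keys must not be writable by group or others, which is what sshd's StrictModes enforces; on the client, the private key must be readable by its owner only. It parses the mode string printed by ls -ld rather than using GNU-specific stat options, so it behaves the same on GNU and BSD userlands; it does not check file ownership. The demo builds a throwaway directory with deliberately wrong permissions and then fixes it; the file name ssh_perm_check.sh is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): the permission checks behind a
# surprise password prompt. With StrictModes (sshd's default) the server ignores
# authorized_keys when the user's home directory, ~/.ssh, or the file itself is
# writable by group or others (or not owned by the user). On the client, ssh
# refuses a private key that anyone but its owner can read, printing
# "UNPROTECTED PRIVATE KEY FILE". The checks parse the `ls -ld` mode string
# (e.g. drwx------) so they work on GNU and BSD alike; ownership is not checked.
mode_of() { ls -ld "$1" | cut -c1-10; }

# not_writable_by_others PATH: true when the group and other write bits are clear
# (positions 6 and 9 of the mode string)
not_writable_by_others() {
    local m; m=$(mode_of "$1")
    [ "$(printf '%s' "$m" | cut -c6)" = "-" ] && [ "$(printf '%s' "$m" | cut -c9)" = "-" ]
}

# owner_only PATH: true when group and others have no permissions at all
owner_only() {
    local m; m=$(mode_of "$1")
    [ "$(printf '%s' "$m" | cut -c5-10)" = "------" ]
}

# check_server_side HOME_DIR: what StrictModes verifies before trusting authorized_keys.
# Prints one line per path; returns 0 only if every check passes.
check_server_side() {
    local home="$1" rc=0 p
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "FAIL missing      $p"; rc=1
        elif not_writable_by_others "$p"; then
            echo "PASS $(mode_of "$p") $p"
        else
            echo "FAIL $(mode_of "$p") $p (writable by group or others)"; rc=1
        fi
    done
    return "$rc"
}

# check_client_key KEYFILE: the private key must be mode 600 (or 400).
check_client_key() {
    if [ -e "$1" ] && owner_only "$1"; then
        echo "PASS $(mode_of "$1") $1"
    else
        echo "FAIL $1: private key must be readable by its owner only (chmod 600)"
        return 1
    fi
}

# Demo in a throwaway directory:  bash ssh_perm_check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    mkdir "$tmp/.ssh"; chmod 775 "$tmp/.ssh"                       # deliberately wrong
    : > "$tmp/.ssh/authorized_keys"; chmod 600 "$tmp/.ssh/authorized_keys"
    check_server_side "$tmp" || echo "-> sshd would ignore authorized_keys here"
    chmod 700 "$tmp/.ssh"
    check_server_side "$tmp" && echo "-> fixed"
    rm -rf "$tmp"
fi
```

Note the asymmetry the checks encode: the server only cares that nobody else can write to these paths (a 755 home directory passes), while the client rejects a private key that anyone else can even read.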
Fixing SELinux Contexts
On SELinux-enabled systems (RHEL, Fedora, CentOS and derivatives), a ~/.ssh directory or authorized_keys file that was created or copied in with the wrong security context can also stop sshd from reading it, even when the Unix permissions are correct (ls -Z shows the current context). There is no need to disable SELinux for this; rule the problem out, or fix it, by restoring the default contexts on the remote user's ~/.ssh directory with restorecon. Run it as root on the server, replacing user with the remote user name:
root@codesposts:~$ restorecon -Rv /home/user/.ssh
Backing Up Your Public/Private Key
Once you disable SSH password authentication, your key pair is the only way in: if you lose it you are locked out of your server. Back up the public/private key pair to a safe location, such as an encrypted USB drive, and remember that the private key is a credential, not ordinary data: whoever holds a copy of id_rsa (and its passphrase, if any) can log in as you. A good alternative to carrying one private key around is to generate a separate key pair on each client and add each public key to authorized_keys, so a lost or compromised device can be revoked by deleting a single line.
root@codesposts:~$ cp ~/.ssh/id_rsa* /path/to/backup/location/
You can copy the key pair to a new Linux computer and use it to log in to your server from there. Once you have copied the key pair to the new computer, change the owner of the files to the user on that computer:
root@codesposts:~$ chown new-user:new-user id_rsa*
Then move them into that user's .ssh directory and confirm that the private key is still readable only by its owner (mode 600), otherwise ssh will refuse to use it.
root@codesposts:~$ mv id_rsa* ~/.ssh/
Changing Private Key Passphrase
If you want to change (or add) the passphrase on your private key without generating a new key pair, run the following command; the public key and the entries in authorized_keys stay the same:
root@codesposts:~$ ssh-keygen -f ~/.ssh/id_rsa -p
You will be asked for the old passphrase and then for the new one. Entering an empty new passphrase removes passphrase protection from the key.