Lesson 41: Logon to Ubuntu via SSH Without Passwords

Student lesson 41 assignment: How do you log on to an Ubuntu SSH server without passwords?

If you’re reading this post then you probably know a thing or two about SSH. Without going into too much detail, SSH, which is an acronym for Secure Shell, is a communication protocol that allows for secure communication between networked computers.

Prior to SSH, the most common way one could connect to a remote terminal was via Telnet programs. Telnet provided a means to connect to remote servers but didn’t do it securely.

Professionals with the right tool could intercept Telnet communications and gather sensitive information like passwords.

Unlike Telnet, SSH was designed and created to provide optimal security when accessing remote servers.

To access an SSH server, by default one always has to type a username and password. This is great; however, to increase the security of your SSH server, you should enable password-less authentication.

This tutorial is going to show you how to easily do that with Ubuntu servers.

Installing Secure Shell on Ubuntu

To install the OpenSSH server on Ubuntu systems, run the commands below.

sudo apt-get update
sudo apt-get -y install openssh-server

After installing it, run the commands below to start it.

sudo systemctl start ssh

Generating the client’s SSH Key

Now that the SSH server is installed, log on to the client computer that you’ll be using to access the server and run the command below to generate an RSA key pair for the client machine.

ssh-keygen -t rsa

After running the above command, you’ll see a message similar to the one below. Do not create a passphrase (leave it empty and press Enter).

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): Press Enter
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): Press Enter
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:XCsSFmsVm9HK2gd2j0ouZjSIId3bw6m+q7PA2VhyQp4 root@UbuntuVM
The key's randomart image is:
+---[RSA 2048]----+
|      . +o       |
|       + +.      |
| o .  =.o..      |
|+ + .o o=...     |
| E = =.=So.o     |
|. X o O.o.o .    |
|.+ . o = o       |
| .. . + o        |
|  o=+= .         |
+----[SHA256]-----+

With the above command, an SSH client key pair will be created and saved in the .ssh directory of your home folder (/root/.ssh in the output above).

Copying the client SSH key to the server.

To enable password-less SSH authentication, copy the client’s public SSH key to the server’s keystore. The client’s public key stored on the server will be used for authentication instead of a password. This provides better security than password authentication.

To copy the client public SSH key to the server, run the commands below.

ssh-copy-id your_username@your_server-IP

Replace your_username with an account name on the server and use the server IP or hostname to connect.

[Richard.PenguinPC] ➤ ssh-copy-id richard@192.168.6.129
Permanently added '192.168.6.129' (ECDSA) to the list of known hosts.
richard@192.168.6.129's password:
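
What ssh-copy-id leaves on the server is one line in ~/.ssh/authorized_keys, and with StrictModes yes (set in the server configuration in this lesson) sshd refuses to use that file if it, ~/.ssh or the home directory is writable by group or others. The script below is an added example, not part of the original lesson; the function names, the temporary directory standing in for a home folder and the key string are constructed for illustration.

```shell
#!/bin/sh
# Added example: store a public key the way ssh-copy-id leaves it, then
# check the modes sshd enforces when "StrictModes yes" is set.

# install_pubkey HOME_DIR "PUBLIC KEY LINE": append the key once, owner-only modes
install_pubkey() {
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh" || return 1
    ak="$1/.ssh/authorized_keys"
    touch "$ak" && chmod 600 "$ak" || return 1
    # -x whole line, -F fixed string: skip a key that is already present
    grep -qxF -- "$2" "$ak" || printf '%s\n' "$2" >> "$ak"
}

# writable_by_others PATH: true if the group or world write bit is set
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# strictmodes_ok HOME_DIR: 0 if all three paths exist and none is
# group- or world-writable
strictmodes_ok() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; return 1; }
        if writable_by_others "$p"; then
            echo "too open: $p"
            return 1
        fi
    done
}

# Constructed demo: a temporary directory stands in for the user's home.
home=$(mktemp -d); trap 'rm -rf "$home"' EXIT
chmod 755 "$home"
key='ssh-rsa AAAAB3CONSTRUCTEDSAMPLE richard@PenguinPC'   # not a real key
install_pubkey "$home" "$key"
install_pubkey "$home" "$key"        # second run adds nothing
strictmodes_ok "$home" && echo "modes OK"
chmod g+w "$home/.ssh"               # simulate a loosened directory
strictmodes_ok "$home" || echo "sshd would not use authorized_keys here"
```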

After the client’s public key has been uploaded to the server, go and configure the SSH server to never allow passwords to sign on. Only clients with their public keys stored on the server will be allowed.

For hackers to gain access to your server, they must already have their clients’ public SSH keys on the server, which will be very difficult to do if the clients can’t connect in the first place.

Configuring OpenSSH server

Finally, open the OpenSSH server configuration file and make the following highlighted changes.

sudo nano /etc/ssh/sshd_config

Make the highlighted changes as shown below:

# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile    %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

After the changes above, save the file and restart SSH.

sudo systemctl restart ssh
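
To confirm that the edited file really closes every password path, the check below reads a config the way sshd does: the first occurrence of a keyword wins, keywords are case-insensitive and commented lines do not count. It is an added example, not part of the original lesson; the function names effective_value and audit_sshd_config and both sample files are constructed for illustration, and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings changed in this lesson.
# sshd keeps the FIRST value it reads for a keyword; keywords are
# case-insensitive and '#' lines are ignored.

# effective_value FILE KEYWORD DEFAULT -> first global value, else DEFAULT
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = def }
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # comments and blank lines
        { sub(/=/, " ") }                     # accept the "Keyword=value" form
        tolower($1) == "match" { exit }       # conditional blocks: stop here
        tolower($1) == key { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# audit_sshd_config FILE -> 0 if password logins are off and key login is on
audit_sshd_config() {
    rc=0
    # columns: keyword, value the lesson sets, OpenSSH default when unset
    while read -r key want def; do
        got=$(effective_value "$1" "$key" "$def")
        [ "$got" = "$want" ] && continue
        echo "FAIL: $key is '$got', lesson expects '$want'"
        rc=1
    done <<EOF
PasswordAuthentication no yes
ChallengeResponseAuthentication no yes
PermitEmptyPasswords no no
PubkeyAuthentication yes yes
EOF
    return $rc
}

# Constructed samples: the lesson's settings, and a file where an earlier
# "yes" line silently wins over a "no" appended at the bottom.
good=$(mktemp); bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT
printf '%s\n' 'PubkeyAuthentication yes' 'ChallengeResponseAuthentication no' \
    '# To enable empty passwords, change to yes' 'PermitEmptyPasswords no' \
    'PasswordAuthentication no' > "$good"
printf '%s\n' 'passwordauthentication yes' 'ChallengeResponseAuthentication no' \
    '#PasswordAuthentication no' 'PasswordAuthentication no' > "$bad"

audit_sshd_config "$good" && echo "good sample: OK"
audit_sshd_config "$bad"  || echo "bad sample: password logins still enabled"
```

On the server, sudo sshd -t checks the edited file for syntax errors before the restart, and sudo sshd -T prints the settings sshd actually uses.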

Now, try to log in from the client computer and you will be automatically logged in using the client’s SSH key.

ssh username@server_IP

[Richard.PenguinPC] ➤ ssh richard@192.168.6.129
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-36-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

12 packages can be updated.
11 updates are security updates.

You should automatically log in without typing a password. That’s it!

Enjoy!
