Are you tired of typing passwords each time you logon to your OpenSSH sessions on your Ubuntu servers? The steps below can help you setup SSH key authentication where you never have to type a password again, (Password less)..
If you’re reading this post then you probably know a thing or two about OpenSSH. Without going into too much details, SSH, which is an acronym for Secure Shell, is a communication protocol that allows for secure communication between networked computers.
Prior to SSH, the most common way one could connect to a remote terminal was via Telnet programs. Telnet provided a means to connect to remote servers but didn’t do it securely.
OpenSSH is now the primary means to remotely connect to your terminal sessions and manage your servers… the steps below show you how to configure SSH to only allow key as means of authentications..
To get started, continue below:
Step 1: Install Secure SHell on Ubuntu 16.04 Server
Before clients computer can connect via SSH protocol, you must first install it on the server… to do that on Ubuntu, run the commands below
sudo apt-get update sudo apt-get -y install openssh-server
After installing it, run the commands below to start if it’s not already started…
sudo systemctl start ssh
Step 2: Generate the Client’s SSH Key Linux Machines
Now that SSH server is installed, logon to the client computer that you’ll be using to access the server and run the commands below to generate a RSA key pair for the client machine.
ssh-keygen -t rsa
After running the above command, you’ll see similar prompts below. Complete the prompts as highlighted below…
Generating public/private rsa key pair. Enter file in which to save the key (/home/richard/.ssh/id_rsa): Press Enter Created directory '/home/richard/.ssh'. Enter passphrase (empty for no passphrase):Press Enter Enter same passphrase again:Press Enter Your identification has been saved in /home/richard/.ssh/id_rsa. Your public key has been saved in /home/richard/.ssh/id_rsa.pub. The key fingerprint is:Press Enter SHA256:l6lb+u65p9CHd3IhGFL5kLTdOyC/tzmiq12JauWfvJo [email protected] The key's randomart image is: +---[RSA 2048]----+ | .oo | | .+o . | | . +oo . | | . B.. . | | S = o + | | +.o + o | | oo= B + | | .B.Bo*.o | | .==EO=oo. | +----[SHA256]-----+
With the above command, an SSH client key pair will be created and saved in the highlighted directory of your home folder.
Step 3: Copy the client SSH key to the server.
To enable password-less SSH authentication, copy the client’s public SSH key to the server’s keystore. The client’s public key exported to the server will be used for authentication instead of passwords. This provides better security than password authentication.
To copy the client public SSH key to the server, follow the format below.. for example.. to copy user account called richard public SSH key to the server, run this.. the account named richard should already be created on the server and able to connect via SSH using passwords..
ssh-copy-id [email protected]
Replace richard with an account name on the server and use the server IP or hostname to connect.
[Richard.PenguinPC] ➤ ssh-copy-id [email protected] Permanently added '192.168.6.129' (ECDSA) to the list of known hosts. [email protected]'s password:
After the client’ public key has been uploaded to the server, go and configure the SSH server to never allow password to sign on. Only clients with their public keys stored on the server will be allowed.
Below is what you’ll see after a successful key transfer to the server…
INFO: Source of key(s) to be installed: "/home/richard/.ssh/id_rsa.pub" The authenticity of host '192.168.43.133 (192.168.43.133)' can't be established. ECDSA key fingerprint is SHA256:ZQUOMiT7a13GoalwFmeOqlO2K3rotKLcsoljV8UBOy4. Are you sure you want to continue connecting (yes/no)? yes /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys [email protected]'s password:type richard password on the server Number of key(s) added: 1 Now try logging into the machine, with: "ssh '[email protected]'" and check to make sure that only the key(s) you wanted were added.
For hackers to gain access to your server, they must already have their clients’ public SSH keys on the server which will be very difficult to do if the clients can’t connect in the first place.
Step 4: Configuring openSSH server
Finally, open openSSH server configuration file and make the following highlighted changes
sudo nano /etc/ssh/sshd_config
Make the highlighted changes as shown below:
# Authentication: LoginGraceTime 120 PermitRootLogin prohibit-password StrictModes yes RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile %h/.ssh/authorized_keys # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no # Change to no to disable tunnelled clear text passwords PasswordAuthentication no
After the changes above, save the file and restart SSH.
sudo systemctl restart ssh
Now, try to login from the client computer and you will be automatically logged in using the client’s SSH key.
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-109-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 0 packages can be updated. 0 updates are security updates. Last login: Tue Jan 16 07:16:38 2018 from 192.168.43.1 [email protected]:~$
You should automatically login without typing a password. That’s it!
When you attempt to logon from client whose keys not already installed on the server, you’ll see a message below:
You may also like this post: