This brief tutorial shows students and new users how to setup OpenSSH server for key authentication or password-less authentication. This setup allows users of the Ubuntu server to logon via SSH without typing passwords.
This is a much more secure alternative to SSH password authentication. With password authentication, each time a user wants to logon, he/she must always type a password. Another weakness is password can be guessed any anyone.
With key authentication, no password is ever typed. Only client computers with the correct matching key pair to the server are allowed.
To configure SSH with key authentication, follow the steps below:
Step 1: Generate a SSH Key for Each User
To logon via SSH key authentication, you must first generate a key pair. Two keys are created: one public and the other private. The private key must stay on the server and the public key shared with clients securely.
Login via SSH as the user you want to configure, then run the commands below to generate a SSH key pair.
ssh-keygen -t rsa
When prompted, press Enter to accept the default location to store the keys.. by default, it’s saved in the user’s home directory in the hidden .ssh folder.
richard@ubuntu1704:~$ ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/richard/.ssh/id_rsa): Enter Created directory '/home/richard/.ssh'. Enter passphrase (empty for no passphrase): Enter Enter same passphrase again: Enter Your identification has been saved in /home/richard/.ssh/id_rsa. Your public key has been saved in /home/richard/.ssh/id_rsa.pub.
Step 2: Share the Public Key with the Client PC
After creating the key pair above, a public key called id_rsa.pub will be stored in the ~/.ssh/. A folder also called authorized_keys will also be created in that directory. The SSH server looks in the ~/.ssh/authorized_keys for all authorized keys that can logon to the server.
So, run the commands below to move the public key created above into the ~/.ssh/authorized_keys file.
mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
After running the above commands, logon to the client computer.. hopefully another Linux machine and run the commands below to copy the public key to the client machine.
mkdir ~/.ssh scp richard@server_name:/home/richard/.ssh/id_rsa ~/.ssh/
The key should be copied to the client machine.
Step 3: Logon to SSH without Password
After getting the key to the client computer, logon to the server and open SSH default configuration file by running the commands below
sudo nano /etc/ssh/sshd_config
Then make the highlighted changes below and save the file.
# To disable tunneled clear text passwords, change to no here! PasswordAuthentication no ChallengeResponseAuthentication no UsePAM yes #PermitEmptyPasswords no
Save the file and restart SSH
sudo systemctl restart ssh
Protect your keys.
On the server, run the commands below to protect the SSH keys.
chmod 600 ~/.ssh/authorized_keys
Now only clients with the matching key pair will be allowed onto the server. To connect, run the commands below replacing server_name with the original servers.
Will logon without typing a password.
If you can get the key to a Windows machine, you could use PuTTY to sign on automatically as well.
You may also like the post below: