As you may know, Secure Shell (SSH) is a cryptographic network protocol that can be used to access remote machines securely over a text-based interface. Using SSH, we can open a command prompt on the remote system and run commands without having physical access to it. We can also transfer files between remote and local systems securely using the Secure Copy (SCP) protocol.
This tutorial describes how to configure passwordless SSH login in Linux. We can do this using two methods.
Why does password-less SSH login matter?
Simple. To increase security, automate tasks and reduce the chances of being hacked. Passwords might be easily guessed or cracked by hackers, you might forget a long and complex password, or you might not want to save passwords in an unsecured place.
In the password-less SSH login method, we’re going to exchange encrypted keys instead of entering the actual password while connecting to the remote systems using SSH. So, nobody can easily hack or guess our password, because we don’t use passwords anymore to access the remote systems. And, more importantly, hidden key-loggers and brute-force attacks don’t work for prying eyes when we use password-less SSH logins.
Here, we’ll be using two systems.
- Local system’s IP address: 192.168.1.200/24
- Local system’s OS: Ubuntu 14.04 LTS
- Remote system’s IP address: 192.168.1.150/24
- Remote system’s OS: CentOS 7
First, open a terminal on your local system to generate a pair of private and public keys. In our case, the local system is Ubuntu 14.04 LTS.
Run the following command to generate encrypted keys.
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sk/.ssh/id_rsa): ## Press Enter
Enter passphrase (empty for no passphrase): ## Enter Passphrase
Enter same passphrase again: ## Re-enter Passphrase
Your identification has been saved in /home/sk/.ssh/id_rsa.
Your public key has been saved in /home/sk/.ssh/id_rsa.pub.
The key fingerprint is:
e4:6d:fc:7b:6b:d4:0c:04:72:7e:ae:c4:16:f3:13:d1 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
| . o... |
| + ..E|
| . +.o |
| o o . *.. |
| S + + ++ |
| . + ...o|
| o. |
| .o |
| .o.. |
+-----------------+
The key files will be stored under your /home directory. In our case, the keys are stored in the /home/sk/.ssh/ directory. The above command creates two keys: one private and one public. The private key should stay on the local system; you don’t have to transfer it to the remote systems. The public key should be transferred to the remote systems that you want to access from the local system. If the two keys match during authentication, the local system will be able to access the remote system. If the private and public keys don’t match, authentication will not be allowed.
Also, it is important to know that you can’t use the same pair of keys for different systems. Each system’s keys are different and unique.
Now, copy the public key file to your remote system.
ssh-copy-id -i /home/sk/.ssh/id_rsa.pub sk@192.168.1.150
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
sk@192.168.1.150's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'sk@192.168.1.150'"
and check to make sure that only the key(s) you wanted were added.
Here, 192.168.1.150 is my remote system’s IP (CentOS 7). ‘sk’ is my remote system’s username.
Now, ssh to your remote system as shown here.
You will be able to access the remote system without having to enter the password.
In case the ‘ssh’ version differs between the local and remote systems, you need to set permissions on the ‘.ssh’ directory of your remote system.
To do that, run the following command:
ssh sk@192.168.1.150 "chmod 700 .ssh; chmod 640 .ssh/authorized_keys"
Now, you can ssh to your remote systems without any issues.
If you still can’t ssh to the remote system for some reason, go to your remote system, which is CentOS 7 in our case, and enable SSH key authentication.
To do that, edit the sshd configuration file (/etc/ssh/sshd_config):
Find, uncomment and change the following lines as shown below.
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
Save and close the file. Restart the ssh service using the command:
systemctl restart sshd
On CentOS 6.x systems:
service sshd restart
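The two server-side checks above (permissions on .ssh and the sshd_config directives) can be run as one script. This is an added example, not part of the original tutorial; the function names loose_perms and audit_sshd_config and the sample file are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the tutorial: function names are hypothetical.

# loose_perms PATH...
# Prints every path that is group- or world-writable. With StrictModes (the
# sshd default) a ~/.ssh or authorized_keys like that is ignored by sshd.
loose_perms() {
    find "$@" -prune \( -perm -020 -o -perm -002 \) -print
}

# audit_sshd_config FILE
# Checks the global section of an sshd_config for the directives used above.
# Prints findings; returns 1 if key login would be broken.
audit_sshd_config() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        {
            sub(/^[ \t]+/, "")
            split($0, f, /[ \t=]+/)             # "Key value" or "Key=value"
            key = tolower(f[1]); val = tolower(f[2])
            if (key == "match") exit            # per-user overrides: not covered
            if (key == "authorizedkeyfile") {   # sshd rejects unknown keywords
                print "line " NR ": bad keyword " f[1] ", use AuthorizedKeysFile"
                bad = 1
            }
            if (!(key in first)) first[key] = val   # sshd keeps the first value
        }
        END {
            if (first["pubkeyauthentication"] == "no") {
                print "PubkeyAuthentication is set to no"
                bad = 1
            }
            if (first["challengeresponseauthentication"] != "no")
                print "note: ChallengeResponseAuthentication is not set to no"
            exit bad
        }
    ' "$1"
}

# Constructed sample: the three directives with the keyword misspelled.
sample=$(mktemp)
printf '%s\n' 'PubkeyAuthentication yes' \
    'AuthorizedKeyFile .ssh/authorized_keys' \
    'ChallengeResponseAuthentication no' > "$sample"
audit_sshd_config "$sample" || echo "fix sshd_config before restarting sshd"
rm -f "$sample"
```

On the server itself, `sshd -t` is the authoritative syntax check and is worth running before the restart.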
Now, head back to the local system and try logging into the remote machine, with command:
Sometimes you might end up with the following error while connecting to the remote systems over ssh.
Agent admitted failure to sign using the key.
To resolve it, run the ssh-add command in your local system.
Enter the correct passphrase that you have created earlier.
Enter passphrase for /home/sk/.ssh/id_rsa:
Identity added: /home/sk/.ssh/id_rsa (/home/sk/.ssh/id_rsa)
The ssh-add command adds private key identities to the authentication agent.
This method is much simpler than the first method, but not that safe compared to it. In this method, we will not store the password or exchange the keys between local and remote systems. Instead, we are going to use the “password” as part of the command.
In this method, we’ll be using the “sshpass” command to enable non-interactive SSH password authentication.
sshpass is a utility designed for running ssh using the mode referred to as “keyboard-interactive” password authentication, but in non-interactive mode. ssh uses direct TTY access to make sure that the password is indeed issued by an interactive keyboard user. sshpass runs ssh in a dedicated tty, fooling it into thinking it is getting the password from an interactive user.
To install sshpass in DEB based systems, like Ubuntu, run:
sudo apt-get install sshpass
In RPM based systems, like CentOS, run:
yum install sshpass
Now, let us connect to the remote system using ‘sshpass’ command:
sshpass -p '<password-of-the-remote-system>' ssh username@<IP-address-of-the-remote-system>
sshpass -p '[email protected]' ssh sk@192.168.1.150
Now, you can access the remote system’s shell.
- [email protected] is the password of my remote system (CentOS 7).
- 192.168.1.150 is the remote system’s IP address.
Also, you can export the password to an environment variable and ssh to your system without having to use the password as part of your command.
To do that, first export the password to the SSHPASS environment variable.
export SSHPASS='[email protected]'
Now, ssh to your remote system using the sshpass command with the “-e” parameter.
sshpass -e ssh [email protected]
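Both variants leave the password somewhere it can be read: with -p it sits in the script or shell history and in the process command line, and an exported SSHPASS is inherited by every child process. The audit script below is an added example, not part of the original tutorial; it scans files for either pattern, and the function name scan_sshpass and the sample lines are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the tutorial: scan_sshpass is a hypothetical name.

# scan_sshpass FILE...
# Reports where scripts or history files hand a password to sshpass with -p
# or through SSHPASS. Prints "file:line: finding", never the password itself.
scan_sshpass() {
    awk '
        function kind(arg) {
            # A leading $ (bare or double-quoted) is expanded at run time, so
            # the secret is not stored in this file.
            return (arg ~ /^"?\$/) ? "taken from a variable" : "stored as a literal"
        }
        /^[ \t]*#/ { next }                        # skip comment lines
        { line = " " $0 }                          # lets one pattern cover line start
        match(line, /[^A-Za-z0-9_]sshpass([ \t]+-[A-Za-z]+)*[ \t]+-p[ \t]*/) {
            printf "%s:%d: sshpass -p, password %s\n", FILENAME, FNR,
                   kind(substr(line, RSTART + RLENGTH))
        }
        match(line, /[ \t;]SSHPASS=/) {
            printf "%s:%d: SSHPASS set, password %s\n", FILENAME, FNR,
                   kind(substr(line, RSTART + RLENGTH))
        }
    ' "$@"
}

# Constructed sample script (the password is made up).
demo=$(mktemp)
cat > "$demo" <<'EOF'
#!/bin/sh
sshpass -p 'Constructed-Pa55' ssh sk@192.168.1.150 uptime
export SSHPASS="$BACKUP_PW"
sshpass -e ssh -p 2222 sk@192.168.1.150 uptime
EOF
scan_sshpass "$demo"
rm -f "$demo"
```

The third sample line is not reported because its -p belongs to ssh (the port), not to sshpass.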
To sum it up, both methods have pros and cons. Mostly, we can use password-less SSH logins in scripts and automated tasks, like rsync. Both methods are easy to configure and use. Go ahead and give it a try.