Server with SSH access and password - enable authentication without using password
I have recently paid for a server in German hosting company Hetzner, they provided me with login information: my public IP address, username: root and password: pre-generated password. It is a standard procedure, now how to make this work without using password, using just a .pem file?
First step is to generate Key Pair and PEM file.
Next step is to upload certificate to your remote server in command line using SSH, first time with password.
Last step, testing connection client to server without using a password.
1) How to generate a Key Pair for authentication without password
$ ssh-keygen -t rsa -b 2048 -v
Enter this command to generate 2,048 bit RSA key using verbose (questions asked during) mode, and a public .pem X.509 certificate.
Generating public/private rsa key pair.
Enter file in which to save the key (/home/anonymouse/.ssh/id_rsa): hetzner
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in hetzner.
Your public key has been saved in hetzner.pub.
The key fingerprint is:
bb:c6:9c:ee:6b:c0:67:58:b2:bb:4b:44:72:d3:cc:a5 localhost@localhost
The key's randomart image is:
You will be asked for a file name, I inserted a name of the hosting provider hetzner, it will generate a hetzner.pub file and the hetzner file without file extension, rename it to hetzner.pem, files are created in the current directory you have open in terminal window. You will be asked to enter passphrase, it is for securing the certificate on your local machine, I ignored this option by pressing enter, as it is voluntary option and I feel confident about my local computer security.
2) Uploading the generated certificate from client computer to server
This is done so server can recognize client, the both have access to these certificates and compare them. To upload certificate on the server, we need to establish a secure connection and this time, if everything goes well, it may be the last time using the password.
$ ssh-copy-id -i ~/hetzner.pub root@12.34.56.78
root@12.34.56.78's password:
Now try logging into the machine, with "ssh 'root@12.34.56.78'", and check in: ~/.ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting, you may still want to use a password.
So to check, id you have successfully uploaded your key to the server, login to the server:
$ sudo nano ~/.ssh/authorized_keys or $ sudo cat ~/.ssh/authorized_keys, you should see a file with a one or more lines of random characters, these are the uploaded or generated keys known to this machine.
Mine ~/.ssh/authorized_keys looks like this, i cut off few hundred of characters from right of both lines:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAX ...
ssh-rsa AQCqFd4B798zz9Lu+a3jGjhVXBRx ...
Each line is a ssh-rsa key, you may want to check that you accidentally did not upload anything unwanted, but first of all, one of the lines should contain the exactly same content, as the hetzner.pub (your .pub file, that was uploaded), you may open .pub file in any text editor on you local machine to make sure,
3) Test the connection
$ sudo ssh -i ~/hetzner.pem root@12.34.56.78
Should connect you without using a password, notice, that I am not using .pub but .pem now, that is a file hetzner, that we have renamed in step 1 to hetzner.pem. You may have to confirm the Key Pair with "yes" on the first login. Both files were generated in step 1 using $ ssh-keygen -t rsa -b 2048 -v command, but one is generated bwithout suffix.
On client side
If you do not wish to supply the key path every time on client computer when connecting to remote server, one must tell OpenSSH where to look for private key, by default it looks in ~/.ssh/id_rsa and other folders, use ssh with -v parameter, verbose mode will print what it does step by step on screen. Usually this file should contain something like
-----BEGIN RSA PRIVATE KEY-----
fjksdfjsdlfjksdlfjlsdjfsdl0GrdNS326iv4CcJHASJ2EMpXnIaUpBtc5U2SY14yq8/4gfRLHLdbwzzx/O
PEjlPv1BX4OJlxSWtKPaQsb5QsgwJseoNmBl1djTSY3haZS9P89MsNKiqlv1XtwbcMYOQRVydFdn
.....
.....
......
NHfo3MomYtSoawyBFfsdfsdfasdfasdfasdfasJKJFLSJLDJKSJDVXG58e2Vn7vmY4DYHDDkBd3Y=
-----END RSA PRIVATE KEY-----
You may have this file with .pem suffix. Pem is your private key, unlike .pub - the public key, private key stays always only on you computer, newer give up your private key. Content of ~/.ssh/id_rsa can be replaced with .pem file, it works fine, no conversion is needed.
Two or more private keys
If you have more servers and you wish to connect using multiple private keys, create ~/.ssh/config file, that contain following lines:
Host server1 server1.company.com
Hostname 12.34.56.78
User ubuntu
IdentityFile /media/11361B1123123634/server1.pem
Host server2 server2.company.com
Hostname server2.company.com
User root
IdentityFile /media/11361B1123123634/server2.pem
Host myPC myPC.local
Hostname 192.168.0.106
User mike
IdentityFile /home/mike/.ssh/id_rsa
This file is recognized by ssh by default, it must be named config full path: ~/.ssh/config and if you wish to use sudo (for example later in cron with rsync), this file must be also accessible as /root/.ssh/config. In above file /media/11361B1123123634/ is my encrypted USB drive, so the upper two connections works only if the drive is mounted. In Host, first name is short name that can be used with ssh command, for example:
$ ssh server1
This should now connect you to server1.company.com without typing a password, this way also rsync and other command that use ssh may be used to work with other servers without supplying typed or visible passwords every time they communicate.
Troubleshooting
Agent admitted failure to sign using the key
If you do some changes in permissions, change file location, you may need to run this on the client machine to get rid of the Agent admitted failure to sign using the key. error message.
# eval "$(ssh-agent)"
# ssh-add
Permissions on clients ~/.ssh should be dr-xr-x---
# chmod 550 .ssh
Troubles with key path, rsync prompting for password when should not
If using rsync with sudo, it looks for key file in /root/.ssh/config not in /home/user/.ssh/config, so be sure to copy or link this file to correct location, otherwise ssh and scp will be working fine while rsync will prompt for password.
I have recently paid for a server in German hosting company Hetzner, they provided me with login information: my public IP address, username: root and password: pre-generated password. It is a standard procedure, now how to make this work without using password, using just a .pem file?
First step is to generate Key Pair and PEM file.
Next step is to upload certificate to your remote server in command line using SSH, first time with password.
Last step, testing connection client to server without using a password.
1) How to generate a Key Pair for authentication without password
$ ssh-keygen -t rsa -b 2048 -v
Enter this command to generate 2,048 bit RSA key using verbose (questions asked during) mode, and a public .pem X.509 certificate.
Generating public/private rsa key pair.
Enter file in which to save the key (/home/anonymouse/.ssh/id_rsa): hetzner
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in hetzner.
Your public key has been saved in hetzner.pub.
The key fingerprint is:
bb:c6:9c:ee:6b:c0:67:58:b2:bb:4b:44:72:d3:cc:a5 localhost@localhost
The key's randomart image is:
You will be asked for a file name, I inserted a name of the hosting provider hetzner, it will generate a hetzner.pub file and the hetzner file without file extension, rename it to hetzner.pem, files are created in the current directory you have open in terminal window. You will be asked to enter passphrase, it is for securing the certificate on your local machine, I ignored this option by pressing enter, as it is voluntary option and I feel confident about my local computer security.
2) Uploading the generated certificate from client computer to server
This is done so server can recognize client, the both have access to these certificates and compare them. To upload certificate on the server, we need to establish a secure connection and this time, if everything goes well, it may be the last time using the password.
$ ssh-copy-id -i ~/hetzner.pub root@12.34.56.78
root@12.34.56.78's password:
Now try logging into the machine, with "ssh 'root@12.34.56.78'", and check in: ~/.ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting, you may still want to use a password.
So to check, id you have successfully uploaded your key to the server, login to the server:
$ sudo nano ~/.ssh/authorized_keys or $ sudo cat ~/.ssh/authorized_keys, you should see a file with a one or more lines of random characters, these are the uploaded or generated keys known to this machine.
Mine ~/.ssh/authorized_keys looks like this, i cut off few hundred of characters from right of both lines:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAX ...
ssh-rsa AQCqFd4B798zz9Lu+a3jGjhVXBRx ...
Each line is a ssh-rsa key, you may want to check that you accidentally did not upload anything unwanted, but first of all, one of the lines should contain the exactly same content, as the hetzner.pub (your .pub file, that was uploaded), you may open .pub file in any text editor on you local machine to make sure,
3) Test the connection
$ sudo ssh -i ~/hetzner.pem root@12.34.56.78
Should connect you without using a password, notice, that I am not using .pub but .pem now, that is a file hetzner, that we have renamed in step 1 to hetzner.pem. You may have to confirm the Key Pair with "yes" on the first login. Both files were generated in step 1 using $ ssh-keygen -t rsa -b 2048 -v command, but one is generated bwithout suffix.
On client side
If you do not wish to supply the key path every time on client computer when connecting to remote server, one must tell OpenSSH where to look for private key, by default it looks in ~/.ssh/id_rsa and other folders, use ssh with -v parameter, verbose mode will print what it does step by step on screen. Usually this file should contain something like
-----BEGIN RSA PRIVATE KEY-----
fjksdfjsdlfjksdlfjlsdjfsdl0GrdNS326iv4CcJHASJ2EMpXnIaUpBtc5U2SY14yq8/4gfRLHLdbwzzx/O
PEjlPv1BX4OJlxSWtKPaQsb5QsgwJseoNmBl1djTSY3haZS9P89MsNKiqlv1XtwbcMYOQRVydFdn
.....
.....
......
NHfo3MomYtSoawyBFfsdfsdfasdfasdfasdfasJKJFLSJLDJKSJDVXG58e2Vn7vmY4DYHDDkBd3Y=
-----END RSA PRIVATE KEY-----
You may have this file with .pem suffix. Pem is your private key, unlike .pub - the public key, private key stays always only on you computer, newer give up your private key. Content of ~/.ssh/id_rsa can be replaced with .pem file, it works fine, no conversion is needed.
Two or more private keys
If you have more servers and you wish to connect using multiple private keys, create ~/.ssh/config file, that contain following lines:
Host server1 server1.company.com
Hostname 12.34.56.78
User ubuntu
IdentityFile /media/11361B1123123634/server1.pem
Host server2 server2.company.com
Hostname server2.company.com
User root
IdentityFile /media/11361B1123123634/server2.pem
Host myPC myPC.local
Hostname 192.168.0.106
User mike
IdentityFile /home/mike/.ssh/id_rsa
This file is recognized by ssh by default, it must be named config full path: ~/.ssh/config and if you wish to use sudo (for example later in cron with rsync), this file must be also accessible as /root/.ssh/config. In above file /media/11361B1123123634/ is my encrypted USB drive, so the upper two connections works only if the drive is mounted. In Host, first name is short name that can be used with ssh command, for example:
$ ssh server1
This should now connect you to server1.company.com without typing a password, this way also rsync and other command that use ssh may be used to work with other servers without supplying typed or visible passwords every time they communicate.
Troubleshooting
Agent admitted failure to sign using the key
If you do some changes in permissions, change file location, you may need to run this on the client machine to get rid of the Agent admitted failure to sign using the key. error message.
# eval "$(ssh-agent)"
# ssh-add
Permissions on clients ~/.ssh should be dr-xr-x---
# chmod 550 .ssh
Troubles with key path, rsync prompting for password when should not
If using rsync with sudo, it looks for key file in /root/.ssh/config not in /home/user/.ssh/config, so be sure to copy or link this file to correct location, otherwise ssh and scp will be working fine while rsync will prompt for password.
Secure Shell (SSH) is a cryptographic network protocol used for secure connection between a client and a server and supports various authentication mechanisms. The two most popular mechanisms are passwords based authentication and public key based authentication.
In this tutorial, we will show you how to setup an SSH key-based authentication as well how to connect to your Linux server without entering a password.
Setup SSH Passwordless Login
To set up a passwordless SSH login in Linux all you need to do is to generate a public authentication key and append it to the remote hosts
~/.ssh/authorized_keys file.
The following steps will describe the process for configuring passwordless SSH login:
- Check for existing SSH key pair.Before generating a new SSH key pair first check if you already have an SSH key on your client machine because you don’t want to overwrite your existing keys.Run the following ls command to see if existing SSH keys are present:
ls -al ~/.ssh/id_*.pubIf there are existing keys, you can either use those and skip the next step or backup up the old keys and generate a new one.If you seeNo such file or directoryorno matches foundit means that you do not have an SSH key and you can proceed with the next step and generate a new one. - Generate a new SSH key pair.The following command will generate a new 4096 bits SSH key pair with your email address as a comment:
ssh-keygen -t rsa -b 4096 -C "your_email@domain.com"PressEnterto accept the default file location and file name:Enter file in which to save the key (/home/yourusername/.ssh/id_rsa):Next, thessh-keygentool will ask you to type a secure passphrase. Whether you want to use passphrase it’s up to you, if you choose to use passphrase you will get an extra layer of security. In most cases, developers and system administrators use SSH without a passphrase because they are useful for fully automated processes. If you don’t want to use passphrase just pressEnterEnter passphrase (empty for no passphrase):The whole interaction looks like this:To be sure that the SSH keys are generated you can list your new private and public keys with:ls ~/.ssh/id_*/home/yourusername/.ssh/id_rsa /home/yourusername/.ssh/id_rsa.pub - Copy the public keyNow that you have generated an SSH key pair, in order to be able to login to your server without a password you need to copy the public key to the server you want to manage.The easiest way to copy your public key to your server is to use a command called
ssh-copy-id. On your local machine terminal type:ssh-copy-id remote_username@server_ip_addressYou will be prompted to enter theremote_usernamepassword:remote_username@server_ip_address's password:Once the user is authenticated, the public key will be appended to the remote userauthorized_keysfile and connection will be closed.If by some reason thessh-copy-idutility is not available on your local computer you can use the following command to copy the public key:cat ~/.ssh/id_rsa.pub | ssh remote_username@server_ip_address "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys" - Login to your server using SSH keysAfter completing the steps above you should be able log in to the remote server without being prompted for a password.To test it just try to login to your server via SSH:
ssh remote_username@server_ip_addressIf everything went well, you will be logged in immediately.
Disabling SSH Password Authentication
To add an extra layer of security to your server you can disable the password authentication for SSH.
Before disabling the SSH password authentication make sure you can log in to your server without a password and the user you are logging in with has sudo privileges.
The following tutorials describe how to configure sudo access:
- How to create sudo user on Ubuntu
- How to create sudo user on CentOS
- How to create sudo user on Debian
- Log into your remote server with SSH keys, either as a user with sudo privileges or root:
ssh sudo_user@server_ip_address - Open the SSH configuration file
/etc/ssh/sshd_config, search for the following directives and modify as it follows:/etc/ssh/sshd_configPasswordAuthentication no ChallengeResponseAuthentication no UsePAM noOnce you are done save the file and restart the SSH service.On Ubuntu or Debian servers, run the following command:sudo systemctl restart sshOn CentOS or Fedora servers, run the following command:sudo systemctl restart sshd
No comments:
Post a Comment