Something that I'd like to share with you!

Friday, August 27, 2021

Passwordless SSH login under Linux using RSA public-private key pairs


Sometimes we want passwordless SSH access, for example for automation scripts that run without user intervention.

In order to do this, the remote SSH server needs to be able to identify the SSH client. This is where the “~/.ssh/authorized_keys” file comes into the picture. The idea is to generate an RSA key pair on the client and copy its public key into the “~/.ssh/authorized_keys” file on the remote server. If everything is done correctly, the remote SSH server can then identify the SSH client that holds the matching private key and allow a passwordless SSH connection.


In the example below we use two operating systems for testing: the local client runs CentOS and the remote server runs Ubuntu. A normal SSH login, as shown below, requires the user to enter a password.

[leorick@localhost ~]$ ssh leorick@192.168.100.17
leorick@192.168.100.17's password: 
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.11.0-25-generic x86_64)
...
Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Fri Aug 27 04:49:52 2021 from 192.168.100.223
leorick@ubuntu:~$

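First, generate the key pair (“id_rsa” and “id_rsa.pub”) on the local CentOS client by issuing the “ssh-keygen -t rsa” command. Pressing Enter at the passphrase prompt leaves the private key “id_rsa” unencrypted on disk, so that file must stay on the client and be readable only by its owner.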

[leorick@localhost ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/leorick/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/leorick/.ssh/id_rsa.
Your public key has been saved in /home/leorick/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:+7Ar4vN/uQlYinKVgP/UifRWYqGOaT+sysMST0vZbz0 leorick@localhost.localdomain
The key's randomart image is:
+---[RSA 3072]----+
|        .        |
|   .   o         |
|  . . o o .      |
|   . * * +       |
|   o= * S        |
|. +..B = .       |
| *.oo.B +  .     |
|..=o=.o. =o.     |
| .o=o+E++o+.     |
+----[SHA256]-----+

Next, send the “id_rsa.pub” file (the public key only, never “id_rsa”) to the remote Ubuntu server using any available method. The example below sends the file using SCP.

[leorick@localhost ~]$ scp /home/leorick/.ssh/id_rsa.pub leorick@192.168.100.17:/home/leorick/.ssh/
leorick@192.168.100.17's password: 
id_rsa.pub                                    100%  583     1.0MB/s   00:00    
[leorick@localhost ~]$

On the remote Ubuntu server, append the content of the “id_rsa.pub” file to the “~/.ssh/authorized_keys” file in the home directory of the user that you are going to log in as. Appending with “>>” keeps any keys that are already in the file, whereas “>” would overwrite them.

leorick@ubuntu:~/.ssh$ pwd
/home/leorick/.ssh
leorick@ubuntu:~/.ssh$ cat id_rsa.pub 
ssh-rsa <public key data omitted> leorick@localhost.localdomain
leorick@ubuntu:~/.ssh$ cat id_rsa.pub >> authorized_keys

Login can now be done without a password.

[leorick@localhost ~]$ ssh leorick@192.168.100.17
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.11.0-25-generic x86_64)
...
Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Fri Aug 27 04:50:57 2021 from 192.168.100.223
leorick@ubuntu:~$
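
The server-side step above, written as an added example (not the author's own code): a hypothetical install_pubkey function that accepts only a single-line public key, appends it only if it is not already present, and sets the owner-only permissions that sshd's StrictModes check expects. The key strings in the demo are constructed samples, not real keys.

```shell
#!/bin/sh
# Added example: install_pubkey and its arguments are hypothetical names.
install_pubkey() {
    pubkey_file=$1             # e.g. the id_rsa.pub copied over with scp
    ssh_dir=${2:-$HOME/.ssh}   # assumption: defaults to the user's ~/.ssh
    auth_file=$ssh_dir/authorized_keys

    # Accept only a single-line OpenSSH public key; a private key file
    # (multi-line, starts with "-----BEGIN") is refused.
    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }
    [ $(wc -l < "$pubkey_file") -le 1 ] || { echo "expected one line" >&2; return 1; }
    key_line=$(head -n 1 "$pubkey_file")
    case $key_line in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key" >&2; return 1 ;;
    esac

    # sshd's StrictModes check (on by default) refuses key login when
    # ~/.ssh or authorized_keys is group- or world-writable: keep both owner-only.
    ( umask 077; mkdir -p "$ssh_dir" && touch "$auth_file" ) || return 1
    chmod 700 "$ssh_dir" && chmod 600 "$auth_file" || return 1

    # Append only when this exact line is absent; existing keys are kept.
    if grep -qxF -- "$key_line" "$auth_file"; then
        echo "key already present"
    else
        printf '%s\n' "$key_line" >> "$auth_file"
        echo "key added"
    fi
}

# Demo in a scratch directory with constructed (not real) key strings.
demo=$(mktemp -d)
mkdir "$demo/.ssh"
echo 'ssh-ed25519 AAAA_CONSTRUCTED_EXISTING other@host' > "$demo/.ssh/authorized_keys"
echo 'ssh-rsa AAAA_CONSTRUCTED_SAMPLE leorick@localhost.localdomain' > "$demo/id_rsa.pub"
install_pubkey "$demo/id_rsa.pub" "$demo/.ssh"   # key added
install_pubkey "$demo/id_rsa.pub" "$demo/.ssh"   # key already present
cat "$demo/.ssh/authorized_keys"                 # both keys, no duplicate
rm -rf "$demo"
```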
