SSH login without password - how to use keys


Last updated on April 22nd, 2021

To log in via SSH without a password, you can use a pair of encryption keys. Some people use this method out of laziness, so as not to enter the password every time, others for security reasons. I often see this method in scripts, where it avoids putting the password explicitly in the file.

Generating keys

To log in via SSH with a pair of keys, you must first generate them. Keys can be generated in various ways: with dedicated tools such as PuTTYgen (https://www.ssh.com/ssh/putty/windows/puttygen), online via a website, or in the Linux console. I will show the last method for generating ssh keys in the Linux console because I use it the most.

The ssh keys can be generated with one line:

ssh-keygen -t rsa -b 4096 -f .ssh/server1_key -C "user1_server1"

Parameters:

  • -t key type, i.e. the algorithm (RSA recommended),
  • -b key size in bits,
  • -f path along with the filename (it’s worth using so as not to overwrite keys with the default name if you already have some),
  • -C comment – will be visible in the keys on the server to make it easier to identify who a key belongs to.

After running the command, we will be asked to enter a passphrase. If we want to log in without a password, leave the passphrase blank. The passphrase is a password that encrypts our private key. It provides greater security, but you will have to enter it when connecting to the server. We can get around this a bit: if we start an agent with eval "$(ssh-agent)" and load the key with ssh-add, we give the key passphrase only once during the session, then we connect without it.

The keys are generated and saved in the indicated place. If you did not enter a path, only the filename, the keys will be in the user’s .ssh directory.

$ ssh-keygen -t rsa -b 4096 -f .ssh/server1_key -C "user1_server1"
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in .ssh/server1_key.
Your public key has been saved in .ssh/server1_key.pub.
The key fingerprint is:
SHA256:rRSBOCGPwNEGSpJniRdoxCGO9bpNNpvVxYDhGz1FQbw user1_server1
The key's randomart image is:
+---[RSA 4096]----+
|BXOo.o.+o+=.     |
|@*=Bo.o. =.      |
|+=o o.o + o.     |
|   .   + =E      |
|  . + o S .      |
|   = = . .       |
|  . +   .        |
|                 |
|                 |
+----[SHA256]-----+

You have 2 files generated in the indicated location. In my case it is the .ssh directory and the files ‘server1_key’ and ‘server1_key.pub’.

Private key

The file without an extension, in my case server1_key, is the private key. When you open the file, the first and last lines tell you so:

-----BEGIN RSA PRIVATE KEY-----
.
.
.
-----END RSA PRIVATE KEY-----

You keep this file on your computer, or on the machine from which the connection is made, and you do not share it with anyone. If you chose to protect the key with a passphrase, the file looks like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,D6A043A96361C3403078010BDB08DD55
.
.
.

Public key

The file with the .pub extension is the public key. If you open it, it should start with ssh-rsa and end with the comment you entered. In my case it looks like this:

ssh-rsa ... user1_server1

You send this key to the server you intend to connect to. We can do it by specifying the key file, the login and the server address (user@remote_host is a placeholder):

ssh-copy-id -i ~/.ssh/server1_key.pub user@remote_host

Another way is to execute the command in which we indicate our public key and enter the login and address of the target server:

cat ~/.ssh/server1_key.pub | ssh user@remote_host "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys"

You can also do it manually: in the user’s home directory on the server we create a .ssh directory with 700 permissions, and in it a file called authorized_keys with 600 permissions and the content of our public key:

mkdir -p .ssh
chmod 700 .ssh
touch .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
echo "HERE_INSERT_PUBLIC_KEY" >> .ssh/authorized_keys

The >> sign means that the key is appended to the file. We add further keys in the same way and they are placed one under the other.

If SSH is not installed on the server or container, install it and start the service, for example:

apt update && apt install ssh -y; service ssh start;

SSH daemon

This is a service that supports SSH connections. The configuration file is located in /etc/ssh/sshd_config. If you have problems logging in, or you want to change something in the configuration, just edit this file with nano, vi or whatever you like, for example:

vim /etc/ssh/sshd_config

The most important options that can be added or changed in the configuration are:

PermitRootLogin yes

# Defaults to yes. Controls root login on the server. It is safer if root cannot log in. If we change the value from yes to no, we forbid root login.

Port 22

# Specifies the port on which the service listens, i.e. the port you connect to. Default is 22.

ListenAddress

# The list of addresses from which you can connect, 0.0.0.0 means that you can connect from any IP.

PubkeyAuthentication yes

# Specifies whether the possibility of authentication by the public key should be enabled. Defaults to yes.

PasswordAuthentication yes

# Specifies whether to enable password-based authentication. Defaults to yes.
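
An added example (not from the original article) that reads an sshd_config and reports the effective value of the options listed above, flagging settings that leave root or password login open once key login works. The function names effective and audit_sshd are hypothetical; the parser ignores Include directives and stops at the first Match block.

```sh
#!/bin/sh
# Added example. sshd uses the FIRST value it reads for a keyword, keywords
# are case-insensitive, and Match blocks are conditional, so parsing stops
# at the first Match line.
effective() {   # effective KEYWORD FILE -> prints the value, or nothing if unset
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        { line = $0; sub(/^[ \t]+/, "", line)
          n = split(line, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == want && n >= 2 { print f[2]; exit }
    ' "$2"
}

audit_sshd() {  # audit_sshd FILE -> one line per finding; returns 1 if any
    cfg=$1; found=0
    # Fallbacks are the defaults this article states (an assumption here;
    # the defaults of your OpenSSH version are in man sshd_config).
    root=$(effective PermitRootLogin "$cfg");        root=${root:-yes}
    pass=$(effective PasswordAuthentication "$cfg"); pass=${pass:-yes}
    pub=$(effective PubkeyAuthentication "$cfg");    pub=${pub:-yes}

    if [ "$pub" != yes ]; then
        echo "PubkeyAuthentication $pub: key login is disabled"
        found=1
    fi
    if [ "$root" = yes ]; then
        echo "PermitRootLogin yes: root can log in directly"
        found=1
    fi
    if [ "$pass" = yes ]; then
        echo "PasswordAuthentication yes: passwords are still accepted"
        found=1
    fi
    [ "$found" -eq 0 ]
}
```

Run it as audit_sshd /etc/ssh/sshd_config. After editing the file, sshd -t checks it for syntax errors before you restart the service.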

More parameters can be found in the documentation https://www.ssh.com/ssh/sshd_config/. When we introduce changes to the file, the service must be restarted. Depending on the system it will be one of the commands:

######## RESTART SSH #########

#Debian / Ubuntu Linux:
sudo systemctl restart ssh

#CentOS / RHEL / Fedora / Redhat Linux:
sudo systemctl restart sshd

#FreeBSD Unix:
/etc/rc.d/sshd restart
#or:
service sshd restart

#more info can be found in the documentation:
man ssh
man sshd

SSH connection

Now that everything is set up we can finally connect on Linux. We can do it like this:

ssh user@remote_host

#we can also indicate which key to use
ssh -i /mnt/test1.pem user@remote_host

We execute commands on a remote server using:

ssh user@remote_host "/bin/ls -l"

#we can also indicate which key to use
ssh -i /mnt/test1.pem user@remote_host "/bin/ls -l"

This way you can easily upload a file to the server, or download one from it:

#upload
scp local_file user@remote_host:/file_path/remote_file

#download
scp user@remote_host:/file_path/remote_file local_file

Lost your public key?

Finally, a little tip. If you have lost your public key, don’t panic, you can easily recreate it from your private key.

If, for example, an admin wants to add your public key to the server, and you don’t know what you’ve done with it, you can easily recreate it. Go to the directory where you keep your private key (usually the .ssh directory in your user profile, ~/.ssh/) and use the command below. Enter the name of the private key, for example id_rsa.key, and the name under which the public key is to be recreated, for example public_id_rsa.pub.

ssh-keygen -y -f id_rsa.key > public_id_rsa.pub

If you liked the article, be sure to check out other articles on the lepczynski.it blog.

There is also another ssh article on the blog, showing you how to quickly connect to a server by changing your .ssh/config file.
