SSH Key-Based Authentication & how to SSH *Without a Password.

SSH Key-Based Authentication & how to SSH *Without a Password.
Image credit: Unknown. Please contact us if you are the owner.


So how do you remotely connect to a Linux system?
There are multiple available tools out there for remote logins but when it comes to Linux, SSH is the unicorn choice.
The Secure Shell (SSH) is a protocol that /provides a secure encrypted connection between two hosts over an insecure network.
It's also worth mentioning that SSH is a protocol that is implemented via a number of tools such as SCP, Dropbear, Rsync, etc., but the most widely used tool is the open-source software OpenSSH.

As you would have expected, password logins are secured and simple for new users to grasp. However, automated bots and hackers will always attempt to authenticate accounts that support password-based logins, potentially compromising your security; potentially! As a result, we always advocate using SSH key-based authentication for most deployments.
This article will cover how to generate SSH keys on a client machine and distribute the public key to servers where they will be used.



How Do SSH Keys Work?



Key-based authentication, also called cryptographic authentication, is the process of using cryptographic keys in a challenge-response handshake to prove one’s identity. It consists of 2 pairs of Keys, one is a public key, and another one is a private key.

The private key lives by the client and should be kept absolutely secret. Any compromise of the private key will allow a hacker to log into any servers that are configured with the associated public key without additional authentication. As an extra layer of protection, the key can be encrypted on disk with a passphrase.

The public key, on the other hand, can be shared freely without security concerns; it is designed to be public. Data encrypted with the public key can only be decrypted with the private key, and vice versa for data encrypted with the private key. Asymmetric encryption is another name for public-key encryption.

If you work with a lot of Linux remote servers, SSH Password-less login is one of the best ways to automate operations like automated backup scripting, file synchronization using SCP, and remote command execution.


Creating SSH-Keygen Keys on – local

To create SSH keys, a variety of cryptographic techniques such as RSA, DSA, and ECDSA can be utilized. RSA SSH keys are 2048 bits by default. This is generally considered to be good enough for security, but you can specify a greater number of bits for a more hardened key. Thus we will generate a complex RSA key with a -b 4096 bits (longer key during encryption and authentication) using the ssh-keygen utility.

Generate a new RSA key pair and give it a name of your choice (rabbit-key) on your local computer.
~/.ssh is the default keys' directory within your user's home folder but feel free to choose a non-standard path.

$ ssh-keygen -f ~/.ssh/rabbit-key -t rsa -b 4096

Output

Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): <<< press ENTER to leave this blank!!!
Enter same passphrase again: <<< press ENTER to leave this blank!!!
Your identification has been saved in /home/linux/.ssh/rabbit-key
Your public key has been saved in /home/linux/.ssh/rabbit-key.pub
The key fingerprint is:
SHA256:TqBTJc/e+zLeqEVjjUw2FB0nPdwG3AtB4VMPDmQI/Ak username@hostname
The key's randomart image is:
+---[RSA 4096]----+
|      ..o.o=BO*= |
|       =E...o**.=|
|      o oo+. oooo|
|     o o =o+  .. |
|    o   S B .    |
|     . o o o     |
|        . o      |
|         .o+     |
|        .oooo    |
+----[SHA256]-----+


We've now created a 4096 bits long RSA SSH key pair, which is now stored in the .ssh hidden directory under our home user directory:

  • ~/.ssh/rabbit-key: The private key. DO NOT SHARE THIS FILE!
  • ~/.ssh/rabbit-key.pub The associated public key. This can be shared freely without any risk.

The next step is to place the public key on our remote server so that you can use SSH key authentication to log in.


Manually Copy your Public SSH Key to Remote Server(s)


There are multiple ways to upload your public key to a remote SSH server. The method you use depends largely on the tools you have. The simplest, most automated method is the ssh-copy-id utility; but since we like to do things differently here we will have a manual approach first.

If you do not have password-based SSH access to your server available, here is the solution.

On the remote side make sure ~/.ssh directory and the authorized_keys files exist, if not, create them.

$ mkdir ~/.ssh 

$ cd ~/.ssh

$ touch authorized_keys


Now, you can create or modify the authorized_keys file within .ssh directory.
Remember, rabbit-key.pub and its file content will have to be added to a file and within ~/.ssh/directory on our remote server.


Let's display the content of our rabbit-key.pubkey on our local:

$ cat rabbit-key.pub

Output

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDZhOKFGZuK5N0JNftwmuYucYZKJFdLWn4h
4FqLpLSrcYtRT/kEKpp8tw3c/C7MHlOyvdrzjOPfETKwEIU9Ftdnn2KkhpaDntNZM+1X
/96KEfR3PERx9nIa6RhZiuLADE9KmYWVrnOZ6kjqalzRB2ijrNn7ncyJD9o+re/2o9asRz
kJSiBysTADhZ+crJ0DXZKHI5j5wua3SKZ/Up6c1ezQQETt9GGF8XFmwN2Ab1icnjCdnx0J
HwTridJnvRv5fCRbuwDbRBWNXR1ZhY2sMV1FjCZ8EIAgCVt0bY43PNv2QGcI9lYxjIo
ifDIetUAgUb/z/fCvf0AFvVeoRyQRAv4g2P80Ddo9pUVH07hKy7
nKhOEjb8whLm48eb+Zc//gm2SOnkJLVdVcuOhcLG
zNUf8yBIGTEOph74YSPUUwIP6sQcofZPPlbvjMgAgMECnvTpAffRPJ083S2cC6gnYFK0bQ
sunG0t5ew9/tOIG+fPkb8nz9Cw7H+I3ajLex0Hg2NB6oJcRYaYOuvLihbYXav2Ue/gbFTQ
BnbErbJe2yaqSJxskd18qdaaoA6KlNjp3FbyV1U1PACYyzwdRYNxln5qg+M5g/bbjUCFYD
nd45KVeiac6cvmz63uzw== username@hostname

Copy and paste its content into our remote server.

$ nano rabbit-key.pub

#paste content


Let's now append the contents of your rabbit-key.pub file to the end of the authorized_keys file.

$ cat rabbit-key.pub >> authorized_keys

Scp Copy your Public SSH Key to Remote Server(s)

This approach will copy our Public file to our remote sever over SSH.
Also, make sure .ssh exits; if not create it.

$ mkdir -m 700 ~/.ssh 


Let's scp our rabbit-key.pub file to our server.

Ps: Our SSH server is listening on a non-standard port, we will have to specify the port number when connecting with your client by specifying the port number with the -p flag:

$ scp -P 54321 rabbit-key.pub rabbit@192.168.x.xxx:~/.ssh/

Output

The authenticity of host '[192.168.1.222]:6666 ([192.168.1.222]:6666)' can't be established.
ECDSA key fingerprint is SHA256:BDj6kxtTw06p+lMonkeyKsUphcGAN1vPdL8geY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.x.xxx]:54321' (ECDSA) to the list of known hosts.
Password: 

rabbit-key.pub                                100%  745   643.5KB/s   00:00 


Now that we have the key, let's append the content of that file to a new file called authorized_keys on our remote server.

$ cat rabbit-key.pub >> authorized_keys


Also, make sure your permission is set up correctly. This is very important.
So our SSH directory should be set to 700 and the file within that directory should be set to 600.

$ chmod 700 ~/.ssh/

$ chmd 600 ~/.ssh/*


Authenticating to Remote Server Using SSH Keys

If you correctly followed one of the above methods, you should be able to get into your remote host without providing an account password. Magic!!!

ssh username@remote_host


If it is the first time connecting to a new host, you will see a message that looks like this:

The authenticity of host '192.168.x.xxx (192.168.x.xxx)' can't be established.
ECDSA key fingerprint is rd:rd:d4:t5:34:sd:26:77:e8:22:50:yx:c8:d2:45:t6.
Are you sure you want to continue connecting (yes/no)? yes

Type yes to accept the authenticity of the remote host.
Log out.
Sign back in.
And, you will not be prompted for a password.

This is also worth mentioning that SSH keys not only improve security, but also enable automation of connected processes, single sign-on (SSO), and identity and access management at a large scale.

Keep Us Caffeinated  ⦿ ⦿