Today we will learn one fabulous thing about SSH and the way it can connect to remote servers. For years a lot of people used passwords to connect to their Unix/Linux servers; today we all know that is insecure and that a far more secure method is to connect to SSH servers using public keys. Before I start explaining how to connect to an SSH server using public keys, let’s clarify a few concepts.
What is SSH?
SSH is a secure protocol originally designed for secure data communication between hosts, remote command-line login and command execution. It’s the best way to securely connect to your Linux servers. The OpenSSH server uses two authentication methods: password authentication, which is the default, and public key authentication, which is the alternative and more secure way to connect to a Unix/Linux server.
What are public keys?
SSH keys allow password-less authentication between two different hosts. For this, SSH authentication uses a pair of keys: one private key and one public key.
The OpenSSH client and server must be installed on both sides (machine A, the client, is the one that connects to machine B, the server). If you don’t have the OpenSSH software installed, you can install it this way:
yum install openssh-server
apt-get install openssh-server
sudo apt-get install openssh-client
sudo apt-get install openssh-server
I will assume machine A (the client) has IP 220.127.116.11 and the OpenSSH server B has IP 18.104.22.168 assigned.
How can I setup public key authentication?
You must generate the SSH keys. Let’s begin on the OpenSSH client, using the ssh-keygen command:
You’ll be prompted to enter a secure passphrase for your private key; hit ENTER and don’t set up that passphrase yet. It is recommended to use one, however in this case we will skip that step. The output should look as you see below:
[testuser@vaio ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/testuser/.ssh/id_rsa):
Created directory '/home/testuser/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/testuser/.ssh/id_rsa.
Your public key has been saved in /home/testuser/.ssh/id_rsa.pub.
The key fingerprint is:
98:8b:14:34:68:fd:49:69:de:34:51:94:39:fc:cc:b2 firstname.lastname@example.org
The key's randomart image is:
+--[ RSA 2048]----+
|    oo ..=oo     |
|   o...+ o =     |
|  . .= + . =     |
|   .+o. . +      |
|  . o S o        |
|   . . . E       |
|    . .          |
|                 |
|                 |
+-----------------+
This will generate two main files:
$HOME/.ssh/id_rsa - contains your machine’s (the client’s) private key.
$HOME/.ssh/id_rsa.pub - contains your public key.
As you saw, in this example we used the default RSA encryption instead of DSA. If you want to generate a DSA key instead, you can specify it using the ‘-t dsa’ option:
ssh-keygen -t dsa
You can read these links to decide which one is best for your needs:
Copy the key to the remote OpenSSH server
On the OpenSSH server machine, create the .ssh directory and set the proper permissions:
mkdir -p $HOME/.ssh && chmod 0700 $HOME/.ssh
Then use rsync or scp to transfer the file to the remote location.
On the OpenSSH client, run:
scp -P 22 $HOME/.ssh/id_rsa.pub email@example.com:/home/user/.ssh/authorized_keys
Important: 22 is the default port, but you can replace it with a custom SSH port if you have set one on the remote OpenSSH server. “user” is the remote OpenSSH server user, “22.214.171.124” is the remote OpenSSH server, and “/home/user/.ssh/” is the remote .ssh directory you created before. Replace these values with your real user name, IP and path.
Another way to copy your public key is the following:
On the OpenSSH client, run the cat command:
cat $HOME/.ssh/id_rsa.pub
Copy the text you see, from the first character to the last one. Now move to the remote OpenSSH server and create a new file:
nano -w $HOME/.ssh/authorized_keys
Paste the content you previously copied from the id_rsa.pub file, then press CTRL + X and then Y.
Note: this alternative way will only work if you copy and paste the exact characters, from the beginning of the first line to the last character. If you copy extra spaces or add other characters, it may not work.
That’s all; now you should be able to log in via SSH without passwords.
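The scp command above replaces whatever authorized_keys the server already has, and the paste method breaks on stray characters. The following shell function, an added example that is not from the original post, does the server-side step safely: it checks that the file holds one well-formed OpenSSH public key line, creates ~/.ssh with 0700, appends the key only if it is not already present, and sets authorized_keys to 0600. The function names are our own; run it on the server after copying id_rsa.pub there.

```shell
#!/bin/sh
# install_authorized_key <pubkey_file> [ssh_dir]
# Appends a public key to authorized_keys instead of overwriting the file,
# skipping duplicates and rejecting malformed key lines. Defaults to ~/.ssh.
install_authorized_key() {
    pubkey_file="$1"
    ssh_dir="${2:-$HOME/.ssh}"
    auth_file="$ssh_dir/authorized_keys"

    # An OpenSSH public key line is: <type> <base64 blob> [comment].
    # Keep only the first line and strip trailing whitespace, which is what
    # a sloppy copy/paste usually adds.
    key_line=$(head -n 1 "$pubkey_file" | sed 's/[[:space:]]*$//')
    if ! printf '%s\n' "$key_line" | grep -Eq \
        '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'; then
        echo "rejected: $pubkey_file does not contain a well-formed key line" >&2
        return 1
    fi

    # Same as the post's mkdir -p / chmod 0700 step, safe to repeat.
    mkdir -p "$ssh_dir" && chmod 0700 "$ssh_dir"
    touch "$auth_file" && chmod 0600 "$auth_file"

    # Append only if this exact key is not already authorized.
    if grep -qxF "$key_line" "$auth_file"; then
        echo "already present, nothing to do" >&2
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# count_authorized_keys [ssh_dir]: number of key lines currently authorized,
# a quick check after the install step.
count_authorized_keys() {
    auth_file="${1:-$HOME/.ssh}/authorized_keys"
    [ -f "$auth_file" ] || { echo 0; return 0; }
    grep -c '^[a-z]' "$auth_file" || true
}
```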
Testing SSH without passwords
Simply log in to the server using ssh.
Replace user and 126.96.36.199 with the real user and remote IP. That should result in a password-less SSH login, for example:
[testuser@vaio ~]$ ssh firstname.lastname@example.org
Last login: Fri Jan 9 15:29:59 2015 from 200.XX.XX.XX
ALERT! You are entering a secured area! Your IP and login information have been recorded. System administration has been notified.
This system is restricted to authorized access only. All activities on this system are recorded and logged. Unauthorized access will be fully investigated and reported to the appropriate law enforcement agencies.
[email@example.com ~]$
Now you should be able to transfer files without passwords too, for example using scp and rsync:
[testuser@vaio ~]$ scp -P 22 $HOME/file.txt firstname.lastname@example.org:/home/remoteuser/
file.txt                                      100%  387     0.4KB/s   00:00
[testuser@vaio ~]$
[testuser@vaio ~]$ rsync -avpr -e 'ssh -p 22' $HOME/file.txt email@example.com:/home/remoteuser/
sending incremental file list
file2.txt

sent 495 bytes  received 34 bytes  96.18 bytes/sec
total size is 387  speedup is 0.73
[testuser@vaio ~]$