Passwords are becoming vulnerable with the ever-evolving cybersecurity environment.
No more than ever, systems are becoming prone to brute-force attacks.
Users are also making it easy for hackers to infiltrate their systems by securing systems with weak and often guessable passwords.
2 Factor authentication is now commonplace and it provides an extra layer of protection using OTP codes to ensure that it's actually the user logging into the system.
Another way you can secure your server is by setting up passwordless SSH authentication on your server.
Secure Shell (SSH) is a cryptographic network protocol used for secure connection between a client and a server and supports various authentication mechanisms.
This uses public-key SSH authentication where an SSH key pair is generated on the local system.
The key pair is made up of a private and a public SSH key.
The private key remains on the local system whilst the public key is uploaded to the remote system. During authentication, a key exchange occurs between the public key saved on the remote system and the private key on the local system.
Subsequent connections are thus secured and no password will be required.
Here at LinuxAPT, as part of our Server Management Services, we regularly help our Customers secure their Server via SSH Authentication.
In this context, we shall look into how to configure password SSH authentication.
How to configure Passwordless SSH setup Lab ?
It would be prudent to also ensure that you can access the remote system from your local system using SSH password authentication.
Now let's get started with this procedure.
1. Generate SSH key pair
Right off the bat, we will generate an SSH key-pair which will be stored in the home directory. So, invoke the ssh-keygen command as shown. Here, we are creating a 4096-bit key pair.
$ ssh-keygen -b 4096
Accept the defaults by simply pressing ENTER.
You can find the SSH key pair in the ~/.ssh directory which is a hidden directory in your home folder.
Just to be cocksure use the ls command to check the presence of the SSH keys.
$ ls .ssh
The private key is denoted by id_rsa while id_rsa.pub is the public key.
These are cryptographic keys that are encrypted.
We will, later on, copy the public key to the remote system.
2. Copy the SSH key pair to the remote system
Next, you need to copy and save the public key to the remote Linux system.
Why are we doing this?
In public-key authentication, an authentication handshake takes place between the public key on the remote system and the private key residing on the local system.
This ensures that all subsequent traffic between the local host system and the remote system is encrypted.
To copy the SSH public key, run the ssh-copy-id command as follows.
$ ssh-copy-id user@remote-ip
Let's say our Server IP address is 100.200.300.001, then the command would be;
$ ssh-copy-id email@example.com
To continue connecting, type 'Yes' and press ENTER. Thereafter, provide the password to the remote system to log in and copy the SSH public key.
The public SSH key is added to a unique file called authorized_keys in the home directory of the user account you are logging into.
The full path to this file is ~/.ssh/authorized_keys.
After successfully copying the SSH key, you can now log in to the remote system using the public key authentication as follows:
$ ssh firstname.lastname@example.org
This will log you in to the remote system without even being prompted for a password. Awesome!
As mentioned earlier, the public key is saved in the ~/.ssh/authorized_keys path.
3. Disable password authentication (Optional)
If you want to boost the security of your remote system, you might want to consider disabling password authentication.
In doing so, you ensure that you are the only one who can access the system using the private key sitting on your local system.
The key should always be a top secret.
Never share it with anyone lest your system becomes compromised.
i. On the remote host, open access the /etc/sshd_config file a shown.
$ sudo vim /etc/sshd_config
ii. Locate the PasswordAuthentication parameter and set it to no.
iii. Next, ensure that Public Key authentication is enabled.
iv. For the changes to persist, perform a restart of the SSH service as follows:
$ sudo systemctl restart ssh
To demonstrate that password authentication is disabled, we will try and access the server using the Putty SSH client.
Provide the remote system's address and hit 'Open'.
Provide the remote username and hit ENTER.
This time around, you get an authentication since we disabled password authentication.
Troubleshooting Remote Server File Permissions
File permissions on the remote server may cause issues with passwordless SSH login. This is a common issue with older versions of SSH.
If you are still prompted for a password after going through all the steps, start by editing file permissions on the remote server.
1. Set permissions 700 for the .ssh directory.
2. Set permissions 640 for the .ssh/authorized_keys directory.
Edit file permissions with the following command:
ssh [remote_username]@[server_ip_address] "chmod 700 .ssh; chmod 640 .ssh/authorized_keys"
Enter your password when prompted.
There will be no output if the action was successful.
The issue should be resolved now.