How to Create and Use Passwordless Logins on LINUX

If you’re comfortable that you’ve got a strong firewall and password on it, you can preshare keys between all of your raspberries! That way, when you ssh from pi to pi, you don’t have to constantly type your password on each pi. The process is fairly simple. Key based authentication in SSH is called “public key authentication”, compared to “password authentication”.

SETTING UP PUBLIC KEY AUTHENTICATION

The process is as follows:

  1. GENERATE AN SSH KEY – With OpenSSH, an SSH key is created using ssh-keygen. In the simplest form, just run ssh-keygen and answer the questions.
  2. COPY THE KEY TO A SERVER – Once an SSH key has been created, the ssh-copy-id command can be used to install it as an authorized key on the server. Once the key has been authorized for SSH, it grants access to the server without a password.

Here’s an example:

login as: pi
pi@webs1's password:
pi@webs1:~ $ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/pi/.ssh/id_rsa): [enter]
Created directory '/home/pi/.ssh'.
Enter passphrase (empty for no passphrase): [enter]
Enter same passphrase again: [enter]
Your identification has been saved in /home/pi/.ssh/id_rsa.
Your public key has been saved in /home/pi/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:UMzEag52eIwlFF9kCkNQ6BL1xRkl9jE8zf1IPfgemyQ pi@webs1
The key's randomart image is:
+---[RSA 2048]----+
| .oBo=@Xo . o    |
|. …+Boo + o      | 
| o .+… .  + .    |
|. . = *.  E =    |
| . . *  S + +    |
|           . +   |
|                 |
|                 |
|                 |
+----[SHA256]-----+
pi@webs1:~ $ ssh-copy-id pi@webs2
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/pi/.ssh/id_rsa.pub"
The authenticity of host 'webs2 (10.0.0.204)' can't be established.
ECDSA key fingerprint is SHA256:4BOv0si6zdSHtgQjF2OdW0TH8lNOS8qQYCG/N/sSqJ8.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompt ed now it is to install the new keys
pi@webs2's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'pi@webs2'"
and check to make sure that only the key(s) you wanted were added.
pi@webs1:~ $ ssh pi@webs2
Last login: Fri Apr 3 20:28:34 2020 from 10.0.0.6
pi@webs2:~ $

Works great – when it works… A lot can go wrong.

ssh-copy-id doesn’t always work. Sometimes you have to do this by hand. If you do, your biggest stumbling block will probably be permissions. [So, what else is new?]

You’ve already generated the key. Look in your home directory in the .ssh directory. That “.” prefixing the directory name means it’s a hidden directory.

root@webs1:~# ls
root@webs1:~# ls -a
. .. .bash_history .bashrc .gnupg .profile .ssh .viminfo
root@webs1:~# cd .ssh
root@webs1:~/.ssh# ls
id_rsa id_rsa.pub known_hosts
root@webs1:~/.ssh#

id_rsa – this is your private key. Don’t share it with anyone!

id_rsa.pub – This is your public key. Spread this far and wide. Mostly get a copy of it on the server you want to connect to.

known_hosts – This is the file containing all the HOST keys for the servers that you’ve already connected to. You may have to edit this file to remove host keys for servers that have been replaced or rebuilt.

Next, ssh to the computer that you need to connect to. Check the .ssh directory in your home. You may need to create the .ssh directory.

root@webs2:~# ls -la
total 36
drwx------ 3 root root 4096 Apr 20 11:48 .
drwxr-xr-x 21 root root 4096 Feb 13 11:10 ..
-rw------- 1 root root 1706 Apr 19 13:20 .bash_history
-rw-r--r-- 1 root root 570 Feb 8 21:47 .bashrc
drwx------ 3 root root 4096 Apr 5 08:10 .gnupg
-rw-r--r-- 1 root root 148 Feb 8 21:47 .profile
-rw------- 1 root root 10315 Apr 20 11:43 .viminfo
root@webs2:~#
root@webs2:~# mkdir .ssh
root@webs2:~# chmod 700 .ssh

Now, you want to copy the contents of id_rsa.pub from the first server into the file authorized_hosts on the second server:

root@webs2:~# cd .ssh
root@webs2:~/.ssh# ls
known_hosts
root@webs2:~/.ssh# touch authorized_keys
root@webs2:~/.ssh# chmod 600 authorized_keys
root@webs2:~/.ssh# ls -la
total 12
drwx------ 2 root root 4096 Apr 20 11:39 .
drwx------ 4 root root 4096 Apr 19 13:10 ..
-rw------- 1 root root 0 Apr 20 11:39 authorized_keys
-rw-r--r-- 1 root root 444 Apr 17 08:33 known_hosts
root@webs2:~/.ssh#

It’s not pretty, but it’s just ASCII. You can cut & paste!

ssh-rsa c2EAAAADAQABAAABAQDEF99iBl2DFmzNgZViwOHyM1j2ORn2WhRQWxr0ltPglOhgaYTJZJP8tz2dsx
YMU3sKrKrNpeTvpQBkp1AZnrv9cO3o1RJxe1oR7gq+AVr4e2ybSIBi98Q7qHMfGedlPt0SRw1Od+6P7itBWIWUoDyBGIO6X9BcurriEPun/HZvIqYPV4AuonozTV9n6VMnnwAxM1bBmTFfjrgOGk5OUrBS9hBcqiUrFOqHD0IVqD5iXi+y4jWRwUaK+n8xb+PJkd5hSKI/QBSPgB3OBXz4sNjwfaOzsIqjL4zN97UwOg6oakGd57YBkizXCJWUB5V3jAWHDrEifwzRVDNMzbfU7r root@webs1

Or you can secure copy it to the second server. You’ll probably need to adjust permissions, but it’s a valid way to set this up:

root@webs1:~/.ssh# scp id_rsa.pub webs2:/root/.ssh/authorized_keys
root@webs2's password:
id_rsa.pub 100% 392 259.5KB/s 00:00
root@webs1:~/.ssh#

Finally, test the connection. Go back to the first server and try your ssh connection to the second. If everything worked, you’ll get right in without a password challenge!

root@salt:~# ssh webs1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The ECDSA host key for webs1 has changed,
and the key for the corresponding IP address 10.0.0.204
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /root/.ssh/known_hosts:17
remove with:
ssh-keygen -f "/root/.ssh/known_hosts" -R "10.0.0.204"
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:4BOv0si6zdSHtgQjF2OdW0TH8lNOS8qQYCG/N/sSqJ8.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:14
remove with:
ssh-keygen -f "/root/.ssh/known_hosts" -R "webs1"
ECDSA host key for webs1 has changed and you have requested strict checking.
Host key verification failed.
root@salt:~#
root@salt:~# ssh webs1
The authenticity of host 'webs1 (10.0.0.204)' can't be established.
ECDSA key fingerprint is SHA256:4BOv0si6zdSHtgQjF2OdW0TH8lNOS8qQYCG/N/sSqJ8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'webs1' (ECDSA) to the list of known hosts.
root@webs1's password:

Author: John

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.