Introduction
Setting up SSH passwordless login on your Linux system not only improves security but also provides a seamless and efficient way to access remote servers. In this comprehensive guide, we will walk you through the process of securely configuring SSH passwordless authentication. By following our step-by-step instructions and best practices, you’ll be able to establish a secure and convenient SSH connection without the need for entering passwords.
Understanding SSH Passwordless Login
SSH passwordless login, also known as SSH key-based authentication or SSH public key authentication, allows you to log in to a remote Linux server without entering a password. Instead, it relies on cryptographic keys to authenticate the user. Once password authentication is disabled on the server (step 3), this method removes the risk of password-based attacks such as brute-force guessing and provides a streamlined remote access experience.
Step-by-Step Guide to Set Up SSH Passwordless Login
1. Generate SSH Key Pair
Generate an SSH key pair on your local machine using the following command:
ssh-keygen -t rsa -b 4096
Choose a strong passphrase to protect your private key.
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:8OWmuHh9BjySvj7mrptRwQ6QHqE7F0... user@localhost
The key's randomart image is:
+---[RSA 4096]----+
| ..o=++. |
| . .=*o |
| . +B*. |
| .=.=o. |
| . S.o |
| . o o.. |
| + +oo. |
| =B.+. |
| .=.E. |
+----[SHA256]-----+
2. Copy Public Key to Remote Server
Copy the public key (id_rsa.pub) to the remote server using the following command:
ssh-copy-id user@remote-server
Alternatively, you can manually append the public key to the ~/.ssh/authorized_keys file on the remote server.
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/user/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@remote-server's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'user@remote-server'"
and check to make sure that only the key(s) you wanted were added.
3. Configure SSH on the Remote Server
Modify the SSH server configuration file (sshd_config) on the remote server to enable key-based authentication and disable password authentication. Open the file using a text editor, locate the PasswordAuthentication directive, and set it to no. Uncomment the PubkeyAuthentication directive and set it to yes.
# nano /etc/ssh/sshd_config
# Authentication:
...
PasswordAuthentication no
...
PubkeyAuthentication yes
...
4. Test SSH Passwordless Login
Test the SSH passwordless login by attempting to connect to the remote server from your local machine using the generated SSH key pair. Use the following command:
ssh user@remote-server
Ensure successful authentication without requiring a password.
Last login: Mon Jun 5 10:43:07 2023 from 192.168.0.100
Welcome to the remote server!
user@remote-server:~$
5. Harden SSH Security
Implement additional security measures, such as disabling root login, changing the default SSH port, and limiting SSH access to specific IP addresses. Use the following commands to make these changes:
Disable root login:
sudo sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
PasswordAuthentication no
PermitRootLogin no
Change default SSH port (optional):
sudo sed -i -E 's/^#?[[:space:]]*Port[[:space:]].*/Port <new-port-number>/' /etc/ssh/sshd_config
Limit SSH access to specific IP addresses (optional):
echo "AllowUsers user@trusted-ip" | sudo tee -a /etc/ssh/sshd_config
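Remember to restart the SSH service for the changes to take effect. Keep your current session open until a new key-based login succeeds, so that a configuration mistake does not lock you out: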
sudo systemctl restart sshd
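A check for the edits made in steps 3 and 5, as an added example that is not part of the original guide: sshd uses the first value it reads for these keywords, so the script reports the value that actually takes effect in a config file. The function names and the sample file are constructed for illustration; the defaults listed are OpenSSH's.

```shell
#!/bin/sh
# Added example, not from the original guide. sshd uses the FIRST value it
# reads for these keywords, so a line edited or appended further down can be
# shadowed by an earlier one. Limits: Include files are not followed and
# parsing stops at the first Match block; `sshd -T` is authoritative.

# effective_value FILE KEYWORD DEFAULT -> prints the value sshd would use
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }         # comments and blank lines
        { sub(/=/, " ") }                      # "Keyword=value" form
        tolower($1) == "match" { exit }        # conditional section begins
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE -> one line per check; exit status = failed checks
audit_sshd_config() {
    fails=0
    # Columns: keyword, value this guide sets, OpenSSH default if unset.
    while read -r key want def; do
        got=$(effective_value "$1" "$key" "$def")
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '$got', want '$want'"
            fails=$((fails + 1))
        fi
    done <<EOF
PasswordAuthentication no yes
PubkeyAuthentication yes yes
PermitRootLogin no prohibit-password
EOF
    return "$fails"
}

# Constructed sample: step 3 added "PasswordAuthentication no" near the end,
# but an earlier line left by the OS image still says yes.
make_sample() {
    printf '%s\n' '# constructed sample sshd_config' 'Port 22' \
        'PasswordAuthentication yes' '#PermitRootLogin prohibit-password' \
        'PubkeyAuthentication yes' 'PasswordAuthentication no' \
        'PermitRootLogin no' > "$1"
}

sample=$(mktemp) && make_sample "$sample"
audit_sshd_config "$sample" || echo "$? setting(s) not effective"
rm -f "$sample"
```

On the server itself, run audit_sshd_config against /etc/ssh/sshd_config before restarting the service, and compare with the output of sudo sshd -T when drop-in files are in use.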
Best Practices for SSH Passwordless Login
Use strong passphrases when generating SSH key pairs.
Protect your private key and never share it with unauthorized individuals.
Regularly monitor and review SSH access logs for any suspicious activity.
Update your SSH server and client software to the latest versions to ensure security patches are applied.
Implement a firewall to restrict SSH access to trusted networks or IP addresses.
Consider using SSH key pairs with a passphrase for an additional layer of security.
Periodically rotate SSH keys and revoke access for any compromised keys.
Follow the principle of least privilege by granting SSH access only to necessary users.
Enable two-factor authentication (2FA) for SSH, if supported by your SSH server.
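One way to carry out the log review recommended in the list above, as an added example that is not part of the original guide: it flags accepted password logins, accepted root logins and repeated failures per source address. The sample lines are constructed; on a real server the input would be /var/log/auth.log or /var/log/secure, depending on the distribution.

```shell
#!/bin/sh
# Added example, not from the original guide: review sshd lines from an auth
# log after the hardening steps. Output, sorted:
#   failed N IP            - source with 3 or more failed logins
#   password-login USER IP - a password login that was ACCEPTED; with
#                            PasswordAuthentication no there should be none
#   root-login IP          - root logged in; PermitRootLogin no forbids it
review_auth_log() {
    awk '
        !/sshd\[[0-9]+\]:/ { next }
        # Locate the sshd message itself, after the syslog prefix.
        { s = 0; for (i = 1; i <= NF; i++)
              if ($i == "Accepted" || $i == "Failed") { s = i; break } }
        s == 0 { next }
        # Usernames are attacker-chosen text, so trust the LAST "from".
        { ip = "?"; for (i = s; i < NF; i++) if ($i == "from") ip = $(i + 1) }
        $s == "Accepted" && $(s + 1) == "password" { print "password-login", $(s + 3), ip }
        $s == "Accepted" && $(s + 3) == "root" { print "root-login", ip }
        $s == "Failed" { fails[ip]++ }
        END { for (a in fails) if (fails[a] >= 3) print "failed", fails[a], a }
    ' "$1" | LC_ALL=C sort
}

# Constructed sample log lines (documentation IP ranges, invented host).
make_sample_log() {
    cat > "$1" <<'EOF'
Jun  5 10:41:02 remote-server sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jun  5 10:41:05 remote-server sshd[1201]: Failed password for invalid user test from 203.0.113.7 port 40112 ssh2
Jun  5 10:41:09 remote-server sshd[1203]: Failed password for root from 203.0.113.7 port 40118 ssh2
Jun  5 10:42:30 remote-server sshd[1210]: Accepted password for deploy from 198.51.100.20 port 51022 ssh2
Jun  5 10:42:55 remote-server sshd[1212]: Accepted publickey for root from 198.51.100.20 port 51030 ssh2: RSA SHA256:constructed
Jun  5 10:43:07 remote-server sshd[1215]: Accepted publickey for user from 192.168.0.100 port 51234 ssh2: RSA SHA256:constructed
Jun  5 10:44:00 remote-server sshd[1220]: Failed password for user from 192.168.0.100 port 51300 ssh2
EOF
}

log=$(mktemp) && make_sample_log "$log"
review_auth_log "$log"
rm -f "$log"
```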
Conclusion
By following this comprehensive guide, you have successfully set up SSH passwordless login in Linux. You have learned the key concepts, step-by-step configuration process, and best practices for secure and convenient remote access. SSH passwordless login enhances your system’s security and simplifies the authentication process, saving you time and effort. Remember to follow the recommended security measures to protect your SSH keys and maintain a secure environment for your Linux system.
Happy secure remote access in Linux!