Configuring your SSH client and server to make use of public key authentication (asymmetric key pair) rather than a text password has various benefits, including:
- Logins can be automated, which saves time and eliminates the headaches of remembering passwords.
- Text passwords can be eliminated entirely. That removes password guessing and brute-force attempts from the picture on machines that are reachable by untrusted clients, and it matters most if you happen to be using a weak password; a private key is not something an attacker can guess or coax out of you at a fake login prompt.
This article is a brief summary on how to configure automated access on a local network. Additional care and research should be expended if configuring this capability across the Internet / publicly accessible machines.
The ssh client and sshd server are ubiquitous on *nix and macOS systems. We also use them on Windows 10, but via a Cygwin shell. Microsoft has recently reported that Windows 10 supports ssh natively; there are some links about this in the references section.
Note that the ssh client and server on Ubuntu Linux and macOS are from the OpenSSH project. From their site: "OpenSSH is the premier connectivity tool for remote login with the SSH protocol."
In addition to the ssh client and server, OpenSSH also includes utilities to automate your login, which we'll be using in this article, plus sftp (secure file transfer protocol) & scp (secure remote file copy).
If you're not familiar with asymmetric cryptography (public / private key pairs), a great reference is Understanding Cryptography by Paar and Pelzl. It's well written, comprehensive, and relatively inexpensive. The authors also offer a companion two-semester college course online for free (see crypto-textbook.com or YouTube).
Generating a public / private key pair
The first thing we need to do is generate a pair of keys: public and private. The private key stays on the client and never leaves it; the public key is copied to each remote server that we wish to access automatically and securely. If the private key is ever suspected of being compromised or revealed, generate a new pair and remove the old public key from the authorized_keys file on every server it was installed on; deleting the local files alone does not revoke anything, because the server keeps accepting whatever is listed in authorized_keys.
The following transcript is from a terminal window on macOS Mojave (Version 10.14). The user name is "tony" and the keys will be stored in the default .ssh directory in the user's home directory.
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/tony/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/tony/.ssh/id_rsa.
Your public key has been saved in /Users/tony/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Gcr+WDlev6fopWmh643m/iGOW8ZHGcp89WFkJr5fEhk tony@mac
The key's randomart image is:
+---[RSA 2048]----+
| . E |
| . = o |
| . . o = |
| . + + + + o |
| o S + . o .|
| . . +. . o |
| . O.+.. . |
| XoB.B . |
| +*X=B ++ |
+----[SHA256]-----+
The randomart image shown above is a visual rendering of the fingerprint of the key you just generated. The same rendering is used for server host keys: if you add VisualHostKey yes to your .ssh/config file, ssh prints the remote host key's randomart every time you log into a particular machine, so a host whose key has changed (for example because it was swapped out for an impostor that happily accepts your login in order to steal your data) shows a different picture. Note that ssh already compares the host key against ~/.ssh/known_hosts and refuses to connect when a known host's key changes; the image is a human-recognizable aid on top of that check, not a replacement for it, and it only helps if you actually remember what the picture looked like. The idea is similar to the recognition images some banks and brokerage houses show at login as a safeguard.
ssh-keygen generated two files in our local .ssh directory:
- id_rsa.pub: public key
- id_rsa: private key
From "man ssh-keygen": the id_rsa file contains "the protocol version 2 DSA, ECDSA, ED25519 or RSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be used to encrypt the private part of this file using 128-bit AES.... ssh will read this file when a login attempt is made." Keep the file at mode 0600 (ssh-keygen sets this; ssh ignores a private key that is readable by others). Newer OpenSSH releases (7.8 and later) write private keys in OpenSSH's own format by default, where the passphrase is stretched with bcrypt and the key is encrypted with AES-256 rather than the older PEM encryption the quote describes. Either way, an unencrypted private key is only as safe as the machine it sits on; if you need unattended logins, prefer a passphrase plus ssh-agent over an empty passphrase.
The id_rsa.pub file contains "the protocol version 2 DSA, ECDSA, ED25519 or RSA public key for authentication. The contents of this file should be added to ~/.ssh/authorized_keys on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret."
For now, we'll skip the convenience utility ssh-copy-id and show how to distribute the public key manually:
- View the id_rsa.pub file and copy the text (it is a single line: key type, base64 key blob, comment).
- Log in to the remote machine with ssh the old way, using your password. Append the public key line you just copied to the end of ~/.ssh/authorized_keys, creating ~/.ssh (mode 700) and the file (mode 600) if they don't exist. The permissions matter: with StrictModes on (the default), sshd silently ignores authorized_keys if your home directory, ~/.ssh, or the file itself is writable by group or others.
- Exit the file and the ssh connection, then log back in via ssh. You should now be let in without typing a password.
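The manual steps above, done as a small POSIX shell function. This is an added example and not code from the article or from OpenSSH; the key line and paths are constructed. It appends the key only if it is not already present (a re-sent key with a different comment is still a duplicate) and sets the permissions that sshd's StrictModes check requires, which the manual recipe leaves to the reader.

```shell
#!/bin/sh
# Added example, not code from the original article or from OpenSSH: append a
# public key to an authorized_keys file the way the manual steps do, but
# idempotently and with the permissions sshd's StrictModes check requires
# (~/.ssh mode 700, authorized_keys mode 600). Paths and the key are constructed.

# install_pubkey KEYLINE AKFILE
#   KEYLINE is the one-line contents of id_rsa.pub / id_ed25519.pub
#   AKFILE  is the authorized_keys file to update (created if missing)
# Prints "installed" or "already installed".
install_pubkey() {
    keyline=$1
    akfile=$2
    akdir=$(dirname "$akfile")
    old_umask=$(umask)
    umask 077                      # anything we create is private by default
    mkdir -p "$akdir"
    chmod 700 "$akdir"
    touch "$akfile"
    chmod 600 "$akfile"
    umask "$old_umask"
    # Identify a key by type + base64 blob (fields 1 and 2); the trailing comment
    # is free text, so a key re-sent with a new comment must not be added twice.
    # (Lines that start with authorized_keys options such as command="..."
    # are not handled by this simple comparison.)
    keyid=$(printf '%s\n' "$keyline" | awk '{ print $1 " " $2 }')
    if awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit (found ? 0 : 1) }' "$akfile"; then
        echo "already installed"
        return 0
    fi
    printf '%s\n' "$keyline" >> "$akfile"
    echo "installed"
}

# count_keys AKFILE -> number of key lines (ignores blank lines and # comments)
count_keys() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# Constructed demo key: the ed25519 type tag is real, the blob is a placeholder.
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxx tony@mac'

demo() {
    tmp=$(mktemp -d)
    install_pubkey "$DEMO_KEY" "$tmp/.ssh/authorized_keys"   # installed
    install_pubkey "$DEMO_KEY" "$tmp/.ssh/authorized_keys"   # already installed
    ls -ld "$tmp/.ssh" "$tmp/.ssh/authorized_keys"
    rm -rf "$tmp"
}
demo
```

On a real server you would run install_pubkey with "$HOME/.ssh/authorized_keys" as the second argument after pasting the key line in over the password-authenticated session; the ls -ld output in the demo is the same check to make if a key that should work keeps falling back to a password prompt.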
And it's even easier with ssh-copy-id:
$ ssh-copy-id -i .ssh/id_rsa.pub <remote host>
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Host key fingerprint is SHA256:...
password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh <remote host>"
and check to make sure that only the key(s) you wanted were added.
$ ssh <remote host>
...
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-47-generic x86_64)
...
Last login: Sat Apr 20 23:15:17 2019 from 192.168.3.55
The other thing to consider once the automated login is working is whether you want to disable password logins. This is done in /etc/ssh/sshd_config on the server: PasswordAuthentication no stops plain password logins, and ChallengeResponseAuthentication no (KbdInteractiveAuthentication in newer releases) stops keyboard-interactive logins, which with UsePAM would otherwise still prompt for the account password. Check your man pages for the details, run sshd -t to validate the file before reloading the service, and keep your current session open while you confirm a fresh login from a second terminal. Only do this if you are able to get in front of the remote machine to log in directly in case you break ssh remote login.
If the above instructions for automated login didn't work, check the config file on the remote server, /etc/ssh/sshd_config: public key authentication must not have been turned off (the PubkeyAuthentication option, which defaults to yes). The most common cause of a silent fallback to the password prompt is permissions: with StrictModes (the default), sshd ignores authorized_keys if your home directory, ~/.ssh, or the file itself is writable by group or others, so check those with ls -ld first.
Note that when we ran ssh-keygen, we created an RSA key pair, which is the default. Other public key algorithms are supported and accepted. See the following:
- the -t option for ssh-keygen (possible values are "dsa", "ecdsa", "ed25519", or "rsa"). Ed25519 is the modern choice (small keys, fast, and no key size or curve to choose wrongly): ssh-keygen -t ed25519. DSA keys are limited to 1024 bits and have been disabled by default in OpenSSH since version 7.0, so don't generate new ones.
- PubkeyAcceptedKeyTypes (see "man ssh_config" and "man sshd_config"), which controls which key algorithms the client offers and the server accepts; it was renamed PubkeyAcceptedAlgorithms in OpenSSH 8.5.
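To see what a given sshd_config actually does before you reload the service, here is an added example (not from the article or from OpenSSH) that resolves the password-login and PubkeyAuthentication settings discussed above the way sshd does: the first occurrence of a keyword wins, keywords are case-insensitive, and lines after a Match directive are conditional. It goes beyond the text by placing a weak, stock-looking configuration beside a hardened one; both sample configs are constructed, and the sshd_option / password_logins_allowed helpers are this example's own names.

```shell
#!/bin/sh
# Added example, not from the original article or from OpenSSH: resolve what an
# sshd_config actually says about password logins, using sshd's own rules:
# the FIRST occurrence of a keyword wins, keywords are case-insensitive, and
# everything after the first "Match" line is conditional (ignored here).
# The two sample configs are constructed.

# sshd_option FILE KEYWORD DEFAULT -> prints the effective value in the
# global section, or DEFAULT if the keyword is not set there.
sshd_option() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = "" }
        {
            sub(/^[ \t]+/, "")
            if ($0 == "" || substr($0, 1, 1) == "#") next     # blank or comment
            split($0, f, /[ \t]+/)
            kw = tolower(f[1])
            if (kw == "match") exit                            # end of global section
            if (kw == key && val == "") val = f[2]             # first occurrence wins
        }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# password_logins_allowed FILE -> "yes" unless BOTH PasswordAuthentication and
# ChallengeResponseAuthentication are off. With UsePAM, keyboard-interactive
# authentication can still prompt for the account password, so turning off
# PasswordAuthentication alone does not eliminate passwords.
password_logins_allowed() {
    pw=$(sshd_option "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    cr=$(sshd_option "$1" ChallengeResponseAuthentication yes | tr 'A-Z' 'a-z')
    if [ "$pw" = "no" ] && [ "$cr" = "no" ]; then
        echo no
    else
        echo yes
    fi
}

# Constructed sample 1: looks like a stock file. PasswordAuthentication is only
# commented out, so sshd's built-in default (yes) applies.
WEAK_CONF='# constructed sample, not a real server file
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
PubkeyAuthentication yes'

# Constructed sample 2: password logins disabled globally. The second
# PasswordAuthentication line is a trap: it is ignored because the first
# occurrence wins, and the Match block only applies to user "backup".
HARDENED_CONF='# constructed sample, not a real server file
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes'

demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$WEAK_CONF" > "$tmp/weak"
    printf '%s\n' "$HARDENED_CONF" > "$tmp/hardened"
    for f in weak hardened; do
        printf '%-9s PasswordAuthentication=%s  password logins: %s\n' "$f" \
            "$(sshd_option "$tmp/$f" PasswordAuthentication yes)" \
            "$(password_logins_allowed "$tmp/$f")"
    done
    rm -rf "$tmp"
}
demo
```

Point sshd_option at the real /etc/ssh/sshd_config to check a setting before restarting; it only reads the global section, so settings inside Match blocks (and files pulled in by Include on newer releases) still need to be read by hand. sshd -t remains the authoritative syntax check.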
Lastly, if you're having problems, take a look at the logs. In /etc/ssh/sshd_config you should see a couple of lines under Logging:
# Logging
SyslogFacility AUTH
LogLevel DEBUG
Our file shown above has already been modified to send debugging information to the logs; the stock value is INFO, and VERBOSE is usually enough to see which key was offered and why it was rejected. Turn the level back down once you're done, since DEBUG is noisy, and remember that sshd must be reloaded for the change to take effect. On Ubuntu Linux 18.04, the messages land in /var/log/auth.log, and journalctl -u ssh shows them as well.