Passwordless SSH logins on Linux

You Shall Not Password - Password-less SSH login

Passwordless SSH logins offer vast security improvements over standard password logins. Once set up, they also offer the convenience of not having to enter a password when logging in from the same system.

 

Configure OpenSSH

Open the configuration file.

sudo nano /etc/ssh/sshd_config

 

Uncomment and/or modify the desired lines in the configuration file, then save.

PermitRootLogin no
PubkeyAuthentication yes
RSAAuthentication yes

Root login is controlled with the PermitRootLogin keyword: yes to allow, no to disallow, and without-password to allow only with public key authentication. This should almost always be set to no for security purposes. Root access can still be gained with the sudo or su commands.

By default passwordless logins will fail because the relevant keywords are commented out. Enable PubkeyAuthentication by uncommenting the line and verifying it is set to yes. If using RSA encryption, the RSAAuthentication keyword should be set to yes; otherwise set it to no, or leave it commented out as it is by default.

 

Set up passwordless SSH login

Generate the RSA keys.

ssh-keygen -t rsa -b 2048

 

Change the passphrase of the private key if or when needed.

ssh-keygen -p

 

Copy the key to the remote server.

ssh-copy-id -p 22 username@192.168.0.100

Enter the password of the remote system's user when prompted. If using shared hosting, the username should be the root account that was created when the service was first activated. This should be the same as the default FTP account, though the password can and likely will differ. The port can be specified with the -p argument; otherwise it defaults to port 22.

 

Configure passwordless SSH login

Verify that only the expected keys were added on the remote system.

ssh username@192.168.0.100 "cat ~/.ssh/authorized_keys"

 

Set permissions on the key file in case they are incorrect.

ssh username@192.168.0.100 "chmod 600 ~/.ssh/authorized_keys"

 

Set permissions on the SSH directory.

ssh username@192.168.0.100 "chmod 700 ~/.ssh"

 

Set permissions on the user's home directory.

ssh username@192.168.0.100 "chmod 700 ~/"

 

Log in with SSH

Log in to the remote server from Linux.

ssh username@192.168.0.100

Enter the passphrase used when creating the key with ssh-keygen. If a password is still required, add the -v argument to enable verbose output and help troubleshoot the cause.

 

When permissions are incorrect, the verbose output shows the error "Remote: Ignored authorized keys: bad ownership or modes for directory /home/username/.ssh". This error prevents passwordless logins. Permissions must be set correctly on the ~/.ssh/authorized_keys file, the ~/.ssh directory, and even the ~/ directory for key-based login to work.
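
The ownership and mode test behind that error, as an added example rather than code from the original page: with StrictModes on (its default), sshd ignores authorized_keys when the file, ~/.ssh or the home directory is owned by someone other than the user or root, or is writable by group or others. The function name audit_ssh_perms and the throwaway demo directory are assumptions of this example, and stat -c assumes GNU or BusyBox stat.

```sh
#!/bin/sh
# Added example: audit the three paths the page sets permissions on.
# audit_ssh_perms is a hypothetical name; stat -c assumes GNU/BusyBox stat.

# audit_ssh_perms HOME_DIR [EXPECTED_UID]
# Prints one line per offending path; returns 0 if all pass, 1 otherwise.
audit_ssh_perms() {
    home=$1
    want_uid=${2:-$(id -u)}
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING   $p"
            rc=1
            continue
        fi
        # %a = octal mode, %u = numeric owner
        set -- $(stat -c '%a %u' "$p")
        mode=$1
        uid=$2
        # Owner must be the account itself or root.
        if [ "$uid" -ne "$want_uid" ] && [ "$uid" -ne 0 ]; then
            echo "BAD OWNER $p (uid $uid)"
            rc=1
        fi
        # Any group- or world-write bit (octal 022) is rejected.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "BAD MODE  $p ($mode)"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo: a throwaway directory standing in for a home directory.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && : > "$demo/.ssh/authorized_keys"
chmod 700 "$demo"; chmod 775 "$demo/.ssh"; chmod 600 "$demo/.ssh/authorized_keys"
audit_ssh_perms "$demo" || echo "sshd would ignore authorized_keys"
chmod 700 "$demo/.ssh"
audit_ssh_perms "$demo" && echo "permissions OK"
rm -rf "$demo"
```

Run audit_ssh_perms "$HOME" on the remote account to check the real paths; the 700 and 600 modes set in the steps above pass it.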