Table of Contents
SSH public key authentication. ssh authorized_keys. ssh with key. ssh key login. linux enable ssh public key authentication. generate ssh key and add ssh key to server. ssh login with private key without password using authorized_keys. add public key to server. how to ssh with private key. Linux login without password. create ssh key. ssh add key. ssh keygen. login to linux server using ssh key. where are ssh keys stored. ssh use public key centos. rhel ssh public key authentication. rhel ssh key exchange. login to linux server without password centos.
PSSH is a utility to perform SSH from one server to multiple client nodes in parallel and perform certain task as defined. By default PSSH has -A argument using which the tool will prompt for password which will be used to connect to all the target host.
But we can also configure PSSH to use SSH public key authentication. You can login to multiple Linux server using SSH Key, either with passphrase or password less (without password).
-A --askpass Prompt for a password and pass it to ssh. The password may be used for either to unlock a key or for password authentication. The password is transferred in a fairly secure manner (e.g., it will not show up in argument lists). However, be aware that a root user on your system could potentially intercept the password.
How login to Linux server works without password?
Secure Shell relies on a technology called public-key cryptography. It works similarly to a safe deposit box at the bank: You need two keys to open the box or at least multiple layers of security/checks have to be crossed. In the case of public-key cryptography, you need two mathematical keys: a public one and a private one.
The actual process of encrypting data and sending it from one person to the next requires several steps. We’ll use the popular “Alice and Bob” analogy and go through the process one step at a time as they both try to communicate in a secure manner with one another.
Configure SSH public key authentication
In the below steps I will configure SSH public key authentication between 3 nodes for root user.
I have 3 nodes with me using which I will configure SSH public key authentication to login to Linux server without password
Here, I will generate SSH key pair on
centos-master using which we will attempt to login and connect to
centos-client nodes without password (using ssh public key authentication)
SSH communication is secured using public key cryptography. When a user connects to the SSH-server using SSH-client for the first time, the SSH program stores the SSH-server public key in the user’s home directory inside a file,
known_hosts, in a hidden folder named
1. Generate SSH key pair (private and public)
The first step would be to generate private and public ssh key. Here centos-master will be my master server.
In this step, the client uses a special utility, ssh-keygen, to generate an SSH key pair for authentication with the server. This utility is bundled with OpenSSH and by default it creates a 2048-bit RSA key pair. It supports RSA and DSA, both with different lengths of keys. A key length of 4096 bits is recommended for establishing a secure connection between two machines. The following diagram shows how to create a RSA (Rivest-Shamir-Adleman) key pair of 2048-bit:
[root@centos-master ~]# ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: SHA256:WDIWm4i8/UhU/zjiKZrmGVcg5PZj5mzXT4aZd37Gnbs firstname.lastname@example.org The key's randomart image is: +---[RSA 2048]----+ | . o | | + . o = | | * + * o | | . * o = o | | . B + S . | | * * + = | | . B = = + .. ..| | .B o = o +..| | o= . .o Eo| +----[SHA256]-----+
2. Copy public key to remote Linux machine (authorized_keys)
When you connect to your remote host, SSH validates the key ID you’re providing against a list of
authorized_keys. There is one utility,
ssh-copy-id, which is also bundled with OpenSSH and can be used to copy the key to the remote system. It automatically copies the
~/.ssh/id_rsa.pub file by default into the remote system
ssh-copy-id because it copies the public key and also appends the public key to the
authorized_keys. Provide the path of the public key using
-i argument. This public key will be copied to our
centos-client-1 node and the content of the public SSH key will be appended to root user’s
[root@centos-master ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@centos-client-1 /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub" /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys root@centos-client-1's password: Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'root@centos-client-1'" and check to make sure that only the key(s) you wanted were added.
Similarly I will copy SSH public key to
centos-client-2 for root user’s
[root@centos-master ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@centos-client-2 /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub" /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys Password: Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'centos-client-2'" and check to make sure that only the key(s) you wanted were added.
3. Configuring and Securing Login (sshd_config)
Additional security measures can be enabled by modifying the OpenSSH server configuration file
/etc/ssh/sshd_config, on the remote host. Following are the some steps that can be taken to secure the SSH logins:
Now, since we have configured the SSH key-based authentication in the previous section, we can disable the password authentication to secure SSH logins in the SSH server configuration file. Edit the SSH daemon config file on the remote host running the SSH server and set the
PasswordAuthentication directive value to no as shown here:
# vi /etc/ssh/sshd_config PasswordAuthentication no
Prohibit direct login as the root user through SSH, as the root user has unrestricted privileges and exists by default on every Linux system. To secure the root user account through SSH, we can do following changes in configuration file:Comment the line with the directive
PermitRootLogin as shown here:
Allow only key-based ssh login in the root account by setting the directive
PermitRootLogin value as
without-password as shown here:
After making changes in the SSH server configuration file
/etc/ssh/sshd_config, restart the
sshd service to bring the applied changes into effect, as shown here:
# systemctl restart sshd
Create ssh authenticating agent (ssh-agent)
However, we did still have to enter the password we set on the private SSH key. If you have to do this each time you want to connect to a remote host, it defeats the purpose of setting up key-based authentication. SSH agent, a small daemon that keeps unlocked private SSH keys in memory.
ssh-agent is a program to hold private keys used for public key authentication (RSA, DSA, ECDSA, Ed25519).
ssh-agent is usually started in the beginning of an X-session or a login session, and all other windows or programs are started as clients to the
[root@centos-master ~]# eval `ssh-agent` ssh-add /root/.ssh/id_rsa Agent pid 4696 Enter passphrase for /root/.ssh/id_rsa: Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
Verify the process status
[root@centos-master ~]# ps -ef | grep ssh-agent root 4696 1 0 21:32 ? 00:00:00 ssh-agent root 4699 4004 0 21:32 pts/0 00:00:00 grep --color=auto ssh-agent
You can get PSSH rpm from EPEL repository
[root@centos-master ~]# rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm Retrieving https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm Preparing... ################################# [100%] Updating / installing... 1:epel-release-7-11 ################################# [100%]
Next you can install PSSH using
[root@centos-master ~]# yum install pssh
Perform parallel SSH (PSSH)
Now we are all setup with SSH public key authentication and we can execute PSSH without the need of giving any password. Additionally I am using some more SSHD options with PSSH to disable password based login and select passphrase based authentication.
[root@centos-master ~]# pssh -i -H "centos-client-1 centos-client-2" -l root -x "-o StrictHostKeyChecking=no -o GSSAPIAuthentication=no -o PreferredAuthentications=publickey -o PubkeyAuthentication=yes" hostname  23:07:10 [SUCCESS] centos-client-2 centos-client-2.example.com  23:07:10 [SUCCESS] centos-client-1 centos-client-1.example.com
As you see I did not use “-A” and yet the PSSH tool was able to connect to all the provided host without prompting for any password.
ssh-agent. You can use
kill -9 <PID of ssh-agent>
Lastly I hope the steps from the article to generate SSH Key pair and configure SSH public key authentication using PSSH with authorized_keys in RHEL/CentOS 7 Linux was helpful. So, let me know your suggestions and feedback using the comment section.