About technologies for your digital home

For beginners and tinkerers

Passwordless SSH

December 15th, 2014

In this post, I will show how to set up a passwordless SSH login from both Linux and Windows to a Linux SSH server.

Pros and cons of traditional SSH login

A traditional SSH login uses password authentication, and the password is encrypted in transit. That is a lot better than the older Telnet protocol, which sent passwords in clear text. However, password-based SSH authentication (even with fairly strong passwords) may not be the best fit for Linux systems that are reachable from the Internet. Sooner or later, someone will try to get into your system.

How do I know this? Well, I will give a simple example from real life 🙂

Here is an extract from my web-server authentication log:

[Screenshot: authentication log extract]

As you can see, the host 122.228.207.244 tried to brute force the password 😉

You can check your own Ubuntu or Debian-based system by opening the file with the command:

sudo nano /var/log/auth.log

Another option is to use this command to filter your authentication records for potential intrusion attempts:

sudo grep Failed /var/log/auth.log

After checking this file, you will know whether any such attempts have taken place.

Of course, you will see these records only if SSH logging is enabled.

This is set in the SSH server config file:

sudo nano /etc/ssh/sshd_config

The name of the variable to control logging is LogLevel:

LogLevel INFO

So, the solution to this is to use public-key-based authentication.

SSH using public key authentication

How does it work?

Two keys are used for authentication. The first is the private key, which is unique and which you must keep safe (it is private!). The second is the public key, which the server uses only to check that the connecting client holds the matching private key; the private key itself is never sent. There are no security concerns related to sharing the public key.

Generate the keys

Generate ssh keys with ssh-keygen on machine A with Linux:

[Screenshot: ssh-keygen run on machine A]

In this case, the key pair will be stored in /home/username/.ssh

To authorize the public key for login, run this command from the user’s home directory:

cat .ssh/id_rsa.pub >> .ssh/authorized_keys

If you are going to use these keys to log in from remote machines (Linux or Windows), you have to copy them there using SFTP.

Enable public key authentication for SSH

Do not forget that public key authentication must be enabled in your SSH (Debian or Ubuntu) service config:

sudo nano /etc/ssh/sshd_config
PubkeyAuthentication yes

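Using key authentication from another Linux machine

For an SSH connection, that would look like this (username and machine_A are placeholders for your account and the address of the first machine):

ssh -i /home/2nd_user/.ssh/id_rsa username@machine_A

and you should land on the first Linux machine 😉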

Using key authentication from a Windows machine

In Windows, you can use the PuTTY client to connect to a Linux SSH server using public key authentication. However, you must first convert the key generated on Linux into PuTTY’s format, and only then use it for authentication.

If you installed the full PuTTY package, you should see something like this:

[Screenshot: programs installed with the PuTTY package]

The program PuTTYgen will be used for key conversion.

After loading the key, PuTTY produced this message:

[Screenshot: PuTTYgen message]

After that, you can open PuTTY and configure the connection:

[Screenshot: PuTTY connection settings]

You have to tweak that connection a little bit by going to ‘Connection -> Auth -> Private key for authentication’ and choosing the key generated earlier.

You have just learned how to use passwordless SSH 😉

One last thing

When you are sure that your whole config works, you can disable password authentication for SSH. This is done by editing the SSH config file:

sudo nano /etc/ssh/sshd_config
PasswordAuthentication no
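
A check for the three sshd_config settings used in this post, as an added example that is not part of the original post: it reads one config file and reports whether PubkeyAuthentication, PasswordAuthentication and LogLevel have the values recommended above. The function names and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the three sshd_config
# keywords the post changes. Assumptions of this sketch: it reads one file,
# does not follow Include files, and only looks at the global section
# before the first Match block.

# effective_value FILE KEYWORD DEFAULT -> lower-cased value sshd would use.
# Keywords are case-insensitive and the first occurrence wins.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = def }
        NF == 0 || $1 ~ /^#/   { next }       # skip blank lines and comments
        tolower($1) == "match" { exit }       # conditional overrides start here
        tolower($1) == key     { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# audit_sshd_config FILE -> prints findings; returns 1 if any check fails.
audit_sshd_config() {
    rc=0
    pubkey=$(effective_value "$1" PubkeyAuthentication yes)    # sshd default: yes
    passwd=$(effective_value "$1" PasswordAuthentication yes)  # sshd default: yes
    level=$(effective_value "$1" LogLevel info)                # sshd default: INFO
    if [ "$pubkey" != yes ]; then echo "FAIL PubkeyAuthentication=$pubkey"; rc=1; fi
    if [ "$passwd" != no ]; then echo "FAIL PasswordAuthentication=$passwd"; rc=1; fi
    case "$level" in
        quiet|fatal|error) echo "FAIL LogLevel=$level"; rc=1 ;;  # below INFO
    esac
    if [ "$rc" -eq 0 ]; then echo "OK"; fi
    return "$rc"
}

# Constructed sample: the directive is still commented out, so the default
# (PasswordAuthentication yes) applies and the audit flags it.
sample=$(mktemp)
printf '%s\n' 'LogLevel INFO' 'PubkeyAuthentication yes' \
    '#PasswordAuthentication no' > "$sample"
audit_sshd_config "$sample" || true
rm -f "$sample"
```

On a live server, sudo sshd -T prints the effective configuration, including Include files, and remains the authoritative check.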

Enjoy safer SSH!