SSH: authentication by keys

In this tutorial, I will explain how to connect to a Linux server or computer over SSH without a password, using a key pair (private key / public key).

Generate the key pair with ssh-keygen

To generate a key pair you need an SSH client; this can be done from Windows 10 (which includes the OpenSSH client) or from Linux.

In this tutorial, I used my Windows 10 computer.

To generate a key pair, enter the command below:

ssh-keygen -b 4096

-b 4096 generates a 4096-bit RSA key. The default RSA size is 2048 bits on older OpenSSH releases and 3072 bits since OpenSSH 8.0. If your server runs a recent OpenSSH, ssh-keygen -t ed25519 is a shorter, modern alternative that needs no -b option.

First, ssh-keygen asks for the file in which the key will be stored; the default name is id_rsa. Press Enter to accept the default.

If in doubt, first check whether a key pair is already present in your .ssh folder (C:\Users\<your user>\.ssh on Windows, ~/.ssh on Linux): ssh-keygen asks before overwriting an existing file, but answering yes destroys the old private key for good.

Then you can enter a passphrase to protect the private key; leave it blank to have none.

If you set a passphrase, it is requested every time the key is used, unless you load the key into an SSH agent (ssh-agent on Linux, the OpenSSH Authentication Agent service on Windows). In a critical environment I advise setting one: without it, anybody who copies the id_rsa file can use it immediately.

After confirming the passphrase, the key pair is generated:

Then go to the .ssh folder and list its contents; we find the two files of our key pair.

The id_rsa file is the private key, which must never leave your computer; id_rsa.pub is the public key, which we will install on the SSH server(s) we want to connect to.

I strongly recommend backing up your key pair, the private key in particular, in a secure location.

Configure the SSH server

Now that we have a key pair, we will configure our SSH server to accept it.

In practice, this means placing our public key in the account we want to log in as (rdrit in this tutorial), so that the connection works without a password.

Of course, we do not do this for the root account: log in as a normal user and use sudo.

On the Linux server, go to the home folder of the user you want to connect as.

Check whether the .ssh folder is present (ls -la, or the ll alias on many distributions). Note that sshd, with its default StrictModes setting, ignores the key if the .ssh folder or the authorized_keys file is writable by other users: the folder should be mode 700 and the file mode 600, both owned by the user.

If the folder does not exist, create it:

mkdir .ssh

In the .ssh folder, check whether the authorized_keys file exists. Otherwise, create it:

touch .ssh/authorized_keys

Then edit the authorized_keys file, with nano for example, and paste the public key into it.

nano .ssh/authorized_keys

Paste the contents of the id_rsa.pub file: a single line starting with ssh-rsa, followed by the key material and an optional comment. Each key occupies exactly one line; several keys can be listed, one per line.

Exit the editor by saving the file.

From now on, you can connect from your computer to the Linux machine over SSH without a password (only the key passphrase, if you set one); utilisateur is the account name and ip_serveur the server address:

ssh utilisateur@ip_serveur
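The server-side steps above (create .ssh, create authorized_keys, paste the key) are the place where key logins most often fail in practice, usually because of permissions that sshd's StrictModes rejects, or because a private key was pasted by mistake. The following bash script, which is an added example and not part of the original tutorial, performs those steps in one idempotent function with the correct modes; the home directory, the key line and the user name rdrit are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): install a public key on the
# server side with the permissions sshd expects. With StrictModes (the default)
# sshd silently ignores authorized_keys when ~/.ssh or the file is writable by
# others, which is the usual reason a freshly installed key "does not work".
set -euo pipefail

# mode_of <path>: octal permission bits, GNU stat first, BSD stat as fallback.
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# install_authorized_key <home_dir> <public_key_line>
# Creates <home_dir>/.ssh (0700) and authorized_keys (0600) if missing and
# appends the key unless the same key material is already present, so the
# function can be run repeatedly. Returns 1 for input that is not a public key.
install_authorized_key() {
    local home_dir="$1" pubkey="$2"
    local ssh_dir="$home_dir/.ssh" auth="$home_dir/.ssh/authorized_keys"

    # An OpenSSH public key is one line: "<type> <base64> [comment]".
    # Anything else (typically a pasted private key) is rejected.
    case "$pubkey" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"

    # Compare type and key material only, so a different comment does not
    # produce a duplicate entry.
    local material existing
    material=$(printf '%s\n' "$pubkey" | awk '{print $1 " " $2}')
    existing=$(awk '{print $1 " " $2}' "$auth")
    if grep -qxF -- "$material" <<< "$existing"; then
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth"
}

# check_key_perms <home_dir>: 0 if the directory and file modes are what
# sshd's StrictModes accepts.
check_key_perms() {
    [ "$(mode_of "$1/.ssh")" = 700 ] && [ "$(mode_of "$1/.ssh/authorized_keys")" = 600 ]
}
```

Typical use on the server, as the target user or as root with the user's home directory: install_authorized_key /home/rdrit "$(cat id_rsa.pub)" followed by check_key_perms /home/rdrit. If a key still does not work afterwards, the reason is printed in the server's auth log (journalctl -u ssh or /var/log/auth.log).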

Disable password authentication on the SSH server

This step is optional, but it raises the security level of your server considerably: password guessing and brute-force attacks from the Internet stop working altogether, and guessing a 4096-bit RSA private key is computationally out of reach.

Before performing this operation, take a very important precaution: make sure you have a way to reach the machine other than SSH, that is, a KVM for a VPS rented on the Internet, the Hyper-V / VMware console for a virtual machine, or, for a physical server, physical access or iLO / iDRAC.

With a leased physical server (Scaleway, OVH, etc.), entry-level offerings do not include KVM access; if you lose your private key (or the authorized_keys entry on the server), it becomes impossible to regain control of the machine.

Edit the SSH server configuration file

sudo nano /etc/ssh/sshd_config

Look for the PasswordAuthentication directive; if it is commented out, uncomment it and set the value to no. If it does not exist, add the line. Also set ChallengeResponseAuthentication no (KbdInteractiveAuthentication on recent OpenSSH releases), otherwise a password prompt can still come through the keyboard-interactive path. On Debian and Ubuntu, check the files under /etc/ssh/sshd_config.d/ as well: sshd keeps the first value it reads for a directive, and a drop-in such as 50-cloud-init.conf that sets PasswordAuthentication yes is included near the top of sshd_config, before your line, and therefore wins.

Save the file, check the syntax with sshd -t (a syntax error would prevent sshd from restarting), and restart the ssh service to apply the configuration. Keep your current session open and test a new connection from a second terminal before closing it.

sudo systemctl restart sshd

It is now no longer possible to log in with a password; you can confirm the effective setting with sudo sshd -T, which prints the configuration sshd is really using.
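Because sshd takes the first value it reads and processes Include lines where they appear, the line you add to sshd_config can be silently overridden by a drop-in. The bash script below, an added example that is not part of the original tutorial, reproduces that lookup rule on constructed config files so the effect is visible offline; on a real server the authoritative check is sudo sshd -T | grep -i passwordauthentication. The file layout, the 50-cloud-init.conf name and the function names are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): reproduce sshd's lookup rule
# for a directive so you can see which file actually decides it. sshd keeps the
# FIRST value it reads for a directive and processes Include lines at the point
# where they appear, so a drop-in included near the top of sshd_config beats a
# line you add further down. On a real server run `sudo sshd -T | grep -i
# passwordauthentication`; this script works on constructed files instead.
set -euo pipefail

# _sshd_walk <file> <directive_lowercase> <base_dir>
# Prints the first value of the directive in <file>, descending into Include
# globs in order. Stops at a Match line: what follows it is conditional, not
# global (an approximation of sshd -T without -C). Returns 1 if not found.
_sshd_walk() {
    local file="$1" want="$2" base="$3"
    local line key val pat f pats
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"        # drop comments
        line="${line/=/ }"        # "Key=value" is also accepted by sshd
        read -r key val <<< "$line" || true
        [ -z "${key:-}" ] && continue
        key="${key,,}"            # directives are case-insensitive
        case "$key" in
            match) return 1 ;;
            include)
                read -ra pats <<< "$val"
                for pat in "${pats[@]}"; do
                    [[ "$pat" = /* ]] || pat="$base/$pat"   # sshd resolves relative paths under /etc/ssh
                    for f in $pat; do                       # unquoted on purpose: Include arguments are globs
                        [ -e "$f" ] || continue
                        if _sshd_walk "$f" "$want" "$base"; then return 0; fi
                    done
                done ;;
            "$want") printf '%s\n' "$val"; return 0 ;;
        esac
    done < "$file"
    return 1
}

# effective_value <sshd_config> <Directive>: the value sshd will use, or exit
# status 1 when the directive is not set anywhere (sshd then uses its
# compiled-in default, which for PasswordAuthentication is yes).
effective_value() {
    local cfg="$1"
    _sshd_walk "$cfg" "${2,,}" "$(dirname "$cfg")"
}

# make_demo_config: constructed sample mirroring a Debian/Ubuntu layout where
# cloud-init ships 50-cloud-init.conf containing PasswordAuthentication yes.
# Prints the temporary directory it created.
make_demo_config() {
    local d
    d=$(mktemp -d)
    mkdir "$d/sshd_config.d"
    cat > "$d/sshd_config" <<'EOF'
# constructed sample: the Include comes first, as on Ubuntu
Include sshd_config.d/*.conf
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-cloud-init.conf"
    printf '%s\n' "$d"
}
```

With the sample layout, effective_value "$d/sshd_config" PasswordAuthentication prints yes even though sshd_config says no; once the drop-in is removed (or edited to say no) the same call prints no. The fix on a real Ubuntu server is the same: edit or remove the drop-in, or add your own drop-in that sorts before it.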

Use sudo without password

In the last part of this tutorial, I will explain how to avoid the password prompt when using sudo.

This manipulation increases the exposure of your server, especially if your private key is stolen: whoever holds the key then gets root without any further secret. If you do it anyway, prefer limiting NOPASSWD to the specific commands that need it rather than ALL.

Open the /etc/sudoers file with visudo, which checks the syntax before saving (a syntax error in /etc/sudoers would lock everybody out of sudo). It uses nano or vi depending on the EDITOR variable:

sudo visudo

At the end, add the line below, adapting it to your user (utilisateur is the account name):

utilisateur    ALL=(ALL) NOPASSWD:ALL

Save the file; visudo refuses to save it if the syntax is wrong.

You can now run sudo commands without being asked for a password.
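A cleaner way to apply the same rule is a drop-in under /etc/sudoers.d, scoped to the commands that actually need it and validated before it takes effect. The bash script below is an added example, not code from the original tutorial; the user name rdrit, the file name 90-rdrit and the command list are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): put the NOPASSWD rule in a
# drop-in under /etc/sudoers.d instead of editing /etc/sudoers, scope it to the
# commands that really need it, and validate the syntax before it takes effect.
# The user name rdrit and the command list are assumptions for illustration.
set -euo pipefail

# mode_of <path>: octal permission bits, GNU stat first, BSD stat as fallback.
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# sudoers_rule <user> [full_path_to_command ...]
# With no commands, prints the tutorial's wide-open rule (root for free to
# whoever holds the key). With commands, NOPASSWD covers only those; anything
# else still prompts for the password.
sudoers_rule() {
    local user="$1"; shift
    if [ $# -eq 0 ]; then
        printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$user"
    else
        local joined="$1"; shift
        for c in "$@"; do joined="$joined, $c"; done
        printf '%s ALL=(ALL) NOPASSWD: %s\n' "$user" "$joined"
    fi
}

# write_sudoers_dropin <sudoers_d_dir> <user> [full_path_to_command ...]
# Writes <dir>/90-<user> with mode 0440. The file is built under a temporary
# name and only moved into place once `visudo -cf` accepts it, so a typo can
# never leave a broken file in sudoers.d. sudo ignores files whose name
# contains a "." or ends in "~", so such user names are refused instead of
# producing a rule that silently never applies.
write_sudoers_dropin() {
    local dir="$1" user="$2"; shift 2
    case "$user" in
        *.*|*~) echo "refusing: sudo would ignore $dir/90-$user" >&2; return 1 ;;
    esac
    local target="$dir/90-$user" tmp
    tmp=$(mktemp "$dir/.90-$user.XXXXXX")   # dotted name: ignored by sudo until renamed
    sudoers_rule "$user" "$@" > "$tmp"
    chmod 0440 "$tmp"
    # visudo -c also checks owner and mode, which only makes sense as root
    # (the real deployment case); skip it when visudo is absent or we are not root.
    if command -v visudo >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$target"
}
```

Typical use as root: write_sudoers_dropin /etc/sudoers.d rdrit /usr/bin/systemctl /usr/bin/apt-get gives rdrit password-less sudo for those two commands only, while sudo for anything else keeps asking for the password; calling it without a command list reproduces the wide-open rule from the tutorial.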
