Passwordless SSH Authentication
This guide will show you how to log in to your Linux servers without typing your password from your Windows OS.
What is Passwordless SSH Authentication?
Passwordless SSH Authentication is a more secure alternative to typing in your account password. It uses public-key cryptography to authenticate hosts and users: the key pair serves as the proof of identity required in lieu of a password.
However, a more secure alternative does not mean unhackable. A public key is another type of credential, just like a password, and it should be removed from your server as soon as it is no longer needed or has been compromised.
How does Passwordless SSH Authentication work?
Remember in the movies, when the lovers separated, they broke a necklace or medallion in half? Only when they got back together could they fit the halves into one, and true love won the day. The same idea applies here.
The client (your computer) generates the SSH key pair, which is a public key and a private key. You only need to do this once.
The client's public key is something the computer hands out to anyone, even the bad guys. The client's private key is the only key that pairs with that public key, and it is the proof that the public key belongs to the client.
To make it simpler, the public key is the padlock and the private key is the key to that padlock.
The process:
- The client tries to connect to the server by SSH using its public key.
- The server checks whether the client's public key matches any of the public keys in its authorized_keys file.
- Once the server matches the client's public key with the authorized_keys file, it challenges the client with an encrypted message. If the client can figure it out, it can connect.
- The client decrypts the encrypted message with its private key.
- The client and server hash out a few parameters and get the party started.
As the commands and responses are encrypted, a Man-In-The-Middle attacker cannot read the traffic, which provides better security than password-based logins. The attacker would need to have both keys.
To set up passwordless SSH within your environment, you need to complete three main steps:
- Generate the client's SSH key pair.
- Check that the .ssh folder exists in the home directory of the remote account.
- Upload the public key to the server.
Generating client SSH key pair
In Windows OS, open PowerShell and execute the line below:
It will prompt you for the file in which to save the key. Let's use the default option: leave it blank and press ENTER to continue.
Enter file in which to save the key (C:\Users\user/.ssh/id_rsa):
You can enter a passphrase for more security. However, you would then have to key in the passphrase each time you connect, so it would no longer be a passwordless login.
Leave both prompts blank and press ENTER for an empty passphrase.
Created directory 'C:\Users\user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Take note of the location of both your private and public keys.
- Public key -> id_rsa.pub
- Private key -> id_rsa
Your identification has been saved in C:\Users\user/.ssh/id_rsa.
Your public key has been saved in C:\Users\user/.ssh/id_rsa.pub.
Check if .ssh folder is missing in ~/
The server needs to know who you are. You do this by uploading the public key you just generated. But before that, make sure the destination folder (~/.ssh) exists.
SSH to the server with your login password.
ssh myusername@<server-address>
Run the ls -al command to check whether the .ssh folder is in your home directory.
myusername@ubuntu-demo:~$ ls -al
total 28
drwxr-x--- 3 myusername myusername 4096 Jan 21 07:23 .
drwxr-xr-x 3 root root 4096 Jan 21 06:48 ..
-rw------- 1 myusername myusername 88 Jan 21 08:36 .bash_history
-rw-r--r-- 1 myusername myusername 220 Jan 21 06:48 .bash_logout
-rw-r--r-- 1 myusername myusername 3771 Jan 21 06:48 .bashrc
drwx------ 2 myusername myusername 4096 Jan 21 07:22 .cache
-rw-r--r-- 1 myusername myusername 807 Jan 21 06:48 .profile
If it is not there, run the command below to create it and give read permission to everyone who needs it.
Then log out of the SSH session.
Upload the Public Key to the server
This is the final step. But how do we upload the key to the server? By using the scp command.
Test your Passwordless SSH login
Time to ensure that the key is actually working as intended. To test the key, log in to the server again as you would normally. No password is needed.
If the login still asks for your password, change the permissions of the authorized_keys file to 600 and retry.
chmod 600 ~/.ssh/authorized_keys
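An added example, not part of the original guide, showing the server-side half of the steps above as a POSIX shell script: it creates ~/.ssh if missing, appends the uploaded public key to authorized_keys without duplicating it, and sets the 700/600 permissions that sshd expects. The sample key, the key_count and perms_ok helpers and the paths are constructed for illustration; perms_ok assumes GNU stat.

```sh
#!/bin/sh
# Server-side installation of an uploaded public key (added example).
# Constructed sample key for stand-alone runs; not a real user's key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleEx demo@windows-pc'

# install_pubkey <home_dir> <pubkey_file>
# Returns 0 on success, 1 if the file is not exactly one public-key line.
install_pubkey() {
  hdir="$1"; pubkey="$2"
  # Accept only "<type> <base64 blob> [comment]" so junk never lands in authorized_keys.
  if ! grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)' "$pubkey" \
     || [ "$(grep -c '' "$pubkey")" -ne 1 ]; then
    return 1
  fi
  mkdir -p "$hdir/.ssh"          # the folder the guide's "ls -al" looks for
  chmod 700 "$hdir/.ssh"         # sshd rejects group/world-writable .ssh dirs
  touch "$hdir/.ssh/authorized_keys"
  # Append only if this exact key is absent, so keys do not pile up.
  if ! grep -Fqx "$(cat "$pubkey")" "$hdir/.ssh/authorized_keys"; then
    printf '%s\n' "$(cat "$pubkey")" >> "$hdir/.ssh/authorized_keys"
  fi
  chmod 600 "$hdir/.ssh/authorized_keys"   # the fix from the troubleshooting step
}

# key_count <home_dir>: number of keys currently authorized for the account
key_count() {
  grep -c '' "$1/.ssh/authorized_keys"
}

# perms_ok <home_dir>: succeeds if .ssh is 700 and authorized_keys is 600 (GNU stat)
perms_ok() {
  [ "$(stat -c %a "$1/.ssh")" = 700 ] && [ "$(stat -c %a "$1/.ssh/authorized_keys")" = 600 ]
}
```

Copy the public key to the server with scp first, then run install_pubkey against the account's home directory and the copied file.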
Pros and Cons of using Passwordless SSH
There are always pros and cons when it comes to security. If you want to start using it, understand the potential risks before they materialize.
Pros:
- Makes the authentication experience pleasant
- Better security against brute force attacks
- Connects more quickly than typing in your password
- Allows automation scripts and background file transfers to run securely
Cons:
- Public keys will pile up if you don't do any key management on the server
- Man-In-The-Middle attacks are still a risk if both your public and private keys are stolen or compromised (which is why key management is important)
Conclusions
Vulnerabilities are everywhere, and no security is perfect. If these risks are addressed with caution and best practices are followed, you should be fine.