Passwordless SSH Authentication

This guide will show you how to log in to your Linux servers without typing your password from your Windows OS.

What is Passwordless SSH Authentication?

Passwordless SSH Authentication is a more secure alternative to typing in your account password. It uses public-key cryptography to authenticate hosts and users; the key pair serves as the proof of identity required in lieu of a password.

However, more secure does not mean unhackable. A public key is another type of credential, just like a password, and it should be removed from your server as soon as it is no longer needed or has been compromised.

How does Passwordless SSH Authentication work?

Remember in the movies, when the lovers separated, they broke a necklace or medallion in half? Only when they got back together could they put it back as one, and true love won the day? Same thing here.

The client (your computer) generates the SSH key pair, which is a public key and a private key. You only need to do this once.

The client's public key is something the computer always hands out to anyone, even the bad guys. The client's private key is the only key that pairs with its own public key, and holding it is the proof that the public key belongs to the client.

To make it simpler, the public key is the padlock and the private key is the key to that padlock.

The process:

  1. The client tries to connect to the server by SSH using its public key.
  2. The server checks whether the client's public key matches any of the public keys in its authorized_keys file.
  3. Once the server has matched the client's public key against the authorized_keys file, it challenges the client with an encrypted message. If the client can work it out, it is allowed to connect.
  4. The client decrypts the encrypted message with its private key.
  5. The client and server settle a few remaining parameters and the session begins.

Because the commands and responses are encrypted, a Man-In-The-Middle attacker cannot read the traffic, which provides better security than password-based logins. The attacker would need to have both keys.

To set up passwordless SSH in your environment, you need to complete three main steps:

  1. Generate the client's SSH key pair.
  2. Check that the .ssh folder exists in the home directory of the remote account.
  3. Upload the public key to the server.

Generating client SSH key pair

In Windows OS, open PowerShell and execute the line below:

ssh-keygen.exe -b 4096
4096 is the number of bits; the bigger, the better.

It will prompt you for the file in which to save the key. Use the default option: leave it blank and press ENTER to continue.

Enter file in which to save the key (C:\Users\user/.ssh/id_rsa):

You can enter a passphrase for more security. However, you would then have to type the passphrase each time you connect, so it would no longer be a passwordless login.

Leave blank and press ENTER for an empty passphrase for both prompts.

Created directory 'C:\Users\user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

Take note of the location of both your private and public keys.

  • Public key -> id_rsa.pub
  • Private key -> id_rsa
Your identification has been saved in C:\Users\user/.ssh/id_rsa.
Your public key has been saved in C:\Users\user/.ssh/id_rsa.pub.

Check if .ssh folder is missing in ~/

The server needs to know who you are. This is done by uploading the public key you just generated. But before that, you need to make sure the destination folder (~/.ssh) exists.

SSH to the server with your login password.

ssh [email protected]

Run ls -al to check whether the .ssh folder is in your home directory.

myusername@ubuntu-demo:~$ ls -al
total 28
drwxr-x--- 3 myusername myusername 4096 Jan 21 07:23 .
drwxr-xr-x 3 root       root       4096 Jan 21 06:48 ..
-rw------- 1 myusername myusername   88 Jan 21 08:36 .bash_history
-rw-r--r-- 1 myusername myusername  220 Jan 21 06:48 .bash_logout
-rw-r--r-- 1 myusername myusername 3771 Jan 21 06:48 .bashrc
drwx------ 2 myusername myusername 4096 Jan 21 07:22 .cache
-rw-r--r-- 1 myusername myusername  807 Jan 21 06:48 .profile

If it is not there, run the command below to create it and restrict its permissions so that only your own account can read, write and enter it (mode 700).

mkdir ~/.ssh && chmod 700 ~/.ssh
~ means your home directory, the equivalent of $env:USERPROFILE on Windows.

Log out from the SSH.

Upload the Public Key to the server

This is the final step. But how do we upload the key to the server? With the scp command.

scp $env:USERPROFILE/.ssh/id_rsa.pub [email protected]:~/.ssh/authorized_keys
SCP (secure copy) is a command-line utility that securely copies files and directories between two locations over port 22, the same port as SSH.

Test your Passwordless SSH login

Time to make sure the key actually works as intended. To test it, log in to the server again as you normally would. No password should be needed.

ssh [email protected]
It should log you in automatically.

If you are still asked for your password, change the permissions of the authorized_keys file to 600 and retry.

chmod 600 ~/.ssh/authorized_keys
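The server-side half of the procedure (create ~/.ssh, install the key, fix the 700/600 permissions) gathered into one script, as an added example that is not part of the original guide. Note that the scp command above replaces any existing authorized_keys file, so this helper appends instead and skips a key that is already present; the function names, the optional home-directory argument and the sample key lines in the comments are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original guide. Installs an OpenSSH public key
# into a user's authorized_keys the way the guide describes, but without
# overwriting keys that are already there.
# Usage: install_authorized_key /path/to/id_rsa.pub [home_dir]
install_authorized_key() {
    pubkey_file=$1
    home_dir=${2:-$HOME}
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # A public key line looks like: "<type> <base64 blob> [comment]".
    key_line=$(head -n 1 "$pubkey_file") || return 1
    case "$key_line" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac
    # Only the type and blob identify a key; the comment may differ.
    key_id=$(printf '%s\n' "$key_line" | awk '{print $1, $2}')

    # Same permissions the guide sets by hand: 700 on ~/.ssh, 600 on the file.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Skip if this key is already authorized (idempotent re-runs).
    if awk -v id="$key_id" '($1" "$2)==id {found=1} END {exit !found}' "$auth_file"; then
        echo "key already authorized" >&2
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# Returns 0 only if the permissions the guide requires are in place
# (sshd refuses keys in world-readable files; this is the 600 fix above).
check_ssh_perms() {
    home_dir=${1:-$HOME}
    [ "$(stat -c %a "$home_dir/.ssh")" = "700" ] || return 1
    [ "$(stat -c %a "$home_dir/.ssh/authorized_keys")" = "600" ] || return 1
}

# Number of keys currently authorized; useful for the key clean-up the guide
# recommends, since stale keys otherwise pile up unnoticed.
count_authorized_keys() {
    grep -c -E '^(ssh-|ecdsa-)' "${1:-$HOME}/.ssh/authorized_keys"
}
```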

Pros and Cons of using Passwordless SSH

There are always pros and cons when it comes to security. If you want to start using it, understand the potential risks before they become a problem.

Pros:
  • Makes the authentication experience pleasant
  • Better security against brute force attacks
  • Connects more quickly than typing in your password
  • Allows automation scripts and background file transfers to run securely

Cons:

  • Public keys will pile up if you don't do any key management on the server
  • Man-In-The-Middle attacks are still a risk if both your public and private keys are stolen or compromised (which is why key management is important)

Conclusions

Vulnerabilities are everywhere, and no security is perfect. If these risks are addressed with caution and best practices are followed, you should be fine.