Public key authentication is used to access remote systems without having to type in a password to login every time. This is made possible by creating a SSH public-private key pair on the local system from where the user is trying to access the remote system. The public key can be uploaded to all remote systems, to make password less logins work from local to remote systems.
- Generating SSH key pair
- Copying public key to remote systems
- Copying public key to multiple remote systems with for loop and sshpass
- Copying public key to remote systems manually
- Troubleshooting failed SSH public key / password less authentication.
Generating SSH key pair
The easiest way to generate ssh key pair is to run the ssh-keygen without passing any arguments.
userA@localhost:~$ ssh-keygen
Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.ssh/id_rsa. Your public key has been saved in /home/user/.ssh/id_rsa.pub. The key fingerprint is: SHA256:fdSgjbnEV4Hgfoe5YM393QddsK3Z0aTNBz0DoirrW+c userA@localhost The key's randomart image is: +---[RSA 2048]----+ | . ..oo..| | . . . . .o.X.| | . . o. ..+ B| | . o.o .+ ..| | ..o.D o.. | | . %o= . | | @.B... . | | o.=. o. . . .| | .oo F. . .. | +----[SHA256]-----+
The keys are stored in /home/user/.ssh directory by default. This can be changed by passing argument ‘-f /path/to/key’, also the ssh-keygen tool provides an option to specify the path to file where the keys are stored.
As seen in the above example the tool prompts for an optional passphrase which is used to protect the private key.
The keys can be encrypted with RSA, DSA, ECDSA algorithms, by passing it with the ‘-t’ argument.
One can also specify the key size using the ‘-b’ argument.
Example:
ssh-keygen -t rsa -b 4096 ssh-keygen -t dsa ssh-keygen -t ecdsa -b 521 ssh-keygen -t ed25519
Copying public key to remote systems
Public key can be copied to remote system with the ssh-copy-id command.
ssh-copy-id -i ~/.ssh/id_rsa.pub username@remotehost #-i is used to specify the path to the public key
Copying public key to multiple remote systems with for loop and sshpass
One can use sshpass to quickly upload public keys to multiple hosts and without having to type in password multple times. This should work as long as the password is the same for the remote user on all systems. Also, sshpass needs to be installed for this to work.
Create a file ‘server-list’ with list of servers one per line and a file containing the password of remote user, and run the below command from the same directory.
for i in `cat server-list`; do sshpass -f mypassword_file ssh-copy-id -i ~/.ssh/id_rsa.pub -o StrictHostKeyChecking=no username@$i; done
Note that, this uses sshpass to read password stored as plain text. You can remove this file immediately after the task is completed. However if you’re concerned about security, you can choose to type in the password manually every time. In this case, just create the server-list file and run the below command from the same directory.
for i in `cat server-list`; do ssh-copy-id -i ~/.ssh/id_rsa.pub -o StrictHostKeyChecking=no username@$i; done
Note that public key authentication does not need the same user to be present on both local and remote systems.
For example:
UserA can generate a key pair and copy the public key to UserB’s ~/.ssh/authorized_keys file on remote host. Once this is done, UserA can run the below command and login password less to remotehost as userB.
userA@localhost:~$ ssh userB@remotehost
Copying public key to remote systems manually
Note that one can also copy the contents of the public key (id_rsa.pub) from local to remote manually. One has to just copy the contents carefully without any additional white spaces or line breaks and append it to remote user’s Authorised_key’s file (~/.ssh/authorized_keys). The below one liner copies the public key and appends it to the remote user’s authorized_keys.
cat ~/.ssh/id_rsa.pub | ssh username@hostname 'cat >> .ssh/authorized_keys && echo "Key copied successfully!"'
Note: If the .ssh directory does not exist or is not yet created on the remote user’s home, then this might fail. In this case, one has to ensure that .ssh is created before running the command.
Troubleshooting failed SSH public key / password less authentication.
1. If the home directory has changed for remote user, then .ssh has to be copied from old home directory to the new one
cp -rp /home/user/.ssh /new_home/user/.ssh
2. Public key authentication fails to work when the home directory or .ssh or authorized_keys of remote user has write permissions set for group and others.
Below are the recommended permissions to ensure correct working of password less authentication using public keys.
#Run the below on remote host as remote user, to fix permissions. chmod 700 ~/.ssh chmod 600 ~/.ssh/authorized_keys chmod go-w ~