SSH login with certificates – NO password needed !!!

April 5, 2020 - by Zsolt Agoston - last edited on April 25, 2020

You might have been wondering: do I really need to type in my long password every time I SSH into a remote server, possibly making a typo and having to start the password all over again, with no feedback on the screen to tell me whether I got it right?

Well, the good news is that there is a better way: using certificates. If you have an SSH client on your computer, your client SSH certificates live in one location, which is always [userprofile]/.ssh. These are basically the same X.509 SSL certificates you use with HTTPS: you have your public and private keys generated and stored there. By the way, it is the same on Windows too 🙂 , you have them under C:\Users\[username]\.ssh. If you want to learn more about PKI (asymmetric public-private key infrastructure), click HERE.

In that location you see four important files:

  1. id_rsa: your private key
  2. id_rsa.pub: your corresponding public key
  3. authorized_keys: the collection of public keys of remote users who can authenticate with your account. This is the important file for us.
  4. known_hosts: the collection of the public keys of all the remote servers that you have ever visited

root@pve:~/.ssh# pwd
/root/.ssh
root@pve:~/.ssh# ls -lah
total 24K
drwxr-xr-x 2 root root 4.0K Mar 28 12:48 .
drwx------ 4 root root 4.0K Mar 28 10:48 ..
lrwxrwxrwx 1 root root   29 Mar 18 22:08 authorized_keys -> /etc/pve/priv/authorized_keys
-rw-r----- 1 root root  117 Mar 18 22:08 config
-rw------- 1 root root 1.8K Mar 18 22:08 id_rsa
-rw-r--r-- 1 root root  390 Mar 18 22:08 id_rsa.pub
-rw-r--r-- 1 root root  222 Mar 28 12:48 known_hosts
root@pve:~/.ssh#

HOW IT WORKS

The idea is simple: having our public key is basically the same as having our password in hand. If we present our public key to the remote server and the server recognizes it as belonging to a trusted user, it logs us in.

The good news is that by default the SSH client tries your public key first; only when that fails are you prompted for your password.

We simply need to add the content of our public key file (id_rsa.pub) to the “authorized_keys” file on the remote server to be able to authenticate without typing in our password.

We have two users, Bob and Bill, solving this task two different ways. Let’s see Bob.

Bob wants to connect to “web” server as root with his public key. First, he makes sure that he has his ssh certificate files inside his ~/.ssh directory.

Bob@pve:~$ ls -lah ~/.ssh
total 8.0K
drwx------ 2 Bob Bob 4.0K Apr  5 17:02 .
drwxr-xr-x 3 Bob Bob 4.0K Apr  5 16:58 ..

OK, they are not there, so he generates them:

Bob@pve:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/Bob/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/Bob/.ssh/id_rsa.
Your public key has been saved in /home/Bob/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:QHQxkdhsPKfsOx1szS8OJXio5/6GlRLIpghMnclY0l0 Bob@pve
The key's randomart image is:
+---[RSA 2048]----+
| .*.+.+E=+       |
| o.* o..B..      |
|o    ..+ +       |
|..    +.+o       |
| . . o .Soo+.    |
|  . .  .o.*oo    |
|      . .B.. .   |
|       o+ o.. .  |
|       .o+....   |
+----[SHA256]-----+

He is ready for the next step!

AUTOMATED WAY

On the client machine Bob issues the ssh-copy-id command for root@web as follows, using the server’s IP address.

Bob@pve:~$ ssh-copy-id root@10.0.1.5
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/Bob/.ssh/id_rsa.pub"
The authenticity of host '10.0.1.5 (10.0.1.5)' can't be established.
ECDSA key fingerprint is SHA256:rhNf6NumTkLeOz5gz7DLo28dfbpZ3MbYIhEslMFzgZA.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.0.1.5's password:
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh 'root@10.0.1.5'"
and check to make sure that only the key(s) you wanted were added.

He is naturally prompted for the root account’s password on the “web” machine; after he enters it, the command does the rest of the job, adding his public key to the authorized keys on the remote box. Now he can simply log in without a password prompt:

Bob@pve:~$ ssh root@10.0.1.5
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)
 …
 …
Last login: Sun Apr  5 14:43:05 2020 from 10.255.255.15
root@web:~#

MANUAL WAY

Bill decides to do this the manual way. First, he lists the contents of his public key file and makes a copy of it.

Bill@pve:~$ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIIEoSRT9fgoQzK3T8GL8QFZ8UwCfPqe5oa2kuoa27Fgpf6MpVqo2B3C6sazI82o0fzoMAilF8fy9r5b6ucO0vR5OpgWqLxTT7Vn2KebZm2U8EdAB8YY0iwZx0GBBhetG+1p9NEr2r0J441mqkRAIOShAsAXpDiWIbL5x5oc6pq+oQrXqS6sG/wwNqLKJGL3/nO+hlT8kwA4fJPCuLV1h0hZjeT9oXoZPfa8Za9yvdhwp5B2PHVfwi5XNl62gsvoD3dS+0W6ffQe9J2NqpytiHDtz8FT55m2Vbntc9rC9qsiB1Tan8NtBf1Qh1pynhx+b/JDwJu9TvtQSuCb9vYNef Bill@pve

Now he SSHes into “web” as root and opens the /root/.ssh/authorized_keys file. If he wanted to authenticate as a user called New on the same box, he would open /home/New/.ssh/authorized_keys instead, and append his key to the end. Note that since he is logged in as the target user on the server, he can simply use the ~ symbol, which stands for the home folder of the target user (root or New as discussed here).

ssh root@10.0.1.5
vi ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsBQEJxrucq8k516Jgl9p+x56Jv1sJUvWiaxfsERvC/Lh9TspGfJwL+5jd/+zkskwDjShr2rLdVHbhR6hRtExrNnlzNg+ol6bEv8MWP3yjAjVwDaFveV7W+Hdt8i2IWmf5RaQLvT5zYg9wlhRY+riiVpn4hvfBX2yDhLFKmoFanF1koKqaLERur6dCD7B6lZo+u98fNSXUPNXP3YcuREloBpHmepIMZkFbA0u+vaocHBsgkRTmFCAegjpHJ1R+IjQK43Ur0j9WFg0+E+jKYisjEAFVaCyDxHcRBhPbcBAhsMHApA/CIXylm8ZWL0rvdzZ9YlQZpI8ezv1jOzGxfv4d Bob@pve
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIIEoSRT9fgoQzK3T8GL8QFZ8UwCfPqe5oa2kuoa27Fgpf6MpVqo2B3C6sazI82o0fzoMAilF8fy9r5b6ucO0vR5OpgWqLxTT7Vn2KebZm2U8EdAB8YY0iwZx0GBBhetG+1p9NEr2r0J441mqkRAIOShAsAXpDiWIbL5x5oc6pq+oQrXqS6sG/wwNqLKJGL3/nO+hlT8kwA4fJPCuLV1h0hZjeT9oXoZPfa8Za9yvdhwp5B2PHVfwi5XNl62gsvoD3dS+0W6ffQe9J2NqpytiHDtz8FT55m2Vbntc9rC9qsiB1Tan8NtBf1Qh1pynhx+b/JDwJu9TvtQSuCb9vYNef Bill@pve

He's all done; next time he tries to log in, he does so without receiving a password prompt 😉
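The manual step above (and the part of the job ssh-copy-id automates) as an added example, not code from the original article: a POSIX shell function that appends a public key line to the target user's authorized_keys, but only after validating that the line looks like an OpenSSH public key, skipping keys that are already present, and setting the permissions sshd requires. The function names and the sample key lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): append a public key to a
# target user's authorized_keys safely, instead of pasting it into vi by hand.

# add_authorized_key KEYLINE HOME_DIR
#   KEYLINE  one line in id_rsa.pub format: "<type> <base64> [comment]"
#   HOME_DIR the target user's home directory (e.g. /root or /home/New)
# Returns 0 if the key is present afterwards, 1 if the line is not a valid key.
add_authorized_key() {
    keyline=$1
    sshdir=$2/.ssh
    authfile=$sshdir/authorized_keys

    # Accept only the key types and base64 alphabet of an OpenSSH public key line.
    if ! printf '%s\n' "$keyline" | grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^ ]+)?$'; then
        echo "rejected: not an OpenSSH public key line" >&2
        return 1
    fi

    # With StrictModes (the sshd default) authorized_keys is ignored when ~/.ssh or
    # the file is group/world writable, so create both with restrictive modes first.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"

    # The trailing comment ("Bob@pve") is not part of the key: compare type and
    # blob only, so the same key pasted with another comment is not added twice.
    keyid=$(printf '%s' "$keyline" | cut -d' ' -f1,2)
    if cut -d' ' -f1,2 "$authfile" | grep -Fxq -- "$keyid"; then
        echo "already present: $keyid" >&2
        return 0
    fi
    printf '%s\n' "$keyline" >> "$authfile"
}

# count_keys HOME_DIR: number of key lines in that user's authorized_keys (0 if none)
count_keys() {
    if [ -f "$1/.ssh/authorized_keys" ]; then
        grep -c . "$1/.ssh/authorized_keys" || true
    else
        echo 0
    fi
}

# Usage: sh add_key.sh "$(cat ~/.ssh/id_rsa.pub)" /home/New
if [ $# -eq 2 ]; then
    add_authorized_key "$1" "$2"
fi
```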
