How to set up SSH passwordless login in RHEL 6 & 7



Issue

  • How to set up SSH password-less login
  • How do I set up SSH passwordless login
  • How to install SSH identity key onto a remote host on Red Hat Enterprise Linux
  • How to transfer files between servers without username/password.
  • Getting the error below on the ssh client side even after appending the rsa public key to the remote server. Trying the following from the primary server after configuring the rsa key:
[user@server]$ ssh someuser@1.2.3.4
Connection closed by 1.2.3.4
  • Getting the error below on the ssh server side in /var/log/secure:
sshd[xxxx]: Authentication refused: bad ownership or modes for directory /home/XXX
 

Resolution

1.      If an SSH authentication-key file does not exist, generate one by running the ssh-keygen command
When prompted for a passphrase, use a blank passphrase if fully password-less login is required:
 [user@ssh-client ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
1e:b2:f4:89:5a:7f:2d:a5:a5:4d:6d:66:2c:82:d8:18 root@ssh-client
2.      Use the ssh-copy-id command to install the public half of the newly-generated authentication key into a specific user's home directory on a specific (likely remote) host:
 [user@ssh-client ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub user@ssh-server
user@ssh-server's password:
Now try logging into the machine, with ssh 'user@ssh-server', and check in:
  ~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Alternatively, if openssh-clients is not installed on the server, you can copy the authentication key with the command:
cat ~/.ssh/id_rsa.pub | ssh user@123.45.56.78 "cat >> ~/.ssh/authorized_keys"
3.      When prompted, provide the password of the remote user.
The ssh-copy-id command will then automatically append the identity information to the ~/.ssh/authorized_keys file for the specified user on the remote host (creating ~/.ssh and ~/.ssh/authorized_keys if necessary).
4.      Log out and then initiate an ssh connection again -- it should not require entering a passphrase. If it still prompts for a passphrase and you want passwordless authentication, use the "ssh-add" command to add the key to the authentication agent.

==>If you failed to log in using SSH publickey authentication

  • The most common cause of problems with getting key-based ssh authentication to work is file permissions on the remote ssh server.
If the above steps were followed and ssh'ing to the appropriate user still prompts for a password, inspect the permissions on both the local and remote user's files with the following command:
 [user@ssh-server ~]$ ls -ld ~/{,.ssh,.ssh/authorized_keys*}
drwx------. 25 user user 4096 Aug 21 11:01 /home/user/
drwx------.  2 user user 4096 Aug 17 13:13 /home/user/.ssh
-rw-------.  1 user user  420 Aug 17 13:13 /home/user/.ssh/authorized_keys
  • Ensure that the permissions on the directory and file are as follows:
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh/
If group or other permissions for any of those 3 files contain w (write), key-based authentication will fail. If permissions other than those specified above must be kept, disable StrictModes in /etc/ssh/sshd_config:
StrictModes no
Then restart the sshd service:
 [root@ssh-server ~]# service sshd restart
NOTE: After disabling StrictModes, sshd does not check the file modes and ownership of the user's files and home directory before accepting login.
  • SELinux can also potentially prevent sshd from accessing the ~/.ssh directory on the server.
This problem can be ruled out (or resolved) by running restorecon as follows on the remote user's ~/.ssh directory:
 [user@ssh-server ~]$ restorecon -Rv ~/.ssh
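
The permission rule described above can be checked on the server before touching StrictModes. This is an added example, not part of the original article; the function name audit_ssh_modes and the throw-away demo directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the three paths the article lists (home directory,
# ~/.ssh, ~/.ssh/authorized_keys) for the conditions that make sshd log
# "Authentication refused: bad ownership or modes".
# Usage: audit_ssh_modes HOME_DIR OWNER   (OWNER = login name or numeric uid)
# Prints one line per problem; returns 0 when clean, 1 otherwise.
audit_ssh_modes() {
    home=$1 owner=$2 rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"; rc=1; continue
        fi
        # Group- or world-writable? (-perm -N is true when every bit in N is set)
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE $p (group/other write bit set)"; rc=1
        fi
        # Owned by someone other than the account itself or root (uid 0)?
        if [ -n "$(find "$p" -prune ! -user "$owner" ! -user 0 -print)" ]; then
            echo "OWNER    $p (not owned by $owner or root)"; rc=1
        fi
    done
    return $rc
}

# Constructed demo: a temporary "home" whose ~/.ssh is group-writable.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && : > "$demo/.ssh/authorized_keys"
chmod 700 "$demo"; chmod 770 "$demo/.ssh"; chmod 600 "$demo/.ssh/authorized_keys"
audit_ssh_modes "$demo" "$(id -u)" || echo "sshd with StrictModes yes would refuse this account"
rm -rf "$demo"
```

Run it as root against a real account with, for example, audit_ssh_modes /home/user user; a clean result means the modes are not the cause and the SELinux check below is the next step.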

==>How to use RSA public key authentication:

The following must be configured in /etc/ssh/sshd_config:
RSAAuthentication yes
PubkeyAuthentication yes
To enable the change, restart the SSH daemon:
 [root@ssh-server ~]# service sshd restart

Comment

  • To prevent unauthorized use of an ssh private key, make sure to enter a passphrase when generating a key with ssh-keygen

==>Diagnostic Steps

  • If the ssh-copy-id -i ~/.ssh/id_rsa.pub user@ssh-server command syntax is used and an attempted login prompts for a passphrase (and this is not desired), then please create a new key with ssh-keygen. Hit enter to leave the key passphrase blank (if desired).
  • Example Output:
root@testbox# ssh root@192.168.122.63
Enter passphrase for key '/root/.ssh/id_rsa': 
Enter passphrase for key '/root/.ssh/id_rsa': 
Enter passphrase for key '/root/.ssh/id_rsa': 
root@192.168.122.63's password: 
Last login: Sat Apr 12 19:51:39 2014 from 192.168.122.1
  • After regenerating the key:
root@testbox# ssh root@192.168.122.63
Last login: Sat Apr 12 19:54:14 2014 from 192.168.122.1
[root@testbox ~]# 
  • The Enter passphrase for key prompt no longer appears.
  • Check if the following line is uncommented in the /etc/ssh/sshd_config file.
AuthorizedKeysFile /root/.ssh/authorized_keys
When set, this line causes the server to look for authorized_keys under /root instead of in the /home/user1/authorized_keys file.
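
The sshd_config settings this article touches (PubkeyAuthentication, StrictModes, AuthorizedKeysFile) can be checked together. This is an added example, not from the original article; sshd_effective and audit_sshd_pubkey are hypothetical helper names and the config fragment is constructed. It reads only the global section of the file; on a live server, sshd -T prints the effective configuration.

```shell
#!/bin/sh
# Added example (not from the original article).
# sshd_effective KEYWORD FILE: print the global value sshd would use.
# Keywords are case-insensitive, the first occurrence wins, and settings
# after a "Match" line are conditional, so parsing stops there.
sshd_effective() {
    awk -v want="$1" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim the line
        /^#/ || /^$/           { next }                # comment or blank
        tolower($1) == "match" { exit }                # end of global section
        tolower($1) == tolower(want) {
            sub(/^[^ \t]+[ \t]+/, ""); print; exit     # keep only the value
        }' "$2"
}

# audit_sshd_pubkey FILE: report on the settings discussed in this article.
# Returns 0 when key login is enabled and the default safety checks are on.
audit_sshd_pubkey() {
    cfg=$1 rc=0
    v=$(sshd_effective PubkeyAuthentication "$cfg" | tr 'A-Z' 'a-z')
    [ "${v:-yes}" = yes ] || { echo "PubkeyAuthentication=$v: keys are never tried"; rc=1; }
    v=$(sshd_effective StrictModes "$cfg" | tr 'A-Z' 'a-z')
    [ "${v:-yes}" = yes ] || { echo "StrictModes=$v: file modes/ownership not checked"; rc=1; }
    v=$(sshd_effective AuthorizedKeysFile "$cfg")
    case $v in
        *%*) ;;                                        # per-user token such as %h or %u
        /*)  echo "AuthorizedKeysFile=$v: one fixed file for every account"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample reproducing the misconfiguration described above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
PubkeyAuthentication yes
strictmodes no
AuthorizedKeysFile /root/.ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
EOF
audit_sshd_pubkey "$sample" || echo "review the settings above before restarting sshd"
rm -f "$sample"
```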
