Secure Shell (SSH)
Secure Shell (SSH) is a network protocol that enables secure communications between an SSH client and an SSH server over an unsecured network (e.g. the Internet). Classically SSH offers two high-level mechanisms for authentication – passwords and public-key cryptography. Public-key authentication is generally considered more secure because it avoids the need for storing passwords and eliminates the possibility of a compromised server giving up user passwords. A modern alternative is using passwordless SSH connections that employ a high-assurance authenticator instead of vulnerable passwords or cumbersome PKI.
When generating public-private key pairs, an optional passphrase can be set to encrypt and protect access to the private key. If no passphrase is set then users/applications authenticate using only their private key and without the use of a password – in other words, passwordless authentication. And even when a passphrase is set, it is used only to decrypt the private key and not to authenticate the user.
To set up a passwordless SSH login in Linux, you will need to:
- Generate a public-private key pair. If you already have keys on your client machine, then you can either use them instead of creating new ones or generate new ones. Creating new keys will overwrite existing keys. To generate a new SSH key pair type the following command:
ssh-keygen -t rsa -b 4096 -C "[email protected]"
This will create an RSA key pair that is 4096 bits long and label the keys with the email address you choose.
Unless specified otherwise, the keys will be stored in a default file location with a default file name:
- The ssh-keygen command will prompt the user to choose a security passphrase.Enter passphrase (empty for no passphrase):Passphrases are optional. If you choose not to apply one, then just press ‘Enter’ instead of setting a passphrase. Choosing not to add a passphrase results in passwordless SSH authentication. This is especially useful when the connecting SSH client is used by an unattended system/app. It is also the way to implement passwordless user authentication.
- To verify that the SSH keys were generated, you can list your new private and public keys with the following command:ls ~/.ssh/id_*/home/yourusername/.ssh/id_rsa/home/yourusername/.ssh/id_rsa.pub
At this point, all that remains to be done to enable login to your server without a password is to copy the public key to the server you want to connect to.
- Copy the public key to the server by typing the following command (requires the ssh-copy-id utility to be installed on the host):ssh-copy-id [email protected]_ip_addressYou will be prompted to enter the remote_server_username password.
[email protected]_ip_address’s password:Once the user is authenticated, the public key will be added to the remote user authorized_keys file and the connection will be closed.
Now that passwordless SSH login is configured, to prevent password-based login you will need to disable password-based authentication. To do this, you will need sudo user privileges.
- Log into your remote server with the SSH keys as a user with sudo privileges:
ssh [email protected]_ip_address
Open the SSH configuration file /etc/ssh/sshd_config and modify it as follows:
PasswordAuthentication no ChallengeResponseAuthentication no UsePAM no PubkeyAuthentication yes
For the change to take effect, save the file and restart the SSH service.
You are now setup with passwordless SSH login to your server.
Passwordless SSH means the SSH client connecting to the SSH server does not need to present the account password in order to establish the connection. Instead, the client uses an asymmetric cryptographic key pair (private key on the client) to authenticate.
Passwords are considered vulnerable because they are easy to steal and in many cases also easy to break. Passwordless authentication, when implemented properly using sound cryptography or other means, can provide a higher security for authentication.
Removing vulnerable passwords from the security equation makes passwordless SSH more secure.
Passwordless authentication is any authentication scheme that does not rely on the user having to recall a string (a password) that is used as a shared secret between two parties. Passwordless authentication could therefore be implemented in any number of ways. Common ways to implement it include cryptography and biometrics.
Passwordless SSH authentication is typically based on asymmetric cryptography (private and public key pair). You may use an authentication token to store the private key.