RHCSA Rapid Track
Configure a user account to use key-based authentication to log in to remote systems securely without a password.
You can configure your account for passwordless access to SSH servers that enabled key-based authentication, which is based on public key encryption (PKI).
To prepare your account, generate a cryptographically related pair of key files. One key is private and held only by you. The second key is your related public key, which is not secret. The private key acts as your authentication credential, and it must be stored securely. The public key is copied to your account on servers that you will remotely access, and verifies your use of your private key.
When you log in to your account on a remote server, the remote server uses your public key to encrypt a challenge message and send it to your SSH client. Your SSH client must then prove that it can decrypt this message, which demonstrates that you have the associated private key. If this verification succeeds, then your request is trusted, and you are granted access without giving a password.
Passwords can be easily learned or stolen, but securely stored private keys are harder to compromise.
Use the ssh-keygen command to create a key pair. By default, the ssh-keygen command saves your private and public keys in the ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub files, but you can specify a different name.
[user@host ~]$ssh-keygenGenerating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa):EnterCreated directory '/home/user/.ssh'. Enter passphrase (empty for no passphrase):EnterEnter same passphrase again:EnterYour identification has been saved in /home/user/.ssh/id_rsa. Your public key has been saved in /home/user/.ssh/id_rsa.pub. The key fingerprint is: SHA256:vxutUNPio3QDCyvkYm1 user@host.lab.example.com The key's randomart image is: +---[RSA 2048]----+ | | | . . | | o o o | | . = o o . | | o + = S E . | | ..O o + * + | |.+% O . + B . | |=*oO . . + * | |++. . +. | +----[SHA256]-----+
You can choose to provide a passphrase to ssh-keygen, which is used to encrypt your private key. Using a passphrase is recommended, so that your private key cannot be used by someone to access it. If you set a passphrase, then you must enter the passphrase each time that you use the private key. The passphrase is used locally to decrypt your private key before use, unlike your password, which must be sent in clear text across the network for use.
You can use the ssh-agent key manager locally, which caches your passphrase on first use in a login session, and then provides the passphrase for all subsequent private key use in the same login session. The ssh-agent command is discussed later in this section.
In the following example, a passphrase-protected private key is created with the public key.
[user@host ~]$ssh-keygen -f .ssh/key-with-passGenerating public/private rsa key pair. Enter passphrase (empty for no passphrase):your_passphraseEnter same passphrase again:your_passphraseYour identification has been saved in .ssh/key-with-pass. Your public key has been saved in .ssh/key-with-pass.pub. The key fingerprint is: SHA256:w3GGB7EyHUry4aOcNPKmhNKS7dl1YsMVLvFZJ77VxAo user@host.lab.example.com The key's randomart image is: +---[RSA 2048]----+ | . + =.o ... | | = B XEo o. | | . o O X =.... | | = = = B = o. | |= + * * S . | |.+ = o + . | | + . | | | | | +----[SHA256]-----+
The ssh-keygen command -f option specifies the files to save the keys in. In the preceding example, the ssh-keygen command saved the key pair in the /home/user/.ssh/key-with-pass and /home/user/.ssh/key-with-pass.pub files.
Warning
During new ssh-keygen command use, if you specify the name of an existing pair of key files, including the default id_rsa pair, you overwrite that existing key pair, which can be restored only if you have a backup for those files. Overwriting a key pair loses the original private key that is required to access accounts that you configured with the corresponding public key on remote servers.
If you cannot restore your local private key, then you lose access to remote servers until you distribute your new public key to replace the previous public key on each server. Always create backups of your keys, if they are overwritten or lost.
Generated SSH keys are stored by default in the .ssh subdirectory of your home directory. To function correctly, the private key must be readable and writable only by the user that it belongs to (octal permissions 600). The public key is not secure, and anyone on the system might also be able to read it (octal permissions 644).
To configure your remote account for access, copy your public key to the remote system. The ssh-copy-id command copies the public key of the SSH key pair to the remote system. You can specify a specific public key with the ssh-copy-id command, or use the default ~/.ssh/id_rsa.pub file.
[user@host ~]$ssh-copy-id -i .ssh/key-with-pass.pub user@remotehost/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/user/.ssh/id_rsa.pub" /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys user@remotehost's password:Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'user@remotehost'" and check to make sure that only the key(s) you wanted were added.redhat
After you place the public key, test the remote access, with the corresponding private key. If the configuration is correct, you access your account on the remote system without being asked for your account password. If you do not specify a private key file, then the ssh command uses the default ~/.ssh/id_rsa file if it exists.
Important
If you configured a passphrase to protect your private key, then SSH requests the passphrase on first use. However, if the key authentication succeeds, then you are not asked for your account password.
[user@host ~]$ssh -i .ssh/key-with-pass user@remotehostEnter passphrase for key '.ssh/key-with-pass':...output omitted... [user@remotehost ~]$your_passphrase
If you encrypt your private key with a passphrase, then you must enter the passphrase each time that you use the private key for authentication. However, you can configure the ssh-agent key manager to cache passphrases. Then, each time you use SSH, the ssh-agent key manager provides the passphrase for you. Using a key manager is convenient and can improve security by providing fewer opportunities for other people to observe your passphrase.
The ssh-agent key manager can be configured to start automatically when you log in. The GNOME graphical desktop environment can automatically start and configure the ssh-agent key manager. If you log in to a text environment, then you must start the ssh-agent program manually for each session. Start the ssh-agent program with the following command:
[user@host ~]$ eval $(ssh-agent)
Agent pid 10155When you manually start the ssh-agent command, it runs additional shell commands to set environment variables that are needed for use with the ssh-add command. You can manually load your private key passphrase to the key manager by using the ssh-add command.
The following example ssh-add commands add the private keys from the default ~/.ssh/id_rsa file and then from a ~/.ssh/key-with-pass file:
[user@host ~]$ssh-addIdentity added: /home/user/.ssh/id_rsa (user@host.lab.example.com) [user@host ~]$ssh-add .ssh/key-with-passEnter passphrase for .ssh/key-with-pass:Identity added: .ssh/key-with-pass (user@host.lab.example.com)your_passphrase
The following ssh command uses the default private key file to access your account on a remote SSH server:
[user@host ~]$ ssh user@remotehost
Last login: Mon Mar 14 06:51:36 2022 from host.example.com
[user@remotehost ~]$The following ssh command uses the ~/.ssh/key-with-pass private key to access your account on the remote server. The private key in this example was previously decrypted and added to the ssh-agent key manager; therefore the ssh command does not prompt you for the passphrase to decrypt the private key.
[user@host ~]$ ssh -i .ssh/key-with-pass user@remotehost
Last login: Mon Mar 14 06:58:43 2022 from host.example.com
[user@remotehost ~]$When you log out of a session that used an ssh-agent key manager, all cached passphrases are cleared from memory.
SSH can appear complex when remote access with key pair authentication is not succeeding. The ssh command provides three verbosity levels with the -v, -vv, and -vvv options, which respectively provide increasing debugging information during ssh command use.
The next example demonstrates the information that is provided when using the lowest verbosity option:
[user@host ~]$ssh -v user@remotehostOpenSSH_8.7p1, OpenSSL 3.0.1 14 Dec 2021debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/01-training.conf debug1: /etc/ssh/ssh_config.d/01-training.conf line 1: Applying options for * debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf ...output omitted... debug1: Connecting to remotehost [192.168.1.10] port 22.
debug1: Connection established. ...output omitted... debug1: Authenticating to remotehost:22 as 'user'
...output omitted... debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
...output omitted... debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:hDVJjD7xrUjXGZVRJQixxFV6NF/ssMjS6AuQ1+VqUc4
debug1: Server accepts key: /home/user/.ssh/id_rsa RSA SHA256:hDVJjD7xrUjXGZVRJQixxFV6NF/ssMjS6AuQ1+VqUc4
Authenticated to remotehost ([192.168.1.10]:22) using "publickey". ...output omitted... [user@remotehost ~]$
| OpenSSH and OpenSSL versions. |
| OpenSSH configuration files. |
| Connection to the remote host. |
| Trying to authenticate the user on the remote host. |
| Authentication methods that the remote host allows. |
| Trying to authenticate the user by using the SSH key. |
| Using the |
| The remote hosts accepts the SSH key. |
If an attempted authentication method fails, then a remote SSH server falls back to other allowed authentication methods, until all the available methods are tried. The next example demonstrates a remote access with an SSH key that fails, but then the SSH server offers password authentication that succeeds.
[user@host ~]$ssh -v user@remotehost...output omitted...debug1: Next authentication method: publickeydebug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:bsB6l5R184zvxNlrcRMmYd32oBkU1LgQj09dUBZ+Z/k debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password ...output omitted...debug1: Next authentication method: passworduser@remotehost's password:passwordAuthenticated to remotehost ([172.25.250.10]:22) using "password". ...output omitted... [user@remotehost ~]$
You can create the ~/.ssh/config file to preconfigure SSH connections. Within the configuration file, you can specify connection parameters such as users, keys, and ports for specific hosts. This file eliminates the need to manually specify command parameters each time that you connect to a host. Consider the following ~/.ssh/config file, which preconfigures two host connections with different users and keys:
[user@host ~]$ cat ~/.ssh/config
host servera
HostName servera.example.com
User usera
IdentityFile ~/.ssh/id_rsa_servera
host serverb
HostName serverb.example.com
User userb
IdentityFile ~/.ssh/id_rsa_serverbReferences
ssh-keygen(1), ssh-copy-id(1), ssh-agent(1), and ssh-add(1) man pages