September 26, 2022 (updated September 28, 2022), by host_know_user
Introduction
SSH, or secure shell, is a secure protocol for administering and communicating with servers. When working with a CentOS server, you will most likely spend the majority of your time in a terminal session connected to your server via SSH.
This post will focus on configuring SSH keys for a CentOS 7 installation. SSH keys are a simple and safe way to get into your server and are recommended for all users.
Step 1: Creating the RSA Key Pair
On the client machine (usually your computer), the first step is to generate a key pair:
$ ssh-keygen
By default, ssh-keygen generates a 2048-bit RSA key pair, which is secure enough for most use cases (you may optionally pass the -b 4096 flag to create a larger 4096-bit key).
You should see the following prompt after entering the command:
Output
Generating public/private rsa key pair.
Enter file in which to save the key (/your_home/.ssh/id_rsa):
Press ENTER to save the key pair in the .ssh/ subdirectory of your home directory, or specify an alternate path.
If you previously generated an SSH key pair, you may see the following prompt:
If you overwrite the key on disk, you will no longer be able to authenticate with the previous key. Be very careful when choosing to overwrite, because this is a destructive process that cannot be undone.
The following prompt should appear:
Output:
Enter passphrase (empty for no passphrase):
You can optionally enter a secure passphrase here, which is highly recommended. A passphrase adds an extra layer of protection: someone who obtains the private key file cannot use it to log in without also knowing the passphrase.
The following prompt should appear:
Output
Your identification has been saved in /your_home/.ssh/id_rsa.
Your public key has been saved in /your_home/.ssh/id_rsa.pub.
The key fingerprint is:
You now have a public and private key to use for authentication. The next step is to install the public key on your server so that you can log in using SSH-key-based authentication.
Step 2: Copying the Public Key to the CentOS Server
The quickest approach to copy your public key to the CentOS host is to use the ssh-copy-id utility. If it is available, this method is highly recommended because of its simplicity. If you don’t have ssh-copy-id on your client machine, you can use one of the two alternative techniques described in this section (copying via password-based SSH, or manually copying the key).
Copying your Public Key Using ssh-copy-id
Many operating systems ship the ssh-copy-id utility by default, so you may already have it on your local machine. You must already have password-based SSH access to your server for this method to work.
To use the utility, simply indicate the remote host to which you want to connect and the user account to which you have password-based SSH access. This is the account that will receive your public SSH key.
The syntax is:
$ ssh-copy-id username@remote_host
You may see the following message:
Output:
The authenticity of host '237.1.156.1 (237.1.156.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
This indicates that your local machine does not yet know the remote host. This will happen when you connect to a new host for the first time. To proceed, type yes and hit ENTER.
The utility will then search your local account for the id_rsa.pub key you generated previously. When it locates the key, it will prompt you for the remote user’s account password:
Output:
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@237.1.156.1's password:
Enter the password (your typing will be hidden for security reasons) and press ENTER. The tool will use the password you provided to log in to the account on the remote host. It will then copy the contents of your ~/.ssh/id_rsa.pub key into a file called authorized_keys in the ~/.ssh directory of the remote account’s home.
You should get the following results:
Output:
1 key(s) were added.
Now try logging in with "ssh 'username@237.1.156.1'" and double-check that only the key(s) you wanted were added.
Your id_rsa.pub key has now been uploaded to the remote account. You can proceed to Step 3.
Using SSH to Copy a Public Key
If you don’t have ssh-copy-id but have password-based SSH access to a server account, you can upload your keys using a standard SSH procedure.
You can do this by reading the contents of the public SSH key on your local machine with the cat command and piping it across an SSH connection to the remote server.
On the remote side, you also need to ensure that the ~/.ssh directory exists and has the correct permissions under the account you’re using.
You can then pipe the contents of the key into a file called authorized_keys. Instead of overwriting the file, append to it with the >> redirect operator. This allows you to add keys without removing previously added keys.
Output
The authenticity of host '237.1.156.1 (237.1.156.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
This indicates that your local computer does not yet know the remote host. This will happen when you connect to a new host for the first time. To proceed, type yes and hit ENTER.
You should then be requested to enter the remote user account password:
Output:
username@237.1.156.1's password:
After entering your password, the content of your id_rsa.pub key will be appended to the end of the remote user’s authorized_keys file. If this was successful, move on to Step 3.
Manually Copying the Public Key
If you do not have password-based SSH access to your server, you must complete the process manually.
You will manually append the contents of your id_rsa.pub file to your remote machine’s ~/.ssh/authorized_keys file.
To view the contents of your id_rsa.pub key, enter the following on your local computer:
$ cat ~/.ssh/id_rsa.pub
You will see the content of the key, which should look like this:
Use whatever method you have available to connect to your remote host.
When you have access to your account on the remote server, check that the ~/.ssh directory exists. If necessary, this command will create the directory; otherwise, it will do nothing:
$ mkdir -p ~/.ssh
Within this directory, you can now create or edit the authorized_keys file. Using the following command, append the contents of your id_rsa.pub file to the end of the authorized_keys file, creating it if necessary:
Substitute the output of the cat ~/.ssh/id_rsa.pub command on your local system for the public key string in the preceding command. It should begin with ssh-rsa AAAA….
Finally, ensure that the following permissions are set for the ~/.ssh directory and the authorized_keys file:
$ chmod -R go= ~/.ssh
This recursively removes all “group” and “other” permissions from the ~/.ssh/ directory and everything in it.
If you are using the root account to set up keys for another user, it is also crucial that the ~/.ssh directory belongs to that user and not to root. The user in the following example is called sammy, but you should change the command to use the correct username.
$ chown -R sammy:sammy ~/.ssh
Passwordless authentication with your CentOS server is now possible.
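As an added example that is not part of the original tutorial, the following shell function performs the manual procedure of Step 2 in one idempotent call: it creates ~/.ssh, appends the key to authorized_keys only if that key is not already there, and applies the chmod and chown fixes above. The function names, the optional owner argument and the check that the line looks like an OpenSSH public key are assumptions of this example.

```shell
#!/bin/sh
# install_pubkey: the manual Step 2 procedure as one idempotent function.
# Added example, not from the original post; the function names and the
# "owner" argument are assumptions. Run on the server as the target user,
# or as root with the owner given so the directory is handed back to them.
# Usage: install_pubkey <home_dir> "<public key line>" [owner]
install_pubkey() {
    home="$1"; key="$2"; owner="$3"
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"

    # Accept only something shaped like an OpenSSH public key line
    # (key type, space, base64 blob), so a stray paste never lands in the file.
    case "$key" in
        "ssh-rsa AAAA"*|"ssh-ed25519 AAAA"*|ecdsa-sha2-*" AAAA"*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 2 ;;
    esac

    mkdir -p "$sshdir" || return 1      # same as the post's mkdir -p ~/.ssh
    touch "$auth"

    # Compare key type + blob only (the trailing comment may differ), and
    # append with >> only when absent, so repeated runs add no duplicates.
    blob=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if grep -qF -- "$blob" "$auth"; then
        echo "key already present"
    else
        printf '%s\n' "$key" >> "$auth" || return 1
        echo "key added"
    fi

    # The post's permission fix: strip all group/other bits recursively.
    chmod -R go= "$sshdir"
    # When run as root on a user's behalf, give the directory back to them.
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$owner" "$sshdir"
    fi
    return 0
}

# count_keys: number of key lines (ignoring blanks and comments) in an
# account's authorized_keys, handy for the "double-check" the post suggests.
count_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1/.ssh/authorized_keys"
}
```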
Step 3: Authenticating to your CentOS Server Using SSH Keys
If you followed one of the procedures above correctly, you should be able to log into the remote host without the remote account’s password.
The basic procedure remains the same:
$ ssh username@remote_host
If you are connecting to this host for the first time (via the last method described above), you may see something like this:
Output:
The authenticity of host '237.1.156.1 (237.1.156.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
This indicates that your local computer does not yet know the remote host. To proceed, type yes and then press ENTER.
You will be logged in immediately if you did not set a passphrase for your private key. If you provided a passphrase when you created the private key, you will be prompted to enter it now. Following authentication, a new shell session with the configured account on the CentOS server should be opened for you.
If key-based authentication was successful, read on to learn how to secure your system even further by disabling password authentication.
Step 4: Disabling Password Authentication on your Server
If you were able to log in using SSH without a password, you have successfully configured SSH-key-based authentication for your account. However, the password-based authentication mechanism remains active, which leaves your server exposed to brute-force attacks.
Before proceeding with the instructions in this section, ensure that you have SSH-key-based authentication configured for the root account on this server, or, preferably, for a non-root account on this server with sudo capabilities. This step will disable password-based logins, so make sure you still have administrative access.
Once you’ve confirmed that your remote account has administrative privileges, use SSH keys to connect to your remote server as root or an account with sudo privileges. Then, open the configuration file for the SSH daemon:
$ sudo vi /etc/ssh/sshd_config
Look for a directive called PasswordAuthentication within the file. This line may be commented out. If it is, press i to enter insert mode, then delete the # in front of the PasswordAuthentication directive to uncomment the line. Once you have found the directive, set its value to no. This prevents account passwords from being used to log in over SSH:
/etc/ssh/sshd_config
…
PasswordAuthentication no
…
When you’re through editing, press ESC and then type :wq to save your changes to the file and exit. You must restart the sshd service to apply these changes:
$ sudo systemctl restart sshd.service
As a precaution, open a new terminal window and verify that the SSH service is operational before terminating your current session:
$ ssh username@remote_host
Once you have confirmed that the SSH service is working, you can safely terminate all current server sessions.
Your CentOS server’s SSH daemon now only responds to SSH keys. Password authentication has been successfully removed.
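The edit above is easy to get wrong in quiet ways, because sshd uses the first uncommented value of a keyword it finds, treats keywords case-insensitively, and applies directives after a Match block only to matching connections. As an added example that is not part of the original tutorial, the following shell function reads a sshd_config-style file and reports the global PasswordAuthentication value those rules produce; the function names are assumptions.

```shell
#!/bin/sh
# effective_password_auth: report the global PasswordAuthentication value a
# sshd_config-style file would yield. Added example, not from the original
# post; the function name is an assumption. It applies sshd's own rules:
# keywords are case-insensitive, "key value" and "key=value" are both valid,
# the FIRST uncommented occurrence wins (a later "no" does not override an
# earlier "yes"), a commented-out line leaves the default (yes) in force, and
# settings after a Match block are per-connection, so they are not counted.
effective_password_auth() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)              # drop comments
            sub(/^[ \t]+/, "", line)          # drop leading indentation
            n = split(line, f, /[ \t=]+/)     # keyword [=] value
            if (n < 2) next                   # blank or keyword-only line
            kw = tolower(f[1])
            if (kw == "match") { in_match = 1; next }
            if (in_match) next
            if (kw == "passwordauthentication" && !seen) {
                seen = 1; val = tolower(f[2])
            }
        }
        END { print (seen ? val : "yes") }    # sshd default when unset: yes
    ' "$1"
}

# password_auth_disabled: exit 0 only when the file really turns it off.
password_auth_disabled() {
    [ "$(effective_password_auth "$1")" = "no" ]
}
```

On the server itself, `sudo sshd -T | grep -i passwordauthentication` prints the value the running daemon actually applies, and `sudo sshd -t` checks the file for syntax errors before you restart the service.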
Conclusion
SSH-key-based authentication should now be configured on your server, allowing you to sign in without entering an account password.