Using private\/public key pairs<\/strong> instead of (or in addition to) password authentication is a convenient, fast and potentially more secure<\/strong> way to access a remote system, and it’s very simple to achieve.<\/p>\n So, let’s see how to\u00a0configure a\u00a0SSH login between a client and CentOS Linux server (the procedure is the same with other distributions, maybe with some small difference) without a password using a private key.<\/p>\n <\/p>\n First of all, let’s check if your client\u00a0already got a key pair you can use. Assuming you have a Linux client, log into your system (client) and type:<\/p>\n If you’re on a Mac, you’ll find these keys in the “.ssh” subfolder of\u00a0your home directory (~.\/ssh\/), while on Windows you should look in %USERPROFILE%\\.ssh (C:\\Documents and Settings\\your-username\\.ssh\\ or C:\\Users\\your-username\\.ssh depending on your Windows version).<\/p>\n If a file named “id_rsa.pub” or “id_dsa.pub” is listed, you already have a key. In this case, skip to step 3.<\/p>\n Log into your local system (client) and generate your private key using the command \u201c\/usr\/bin\/ssh-keygen\u201d with some parameters. Using the\u00a0“-t” flag, we demand an “RSA” type key, which is one of the newest and safest types. With the “-C” flag, we provide a comment (which you can think of as a kind of description or label for this key): using your email address lets you identify it more easily later.\u00a0After confirming this command, you’ll be asked to:<\/p>\n On Windows, you can use PuTTY Move your mouse to generate random data, then fill “Key comment”, “Key passphrase” and “Confirm passphrase” fields with the same date explained above.<\/p>\n Now\u00a0save both public and private keys in %USERPROFILE%\\.ssh\\<\/strong>, using id_rsa<\/strong> as name for private key<\/strong> and id_rsa.pub<\/strong> for public key<\/strong>. Since we’re going to use OpenSSH format for key pair, to save private key use “Conversions->Export OpenSSH key”, while for public key simply copy and paste content of the “Public key for pasting into OpenSSH authorized_keys file” box into an emply id_rsa.pub file.<\/p>\n NOTE: if you plan to use PuTTY for SSH login\u00a0to your server, you need to save private key in .ppk format, by clicking on “Save private key” button.<\/strong><\/p>\n You can also use Bitvise Tunnelier<\/a><\/strong> to generate your key pair: in that case, keys will be stored in\u00a0HKEY_CURRENT_USER\\Software\\Bitvise\\HostKeys registry key, but you can use the software to export them\u00a0as files into another location.<\/p>\n We have now a\u00a0private and public key set that, as already mentioned above, on Linux\u00a0are typically created as \/home\/your-username\/.ssh\/id_rsa (private key<\/strong>) and \/home\/your-username\/.ssh\/id_rsa.pub (public key<\/strong>), on Mac you’ll find these in the “.ssh” subfolder inside your home directory (~.\/ssh\/), and on Windows they are usually stored in %USERPROFILE%\\.ssh\\.<\/p>\n Your private key is an extremely valuable file, it\u2019s like storing your password in a file. If obtained, it could be used by someone else\u00a0to access your systems, so back it up and keep it safe.<\/p>\n If you take a look at the actual contents of your public key file, you’ll see something like this:<\/p>\n <\/p>\n To use your private key, you must share your public key with a remote server. Simply put, the remote server keeps a copy of your public key, which it uses to match against your private key when you attempt to login.<\/p>\n On Linux, there is a utility which automatically installs our public key onto a remote host: ssh-copy-id<\/strong>. Let’s say you know the password of the “admin” account on “nullalo.com” server, on which you want to share your public key. In this case we will type:<\/p>\n You can also paste the key using SSH:<\/p>\n If you want to do it manually, the concept is that <\/span>\/home\/your-username\/.ssh\/authorized_keys<\/strong> (on some systems file name is <\/span>authorized_keys2<\/strong>) file on the remote server must contain a row for each allowed\u00a0client’s public key.<\/span><\/p>\n <\/p>\n Once you have copied your SSH public key\u00a0on\u00a0your server and ensured that you can log in with the SSH keys alone, you can go ahead and restrict the root login to only be permitted via SSH keys.<\/p>\n In order to do this, open up the SSH config file:<\/p>\n Within that file, find the line that includes PermitRootLogin and modify it to ensure that users can only connect with their SSH key. If the line does not exist or is commented, simply add it:<\/p>\n Reload service to put the changes into effect:<\/p>\n <\/p>\n Assuming you\u2019ve followed the above steps, now you can access remote server simply typing:<\/p>\n with\u00a0no password entry required, except for passphrase if you used it during key pair\u00a0generation.<\/p>\n <\/p>\n On Windows, we can use\u00a0Bitvise Tunnelier<\/a><\/strong>\u00a0or PuTTY<\/a><\/strong> to access via SSH to our server.<\/p>\n With Bitvise Tunnelier<\/strong>, you need to import your private key by clicking on “Client key manager<\/strong>“, then “Import” and finally select your “id_rsa” file.<\/p>\n You will be asked for passphrase, if used during key pair creation.<\/p>\n Now you can login by selecting publickey<\/strong> as “Initial method” and choosing the right\u00a0Client key (in the example the one named “Profile 2”).<\/p>\n After clicking on “Login”, you will be asked to save the host key (only for the first connection):<\/p>\n Click on “Accept and Save”, then you’ll be asked for public key’s passphrase (this\u00a0is the password of the key pair, NOT\u00a0the password of the user logging in)\u00a0if needed.<\/p>\n If everything’s ok, you will be logged onto remote server.<\/p>\n If you wish to use\u00a0PuTTY<\/strong> as client\u00a0instead of Bitvise Tunnelier, you have to specify the location of your client’s private key (that matches the public key you stored on the server in the authorized_keys file) in Connection->SSH->Auth->Private key file for authentication.<\/p>\n NOTE: Private key must be stored in .ppk format if you want to use it with PuTTY.<\/strong><\/p>\n Now just fill in your connection details (Host Name or IP address and Port) and click “Open”:<\/p>\n After the warning about the server’s host key not being cached in the registry (you can answer “Yes”):<\/p>\n you will be asked for username (in our example, “admin”) and eventually for key pair’s passphrase, then you’ll be logged into the system.<\/p>\n That’s it! If you have any question, please don’t esitate to add a comment to this article.<\/p>","protected":false},"excerpt":{"rendered":" In case you don’t know, Secure Shell (SSH) is a UNIX-based command interface and protocol for securely getting access to a remote computer.\u00a0Default method for SSH access is password-based authentication: by knowing a remote system\u00a0user’s\u00a0username and password, you can login into the system. Using private\/public key pairs instead of (or<\/p>\n","protected":false},"author":2,"featured_media":1337,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[5],"tags":[97,107,106],"class_list":["post-1333","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teaser","tag-centos","tag-login","tag-ssh"],"yoast_head":"\n1. Check for existing key pairs<\/h3>\n
[fsicurezza@localhost ~]# ls ~\/.ssh<\/pre>\n
2. Generate a new key pair<\/h3>\n
\n
[fsicurezza@localhost ~]# ssh-keygen -t rsa -C "fsicurezza@nullalo.com"\r\nGenerating public\/private rsa key pair.\r\nEnter file in which to save the key (\/root\/.ssh\/id_rsa):\r\nEnter passphrase (empty for no passphrase):\r\nEnter same passphrase again:\r\nYour identification has been saved in \/root\/.ssh\/id_rsa.\r\nYour public key has been saved in \/root\/.ssh\/id_rsa.pub.\r\nThe key fingerprint is:\r\n04:53:39:ff:53:33:b7:d0:b7:7b:39:fa:32:e3:60:d9 fsicurezza@nullalo.com\r\nThe key's randomart image is:\r\n+--[ RSA 2048]----+\r\n| o... |\r\n| oo |\r\n| .o . |\r\n| . . .+.o|\r\n| S . ..++|\r\n| = o |\r\n| + E o|\r\n| . .+ +.|\r\n| .o*.o|\r\n+-----------------+<\/pre>\n
![\"puttygen_01\"](\"\/wp-content\/uploads\/2016\/03\/puttygen_01.jpg\")
<\/p>\n![\"puttygen_02\"](\"\/wp-content\/uploads\/2016\/03\/puttygen_02.jpg\")
<\/p>\n[fsicurezza@localhost ~]# cat ~\/.ssh\/id_rsa.pub\r\nssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAiqxKKnDeav9gM7By0IdECGlVjWKvvSwKtOlmdYwbFYra2F\/EAVuOqL2KsTE rVE0QzONIo7c854oADlw6UQKjkCfxDrk61ph1yUVgZeI3LeZpILPNhcSndp0I0eMBehQIPYQ2ibBhr+sUt7akSRDAKh\/mLQ 8MW2Ety1n26D3EmzUyFVWYA6Ccw6LtJocb\/29\/pqt6FpRUIfFc4TNfSJ4eOjcrc2+yL\/b3H0p1ENqlenQT6lxDBbPlNRee+ UzjdDrSvmMP8f7bQVht4QzcCjrHUPa4BjUoDPkGAEDcywqIkJuNBzTYcwaPpK7QwS9lQ8lVCdtDAtRLfAkvqjMc8vLRvQ== fsicurezza@nullalo.com<\/pre>\n
3. Share your public key<\/h3>\n
[fsicurezza@localhost ~]# ssh-copy-id -i \/home\/fsicurezza\/.ssh\/id_rsa admin@nullalo.com\r\nadmin@nullalo.com's password:\r\n[fsicurezza@localhost ~]#<\/pre>\n
[fsicurezza@localhost ~]# cat ~\/.ssh\/id_rsa.pub | ssh admin@nullalo.com "mkdir -p ~\/.ssh && cat >> ~\/.ssh\/authorized_keys"<\/pre>\n
4. Additional security<\/h3>\n
sudo nano \/etc\/ssh\/sshd_config<\/pre>\n
PermitRootLogin without-password<\/pre>\n
service sshd reload<\/pre>\n
5a. Login with no Password from\u00a0Linux client<\/h3>\n
[fsicurezza@localhost ~]# ssh admin@nullalo.com\r\n\r\nLast login: Mon Mar 21 10:28:33 2016 from 192.168.0.1\r\n\r\n[admin@nullalo.com ~]#<\/pre>\n
5b. Login with no Password from Windows using Bitvise Tunnelier as\u00a0client<\/h3>\n
![\"bitvise_tunnelier_01\"](\"\/wp-content\/uploads\/2016\/03\/bitvise_tunnelier_01.jpg\")
<\/p>\n![\"bitvise_tunnelier_02\"](\"\/wp-content\/uploads\/2016\/03\/bitvise_tunnelier_02.jpg\")
<\/p>\n![\"bitvise_tunnelier_03\"](\"\/wp-content\/uploads\/2016\/03\/bitvise_tunnelier_03.jpg\")
<\/p>\n![\"bitvise_tunnelier_04\"](\"\/wp-content\/uploads\/2016\/03\/bitvise_tunnelier_04.jpg\")
<\/p>\n![\"bitvise_tunnelier_05\"](\"\/wp-content\/uploads\/2016\/03\/bitvise_tunnelier_05.jpg\")
<\/p>\n<\/h3>\n
5c. Login with no Password from Windows using PuTTY\u00a0as\u00a0client<\/h3>\n
![\"putty_01\"](\"\/wp-content\/uploads\/2016\/03\/putty_01.jpg\")
<\/p>\n![\"putty_02\"](\"\/wp-content\/uploads\/2016\/03\/putty_02.jpg\")
<\/p>\n![\"putty_03\"](\"\/wp-content\/uploads\/2016\/03\/putty_03.jpg\")
<\/p>\n![\"putty_04\"](\"\/wp-content\/uploads\/2016\/03\/putty_04.jpg\")
<\/p>\n