Public key authentication can be used to connect to an OpenSSH server without having to provide your password.
Enter the users hidden .ssh directory.
In this example, ssh-keygen is used to create the public certificate and private key. The public certificate is named id_rsa.pub and the private key is id_rsa.
ssh-keygen -t rsa
On a Linux CentOS machine, ensure JohnDoe is a member of the wheel group.
usermod -aG wheel JohnDoe
On the Linux OpenSSH server, configure your /etc/ssh/sshd_config file to have the following settings. You can chose any filename and directory for the authorized keys file.
PermitRootLogin without-password PubkeyAuthentication yes AuthorizedKeysFile /etc/ssh/authorized_keys GSSAPIAuthentication no
Create the authorized_keys file.
Update the permissions, owner, and group of the authorized_keys file.
chmod 640 /etc/ssh/authorized_keys chown root /etc/ssh/authorized_keys chgrp wheel /etc/ssh/authorized_keys
Restore the SELinux context of the files in the /etc/ssh directory.
restorecon -FRvv /etc/ssh
Ensure the authorized_keys file has the following SELinux context.
ls -Z /etc/ssh -rw-r-----. root wheel system_u:object_r:etc_t:s0 authorized_keys
Copy the content of id_rsa.pub on the "client" machine and paste the content into the authorized keys file on the OpenSSH server machine. In this example, the authorized_keys file would have the following (without the line breaks). The ssh-copy-id command can be used.
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqphOmkv0RPMn48EwCRED/eSSYsbyrRlxymWdEA/ rYuq4eqZAVzTYxJxnTuCTLnrr5hvVMYstcEnwFB+uXZut8UoCtOlrqA7gyy0EjdRh1qay1YXIbB QZxpHDmAy9D3aSDoa5sVwrC1GQzNN4nH58pGnoGF+Df/A76LlZeBfmO1hP/a7hLIf8L+2o4LfKM NBvqf37tlYDOKUA+mU+XSCmBbMk3/4UgYxuQ3HdE8w5RhFZf9Mbvb5GqubCy7N8zp6v/hRRfT0j pWqR8kr2qauQttd9+q1n5pKCCjUO+/+jeLDdhtJ7Pls8O7motxJoNsqxKof1lJKvtt44VxYpdoY K6w== JohnDoe@client
The ps command can be used to determine if your system is using init or systemd. If PID 1 is init, then you will use the service command. If PID 1 is systemd, then you will use the systemctl command.
If your system is using systemd, use the systemctl command to restart sshd.
systemctl restart sshd systemctl status sshd
service sshd restart service sshd status
Now the OpenSSH server has a way to authenticate the client. When the client requests the connection using the private key, the OpenSSH server has the corresponding public certificate.
Make the SSH connection without a password
If connecting using the ssh command, use the -i option followed by the path to the private key.
ssh -i /home/JohnDoe/.ssh/id_rsa root@OpenSSH
If using PuTTY, add the private key to PuTTY.
For absolute assurance that only a public private key pair are being used for authentication, and that password and GSSAPI authentication have been disabled, view the PuTTY log file.
Connect to the OpenSSH server, and then open the log file. In the log, the first outgoing packet from the client to the server is ....root....ssh-connection....none, and the incoming packet from the server to the client is ....publickey.....
Because no public key was provided, the SSH server failed to authenticate the request. This is normal, and not suggestive of some problem. By default, PuTTY makes the first authentication attempt with no public key. Notice publickey and ssh-rsa in the last attempt.