Most fairly recently built cars come with the feature called "keyless entry": the car would sense the presence of the key fob in your pocket and lets you open its door without having to manually unlock that door. In this article, I'll describe how to set up keyless entry to your remote server, so you won't have to type the password every time you try to access that remote server's shell. The process also relies on keys, but these are called ssh keys.
Is it all convenience?
Sure it is convenient to not have to type passwords to every remote server you need to log in to, but there's more than just convenience, sometimes setting up keyless entry is a requirement. Most obvious example is Ansible. If you plan to use that automation technology, setting up keyless entry is a must for everything else to work. Ansible is agentless, you don't need to install an Ansible-specific agent on the client but you must enable paswordless login.
Assumptions
I will assume you need to enable passwordless login on the remote server running some UNIX-like operating system (Linux, BSD, MacOS) and that you are using a client to log in that also runs such UNIX-like OS. I will also assume both machines have SSH up and running.
I am deliberately shunning Windows, after 11 versions of it and into the third decade of the 21st century Windows users are still required to install third party software to enable communication via SSH... ?!
The actual commands:
It's really simple, providing you already have proper credentials to log in to the remote server and have tested those credentials are valid.
First, create the key to be exchanged on your own server:
ssh-keygen
You'll be asked where to put the newly created key, agree with the default location offered. If you don't like the location, now's the chance to enter your own custom location but you'll need to account for that customization later, when you try to use passwordless login.
You'll be also asked to set up a passphrase. For trusted servers, on trusted connections, you can comfortably skip setting up passphrase.
Now that the key to be exchanged is created, it is time to exchange it with the remote server:
ssh-copy-id user@some.ip.address
where you swap the "user" with the actual username under which you are logging in onto the remote server and the "some.ip.address" with the actual IP address or the FQDN of the remote server. You'll be asked to enter password for that user on the remote server, and this is the last time you'll be entering that password. Once you enter the password, providing that's the right credential for that user on the remote server, the key is received and stored at the remote server.
You'll now be asked to use SSH to log in to the remote server to verify everything works as expected:
ssh user@some.ip.address
and you are logged in, no password asked for! And for the life of that remote server, or at least the key that was exchanged with it, this will remain enabled when you ssh into your remote server.
Just a bit of background on using SSH keys for passwordless entry:
When you used ssh-keygen
, you actually created two encrypted files using the default RSA cryptosystem: one of those two files is called a public key and the other is called private key. That public key is what is being sent to the remote server. Private key is used to authenticate the public key received. The remote server will, upon receiving that public key from your machine, create its own private key based on the public key it received from you, so now logging in is automated, no need for your intervention with passwords, one machine presents its key, the other verifies the key is trusted and you are admitted in onto the remote server.
One cool thing you may want to try out, now that the passwordless login is set up, is to execute a command on the remote server and receive the feedback from that command on your own terminal. In this example, I'll keep it harmless and execute ls
on the remote server but receive the feedback from that command on my own terminal all the while I am NOT logged in to that remote server:
ssh user@some.ip.address ls
and I'll get the contents of the home directory of the remote user "user".
Permissions. Yes, it is important.
Those keys that enabled passwordless login are now priced posession, keep them out of reach of malicious users on your own LAN. Recommended permissions on the private key are 600, meaning owner has read/write permissions but no permissions are given to anyone else on that server. Public key's permissions should be a bit more relaxed, having in mind that the remote server needs to read that file- set them to 644 (read/write for the owner, read/execute for the group to which owner belongs and for everyone else). You can always access those keys and verify their permissions, they are stored in your home directory, in the hidden .ssh subdirectory, and the public key is named id_rsa.pub. Use the ls -al
command on .ssh subdirectory to verify permissions on those files.
Congrats, you just made logging into your remote server far more convenient now onto... Ansible!
Top comments (0)