Tuesday, 9 September 2014

Remote Server Access Without Passwords

How to remotely access a server with ssh without a password and simultaneously limit ssh connections to individual machines.

If you're running your own server for example to host a web server it's essential to be able to log in to the shell remotely to carry out setup or administration tasks. This is usually done by using a 'ssh' connection from your local machine using a username and password which is not the most secure method. Sending passwords over the internet is bad, you may forget the password and if someone in your team leaves you may have to spend time resetting all kinds of passwords.

Instead of using passwords we will use authentication keys. A private key will reside on our local machine and a sibling public key will be added to the list of possible authenticated logins.

The following steps will set up remote server access without passwords from a Mac to a Linux (CentOS) machine.

On your local machine:
Open /Applications/Utilities/Terminal
Run the following command:

ssh-keygen -t rsa -C "machine-name"

Output:
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/mattmapleston/.ssh/id_rsa): 

At this point press enter to use the default path shown in brackets.
Enter passphrase (empty for no passphrase):
Enter same passphrase again: 
For added security add a passphrase for your keys. You will not see any characters or asterisks as you type.
Your identification has been saved in /Users/name/.ssh/id_rsa.
Your public key has been saved in /Users/name/.ssh/id_rsa.pub.
The key fingerprint is:
**:**:**:**:**:**:**:**:**:**:**:**:**:d5:30:c7 machine-name
The key's randomart image is:
+--[ RSA 2048]----+
|  r        =     |
|           g.=   |
|           @l.   | 
|          $ ..   |
|   fE   .S. o  |
|       + 4=. o . |
|        *.o..    |
|  o.o     .     |
|  ew   .;      |
+---------------+

As mentioned in the output, we should now have two files. The private key (id_rsa) and the public key (id_rsa.pub). You can view both using the cat command, run the following command to view the public key and copy it to your clipboard everything from ssh-rsa to machine-name).
cd /Users/name/.ssh
cat id_rsa.pub

ssh-rsa AjGAwzoWZh4kTMuva4BzKIBoYqiq+iwpuaZ3xzIW/21s2hpMkoX72cKAAB3NzaC1yc2EAAAADAQABABAQDG+FcBlWnoO9+7BMKHyq6cdHZLSI17BO8k7M3P73cNjiGNATINFOUb/YydCZtcsCvtH0hn5Mh2BhYAFBJi8GSYiHHZE2Szvob12mPJaH5if0VgAAxEo9tPsrRK+rutiDSrG2+gEtduT94RslE6BMxmZhXUCoocPySuSYIR7yBtYbTi1dKcI8l9+ZtEJkWz1MA1ZHs5RwLu17jp6QyBG8jHwclFiOWe4gkLw8S7QG7UaIeB+jKXYplaTW5AxVegYOrnJWqjkpoSYeXi63oGk33hDjte2IJVfIYl machine-name

The next step is to add your new private key to your local machine's set of identities
ssh-add ~/.ssh/id_rsa

Now we need to give our public key to our server. To do this we need to ssh remote connect using our password although this may be the last time! Once connected, we add the public key (which should still be on our clipboard) to ~/.ssh/authorized_keys. Add the key on one line at the bottom and save it.

Finally we need to restart the server's ssh program, which on CentOS is done with the following command and output:
service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

That's all. When we ssh into our server in future, it will identify our machine using these authentication keys - no password required!