How To Setup SSH Passwordless Login in AlmaLinux

Secure Shell, popularly known as SSH, is a secure network protocol that allows users to securely connect to remote hosts such as servers. It is based on a client-server architecture and uses two main authentication methods – password and ssh-key pair authentication.

The SSH-key pair authentication employs the use of SSH keys which are cryptographic keys used to authenticate and secure communication between the client and the server. SSH-key pair authentication is preferred over password authentication as it provides safer authentication which is not susceptible to brute-force attacks.

In this tutorial, we illustrate how you can set up SSH keys on AlmaLinux.

Creating RSA SSH Key Pair in AlmaLinux

To start the show, we will create an RSA key pair which comprises a public and private key. We will demystify these keys later on in the guide. To create the key pair, run the command:

$ ssh-keygen
OR
$ ssh-keygen -t rsa 

The above commands create a 2048-bit RSA key pair which is considered good enough to offer decent encryption to secure communication. However, you can create a 4096-bit key pair that is more robust and offers better encryption.

To do this, simply pass the -b flag. This is exactly what we are going to do.

$ ssh-keygen -b 4096

Right after you press ENTER, you will be asked to provide the path in which the keys will be stored. By default, this is the ~/.ssh directory. Unless required to change it to a different path, just go with the default directory by pressing ENTER.

Create SSH Key Pair in AlmaLinux

Thereafter, you will be required to provide a passphrase or a password. While optional, this adds an extra layer of protection when authenticating.

However, this is limiting when you want to configure passwordless ssh-key authentication to a remote host. If this is your goal, then simply press ‘ENTER’ to skip providing the passphrase.

Create Passphrase in AlmaLinux

Here is the entire output of the command.

SSH Key Pair Summary

At this point, your keys should be stored in the ~/.ssh directory which is a hidden directory in your home directory. Just to confirm this, run the command:

$ ls -la ~/.ssh
Confirm SSH Directory

A few points to note:

  • The id_rsa is the private key. As the name suggests this should be kept extremely confidential and should never be divulged or shared. An attacker can easily compromise your remote host once they get a hold of the private key.
  • The id_rsa.pub is the public key, which can be shared without any problem. You can save it to any remote host that you want to connect to.

Copy SSH Public Key to Remote Linux Server

The next step is to copy or transfer the public key to the remote server or host. You can do this manually, but the ssh-copy-id command easily allows you to do this.

The ssh-copy-id command takes the following syntax:

$ ssh-copy-id user@remote-host

In our setup, we have a remote host with IP 172.105.135.246 and a configured remote user called jack.

To copy the public SSH key, we will run the command:

$ ssh-copy-id jack@172.105.135.246

If this is the first time connecting to the host, you will get the output shown below. Check that the host key fingerprint in the prompt matches the remote server's, then type ‘yes’ and hit ENTER to proceed with the authentication.

Once you provide the password and press ‘ENTER’, the public key is placed in the authorized_keys file in the ~/.ssh directory on the remote host.

Copy SSH Key to Remote Linux Host

On your local system, the known_hosts file is created in the ~/.ssh directory. The file contains the SSH fingerprints for remote hosts that you have connected to.

$ ls -la ~/.ssh
Confirm SSH Host File

You can view it as follows.

$ cat ~/.ssh/known_hosts
View SSH Host File

SSH Passwordless Login to Remote Linux

With the public key now saved on the remote host, we can log in to the remote host without SSH password authentication. To test this, we will try logging in normally to the remote host.

$ ssh jack@172.105.135.246
SSH Passwordless Linux Login

From the output, you can see that we straight away dropped to the remote system’s shell. This confirms that we have successfully configured SSH Passwordless authentication.

Now confirm that the public key is saved in the authorized_keys file on the remote host.

$ ls -la ~/.ssh/
Check SSH Authorized Keys

To view the file, use the cat command as follows.

$ cat ~/.ssh/authorized_keys 
View SSH Authorized Keys

Disable SSH Password Authentication

We are not done yet: password authentication is still enabled, and this can potentially subject the remote server or host to brute-force attacks.

To eliminate this attack vector, it is highly advised to disable password authentication. This ensures that login is only possible through an SSH key pair. To achieve this, open the sshd_config file which is the main SSH configuration file.

$ sudo vim /etc/ssh/sshd_config

Locate the PasswordAuthentication directive. If commented out, uncomment it and set it to ‘no’.

PasswordAuthentication no

Save the changes and exit the file.

Then restart SSH to apply the change made.

$ sudo systemctl restart sshd

This successfully disables password authentication and only users with the private SSH key can log in.

At this point, SSH password authentication has been disabled on the remote server and the only possible way of accessing the remote server is through public-key authentication.
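The script below is an added example, not part of the original tutorial. It checks that the change above is the one sshd will actually apply: sshd keeps the first value it obtains for a keyword, so an earlier PasswordAuthentication line, for instance in a file pulled in by an Include directive, wins over the one you edited. The function names and sample files are hypothetical, and the files are assumed to be passed in the order sshd reads them.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumption: files are given
# in the order sshd reads them (included drop-ins first, then the main file).

# sshd_flag KEYWORD DEFAULT FILE...
# Prints the global yes/no value sshd would use: the first one it obtains.
sshd_flag() {
    kw=$1; def=$2; shift 2
    awk -v want="$kw" -v def="$def" '
        BEGIN { want = tolower(want) }      # keywords are case-insensitive
        FNR == 1 { in_match = 0 }           # a Match block ends with its file
        {
            sub(/^[ \t]+/, "")              # ignore leading whitespace
            sub(/[ \t]*=[ \t]*/, " ")       # accept the "Keyword=value" form
        }
        /^#/ || NF == 0 { next }            # skip comments and blank lines
        tolower($1) == "match" { in_match = 1; next }
        !found && !in_match && tolower($1) == want { val = tolower($2); found = 1 }
        END { print (found ? val : def) }
    ' "$@"
}

# key_only_login FILE...
# Succeeds only when passwords are refused and public keys are still accepted.
key_only_login() {
    [ "$(sshd_flag PasswordAuthentication yes "$@")" = no ] &&
        [ "$(sshd_flag PubkeyAuthentication yes "$@")" = yes ]
}

# Constructed sample: a drop-in read before the main file keeps passwords on.
demo() {
    d=$(mktemp -d) || return 1
    printf 'PasswordAuthentication yes\n' > "$d/50-example.conf"
    printf '#PasswordAuthentication yes\nPasswordAuthentication no\n' > "$d/sshd_config"
    if key_only_login "$d/50-example.conf" "$d/sshd_config"; then
        echo "key-only login is in effect"
    else
        echo "password login is still possible"
    fi
    rm -rf "$d"
}
demo
```

On the live server, `sudo sshd -t` checks the configuration syntax and `sudo sshd -T | grep -i passwordauthentication` prints the value the daemon will use. Keep your current session open until a second key-based login succeeds.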

We have managed to set up SSH keys on AlmaLinux and even went ahead to configure passwordless SSH authentication using an SSH key pair. We further disabled password authentication to avert brute-force attacks.
