This guide will hopefully help you setup passwordless authentication using public-key encryption to access your CentOS server, possibly works on other distros too but I haven’t tested them as I don’t use them on a regular basis.
I wanted to create this guide to point out some of the issues I ran into when doing this task on my own servers, for documentation incase I ever need to do it again, and to help out anyone else who stumbles across my posts!
Why use passwordless public-key authentication?
There are multiple reasons you should choose this method, but the main reason is that password authentication can be cracked or guessed, and when using a highly complicated password you are likely to write it down somewhere making it unsecure still.
Public-key authentication makes it almost impossible for anyone to brute force into your servers as it requires matching key pairs, making it a great and quick way to access your server securely. Also you can share your public key on services such as GitHub, allowing other users to give you quick access to one of their services via your own key.
Step 1 – RSA Key Pair
My guide is going to assume you already have a key pair as they’re easy to create, I may post a guide on that soon, but I don’t feel like it’s needed for now.
Make sure your private key is stored in a location where you will never lose it, such as a secure online storage. Your public key can be stored on GitHub as I wrote above, it can then be accessed via ‘GitHub.com/USERNAME.keys’.
Step 2 – Copy Your Public Key
To access your server, it needs to know your public key.
In the home folder of the user you will be accessing SSH through, you need a folder called ‘.ssh’ in which a key file will be stored, in my examples the username will be ‘Bob’.
Now create the key file using your editor of choice, by default it should be called ‘authorized_keys’.
Also copy your public key into the file, make sure it’s all there, it should start with “ssh-rsa AA…”
Step 3 – StrictMode Issues
By default, StrictMode is enabled on your SSH config file, and so it should be! It specifies whether SSH checks permissions on your home directory to ensure they are secure and aren’t world-writable.
Unfortunately, it can cause some issues which we will try to fix now.
Firstly, lets set the correct permissions on your key file and .ssh folder. For StrictMode to work, the key file MUST have permissions 600 (rw——-) and the .ssh folder permissions 700 (rwx——).
chmod 600 /home/bob/.ssh/authorized_keys chmod 700 /home/bob/.ssh
Also for StrictMode to work, it’s important that your user owns their own home directory. Use the command below to change the ownership of all folders and files in the user’s directory.
chown -R bob:bob /home/bob/
For those that don’t know, you can check the permissions and ownership using the following command:
Now the part where I ran into some issues. You need your main home directory to be owned by ‘root’ and to have permissions 755 (rwxr-xr-x).
chown root:root /home chmod 755 /home
You also need the user’s home folder to be set to permissions 755 (rwxr-xr-x).
chmod 755 /home/bob
Step 4 – SSHD Configuration
Now we can configure the SSH daemon to allow RSA and Public-key authentication, so open up your sshd_config file.
Find the following lines and uncomment them.
#RSAAuthentication yes #PubkeyAuthentication yes
Now save and quit that file, and restart your SSH service.
service sshd restart
Step 5 – Testing
At this point, you should test that you have successfully enabled public-key authentication.
Try to connect to your server using your private key, if it works, proceed onto the next step!
If it didn’t work, check back up the other steps of course, make sure you did everything correctly. If you still can’t get it working, feel free to ask in the comments section and I will try my best to help you out, or hopefully other readers may give you assistance.
Step 6 – Disable Passwords
Now you have Key authentication working, you can disable passwords on your server. This is probably the simplest step.
Open your SSHD configuration again.
Find a line that says the following, and change it to the obvious ‘yes’.
(Optional) You may also want to disable GSSAPI authentication on your server if it isn’t being used, this will speed up your SSH login as your client and server won’t do checks to see if it’s an available method. To disable it, simply find the following line in the config and change it to ‘no’.
Then restart the daemon again.
service sshd restart
You now should have enabled passwordless public-key authentication on your server, meaning it is now somewhat more secure. I hope my guide helped you out.
Please leave me a comment in the section below if you liked my guide, if you didn’t like it, please do tell me why!