Configuring SSH key-based authentication

In many situations (like when using scripts to access different systems) a user needs to be able to remotely authenticate without specifying the password.

Luckily, it is very easy to do this, using ssh-keygen.

In this example I will be using two RHEL 7 systems, server1 and server2, and will configure SSH key-based authentication between them.

Key generation is done using ssh-keygen, which generates the private and public keys: ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub.

Permissions must be 600 on the private key and 644 on the public key.

To generate the keys run:

[root@server1 ~]# ssh-keygen  
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
f1:37:5d:d8:91:d4:33:f2:da:3d:aa:4b:fd:f5:df:d0 root@server1
The key's randomart image is:
+--[ RSA 2048]----+
|              .oo|
|             . *o|
|        .     + =|
|         o   . o |
|        S . o + .|
|           ..o +.|
|           . .o E|
|          .  ...+|
|           oo  .=|
+-----------------+


And on server2:

[root@server2 ~]# ssh-keygen  
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
4a:85:79:d3:95:22:84:23:a2:2b:b5:e3:dc:29:ae:94 root@server2
The key's randomart image is:
+--[ RSA 2048]----+
|       o.   ..   |
|  . . oo.....    |
| . . .o.+...     |
|. .    o .       |
| o .  . S        |
|o +  . .         |
|.E o ..          |
|. + o            |
|.o..             |
+-----------------+


Now copy the public key to the system you need to log in to remotely, or copy it in each direction as in this example:

[root@server1 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@server2
The authenticity of host 'server2 (192.168.221.185)' can't be established.
ECDSA key fingerprint is 33:bb:1f:3d:85:5b:1f:1e:7d:c8:5a:1f:6a:44:55:49.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@server2's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@server2'"
and check to make sure that only the key(s) you wanted were added.

[root@server1 ~]# ssh root@server2
Last login: Sat Oct 10 20:15:18 2015 from 192.168.221.1
[root@server2 ~]# 



And on server2:

[root@server2 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@server1
The authenticity of host 'server1 (192.168.221.184)' can't be established.
ECDSA key fingerprint is 0e:7d:a1:03:c4:bc:c7:71:36:dd:a4:5b:b3:09:4f:e0.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@server1's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@server1'"
and check to make sure that only the key(s) you wanted were added.

[root@server2 ~]# ssh root@server1
Last login: Sun Oct 11 01:14:55 2015 from 192.168.221.1
[root@server1 ~]# 



That's it, now I can ssh into the remote server using a public key and run commands:

[root@server2 ~]# ssh root@server1 ls
anaconda-ks.cfg
[root@server2 ~]#
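
The permission requirement stated earlier (600 on the private key, 644 on the public key) can be audited and corrected with a short script. This is an added example, not part of the original article: the function names are hypothetical, and it goes beyond id_rsa by checking every key pair that has a .pub file in the directory.

```shell
# Added example (not from the original article); function names are hypothetical.
# Checks the modes the article requires: 600 on private keys, 644 on public keys.

# file_mode FILE -> octal mode such as 600 (GNU stat first, BSD stat as fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_mode FILE EXPECTED -> prints a finding and returns 1 on mismatch
check_mode() {
    if [ ! -f "$1" ]; then
        echo "MISSING  $1"
        return 1
    fi
    cm_actual=$(file_mode "$1")
    if [ "$cm_actual" != "$2" ]; then
        echo "BAD_MODE $1 is $cm_actual, expected $2"
        return 1
    fi
}

# audit_ssh_keys DIR -> one line per finding; return status = number of findings
audit_ssh_keys() {
    ak_findings=0
    for ak_pub in "$1"/*.pub; do
        [ -f "$ak_pub" ] || continue          # glob matched nothing
        check_mode "$ak_pub" 644 || ak_findings=$((ak_findings + 1))
        check_mode "${ak_pub%.pub}" 600 || ak_findings=$((ak_findings + 1))
    done
    return "$ak_findings"
}

# fix_ssh_keys DIR -> apply the required modes to every key pair found
fix_ssh_keys() {
    for fk_pub in "$1"/*.pub; do
        [ -f "$fk_pub" ] || continue
        chmod 644 "$fk_pub"
        if [ -f "${fk_pub%.pub}" ]; then chmod 600 "${fk_pub%.pub}"; fi
    done
}

# Demo on constructed placeholder files (empty files, not real keys)
demo_dir=$(mktemp -d)
: > "$demo_dir/id_rsa"; : > "$demo_dir/id_rsa.pub"
chmod 644 "$demo_dir/id_rsa"; chmod 666 "$demo_dir/id_rsa.pub"
before=0; audit_ssh_keys "$demo_dir" || before=$?
fix_ssh_keys "$demo_dir"
after=0; audit_ssh_keys "$demo_dir" || after=$?
echo "findings before fix: $before, after fix: $after"
rm -rf "$demo_dir"
```

On a real system, run `audit_ssh_keys ~/.ssh` on both server1 and server2 after generating the keys.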