Or otherwise said
How to set up a public-private authentication between your client and a remote server and log-in without any password.
It does not really matter if you are executing them with Python or Bash or using Ansible; it is what it is, the fundamental step to understand how systems can securely communicate together.
Password are amazing things, and at the same time terrible things if you get them wrong, asymmetric keys instead are a bit better in terms of usage in a system-to-system scenario, painful at the same level if you get them wrong or loose them.
What to take in consideration before you start
When you create an asymmetric pair of keys, you will finish up having a private and a public key, both should be by default in your home directory under .ssh/
If you want you can provide a different path, but be careful, while the public key is made to be copied/pasted around servers and systems inside the authorized_keys file, the private key has to remain protected and stored securely, installing it only in systems you are going to use and protected with permission 600 to avoid other users malicious eyes to read it.
Let’s move into the how to do it:
- From your home directory give the command ‘ssh-keygen’ like showed below.
- Do not change the default path, just press Enter
- Do not enter a passphrase, just press Enter twice
If you see something like the console above then the process is completed and you will be able to find your keys in ~/.ssh/
id_rsa being the Private Key
id_rsa.pub being the Public key
Now, make sure you can connect to the remote server using the ssh client and your password, and let’s make sure you accepted the host as trusted:
Ok, after this we know we are able to log-in and to work on the configuration of the remote server.
Let’s do it then, let’s bring the Pubic key in the remote server…
There is a fancy way of doing it, but we will do it the not that fancy way just to understand how this system works and we are going to do everything from the same console on the local client in order to avoid confusion.
First let’s check if the authorized_keys file exists, this file is storing Public Keys for all the users authorized to authenticate and we do not want to delete it, so:
If it does exists like in this case, it may contain someone’s else key, and because of that we will need to be careful; this means to APPEND our public key at the bottom of the file, rather than overwriting the entire file.
If the result from the previous command is nothing then we will have to create our file with the correct permissions, please follow from HERE
Once the key is there we can, from our local computer, push the content of the file we just copied into the authorized_keys file, but let’s back-up the file first and verify it has executed correctly
Cool, this means we have a backup, let’s go ahead and inject the Public Key into the authorized_keys file:
It looks like everything worked out as expected, now we should be able to log-in into our remote server without password request.
Let’s try a command we already issued:
All done, we do have now a local system able to authenticate without password, but with asymmetric keys.
Way more handy in terms of automation!
<p>
If the file authorized_keys does not exist in your system there are a couple more step before we go ahead.<br />When configuring asymmetric authentication it is really important the way we set the permissions on each file and 600 is the number you want to remember.
</p>
<p>
Let’s create the remote file and assign the correct permission then:
</p>
This should do the trick, a file with permission 600 (read and write only for the owner of the file) to store the keys for the remoteuser authentication.
Let’s verify all is gone as we expect:
Perfect, we are now ready to go back and inject our Public Key into the newly created file,let’s take it from HERE