This post details the steps to configure passwordless SSH, that is, login using RSA public key authentication instead of a password. The procedure reduces the number of password prompts needed for secure remote logins with Sun Secure Shell (SSH), including SCP (Secure Copy) and SFTP (Secure File Transfer).
Configuring passwordless ssh
To configure SSH to use an id_rsa key to log in, follow these steps.
1. Generate private and public key pair on the client machine (localhost).
# ssh-keygen -t rsa
ssh-keygen requires a key type (-t). From the ssh-keygen man page:
-t type Specifies the algorithm used for the key, where type is one of rsa, dsa, and rsa1.
2. This creates two new files (the private and public RSA keys) under $HOME/.ssh/ of the user who ran the command:
id_rsa (Private Key)
id_rsa.pub (Public Key)
3. After generating the key pair, copy the public key (id_rsa.pub) and append it to the $HOME/.ssh/authorized_keys file in the user's home directory on the remote host. For example, root can transfer the file to the remote user with ssh or scp:
# cat ~/.ssh/id_rsa.pub | ssh remotehost 'cat >>~/.ssh/authorized_keys && echo "Host Key Copied"'
-or-
# scp $HOME/.ssh/id_rsa.pub remotehost:$HOME/.ssh/id_rsa.pub.copy
4. Verify that everything works by logging into the remote system; no password should be requested. You can also view the public RSA key in the authorized_keys file on the remote host:
# ssh remotehost
# cd $HOME/.ssh
# cat authorized_keys
Troubleshooting
If you have followed the steps above and are still prompted for a password, work through the checklist below to troubleshoot the issue.
1. The key must appear in the authorized_keys file as a single unbroken line when viewed in vi command mode with "set list". In "set list" mode, carriage returns show up as "$" characters inside the key string. Edit the line containing the key if it is not in the correct format.
2. If you still get the password prompt, check that /export/home (assuming the home directory is /export/home/[userid]) has permission 755, i.e. is world readable. This is necessary because, before reading the $HOME/.ssh/authorized_keys file, sshd on the remote host must seteuid to the login id, and for that /export/home needs to be world readable.
3. The file $HOME/.ssh/authorized_keys (or the .ssh directory containing it) is world-writable, as in this listing for the user "user01":
$ pwd
/export/home/user01/.ssh
$ ls -la
total 14
drwxrwxrwx 2 user01 staff 512 Jun 11 15:41 .
drwxrwxrwx 4 user01 staff 512 Jun 11 15:14 ..
-rwxrwxrwx 1 user01 other 223 Jun 11 14:06 authorized_keys
-rw-r--r-- 1 user01 user01 24 Jun 11 15:14 config
-rw------- 1 user01 other 951 Jun 11 15:35 id_rsa
-rw-r--r-- 1 user01 other 228 Jun 11 15:35 id_rsa.pub
-rw-r--r-- 1 user01 other 231 Jun 11 15:47 known_hosts
To override this behaviour, change the "StrictModes" entry in /etc/ssh/sshd_config from "yes" (the default) to "no":
# grep StrictModes /etc/ssh/sshd_config
StrictModes yes
Restart the sshd service after this.
For Solaris 9
# /etc/init.d/ssh stop
# /etc/init.d/ssh start
For Solaris 10
# svcadm refresh ssh
4. Check /etc/ssh/sshd_config to see whether any of the following parameters, which default to "yes", have been changed to "no":
- PubkeyAuthentication
- RSAAuthentication
5. The final step is to debug the ssh session. This lets you follow the connection and see where it fails. Look for the string "Next authentication method: publickey".
# ssh -v -v -v user@hostname
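Checklist items 1 to 4 can be scripted. The following sh script is an added example, not from the original post: it reports the conditions that sshd's StrictModes rejects (group- or world-writable home, .ssh or authorized_keys), keys broken across lines or carrying carriage returns, and sshd_config entries that turn public key authentication off, so the cause can be corrected and StrictModes left at its default of "yes". The paths /export/home/user01 and /etc/ssh/sshd_config are assumptions taken from the listing above.

```sh
#!/bin/sh
# Added example, not from the original post: a portable sh audit of the
# conditions behind troubleshooting items 1 to 4, so the real cause can be
# fixed instead of setting StrictModes to "no". Paths are assumptions.

# 10-character mode string of a path; ls -ld is used because stat(1)
# flags differ between Solaris, GNU and BSD.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Report a path that is writable by group or others (what StrictModes rejects).
check_not_writable() {
    case "$(mode_of "$1")" in
        ?????w????|????????w?) echo "WRITABLE: $1 ($(mode_of "$1"))" ;;
    esac
}

# Items 1 to 3: permissions on the home directory, ~/.ssh and authorized_keys,
# then the layout of every line in authorized_keys. One finding per line of
# output; no output means nothing was found.
audit_authorized_keys() {
    home="$1"; keys="$home/.ssh/authorized_keys"
    check_not_writable "$home"
    check_not_writable "$home/.ssh"
    [ -f "$keys" ] || { echo "MISSING: $keys"; return 0; }
    check_not_writable "$keys"
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            # a carriage return, typically from a Windows editor or paste
            *"$(printf '\r')"*) echo "CR: $keys line $n contains a carriage return" ;;
            # blank, comment, or a key; options may precede the key type and
            # the base64 blob of every OpenSSH key starts with "AAAA"
            ""|"#"*|*ssh-*" AAAA"*|*ecdsa-sha2-*" AAAA"*) ;;
            # anything else is usually the tail of a key wrapped onto a new line
            *) echo "FORMAT: $keys line $n is not a single unbroken key line" ;;
        esac
    done < "$keys"
    return 0
}

# Item 4: PubkeyAuthentication or RSAAuthentication switched off in sshd_config.
check_sshd_config() {
    grep -iE '^[[:space:]]*(PubkeyAuthentication|RSAAuthentication)[[:space:]]+no([[:space:]]|$)' "$1" \
        | sed 's/^/DISABLED: /'
}

# Usage (assumed paths): audit_authorized_keys /export/home/user01; check_sshd_config /etc/ssh/sshd_config
```

Run it on the remote host as the user who cannot log in; an empty result from both functions means the remaining suspects are the key itself or the sshd debug output from step 5.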