Streamlined: Two-Step Passwordless SSH Setup on Ubuntu

A Quick Guide to Establishing Passwordless SSH Authentication

Step 1: Generating a Public/Private Keypair on Your Ubuntu Desktop

The first step is to generate the public/private key pair on your Ubuntu desktop. To do this, enter the command on your Ubuntu desktop (not on your server):

ssh-keygen -t rsa -b 4096

The command is responsible for creating the default RSE type keypair

-t refers to “type”.

-b refers to bits. The standard length of a key is 3072 bits. You may optionally increase it to achieve a higher level of security.

You can press Enter to accept the default location (~/.ssh/id_rsa) and leave the passphrase empty for convenience or add one for extra security.

After everything is generated, you’ll something like:
Your identification has been saved in /home/your_username/.ssh/id_rsa.

Your public key has been saved in /home/your_username/.ssh/id_rsa.pub.

Step 2: Uploading Your Public Key to a Remote Linux Server

Now that all you need has been generated, you can upload it to your server. It doesn’t have to be an Ubuntu server, it can run any Linux distribution as long as the OpenSSH server is run on it.

First, enter the following command to copy the public server on the remote desktop. “your_username” and “remote_server_ip” are to be replaced with the appropriate username and IP address.

ssh-copy-id your_username@remote_server_ip

Next, you’ll be asked to enter the password of the remote server if you set a passphrase in the previous step.

As soon as the key is copied, you’ll see a similar output:

Number of keys added: 1

From now on you’ve established a passwordless login into your server.

Disabling Password-Based Authentication

After the configuration of the passwordless authentication, you may go further and disable the password-based authentication, leaving only the one based on the SSH key in order to increase your security even further, making your server bruteforce-safe. To do it:

• Access your server:
  ssh your_username@remote_server_ip
• Open the /etc/ssh/sshd_config file on the server with your preferred text editor (e. g. Nano or Vim)
• Find the following line and change its value to no:
  PasswordAuthentication no
• Find the ChallengeResponseAuthentication line and make sure it’s status is no as well
  ChallengeResponseAuthentication no
• Save and exit the text editor.
• Restart the SSH service to apply the changes:
  Debian/Ubuntu:
  sudo systemctl restart ssh
  RHEL/CentOS:
  sudo systemctl restart sshd

Now the password authentication must be fully disabled, and access attempts without authentication keys will not work out with outputs like Permission denied (publickey) or Read: Connection reset by peer.

Keep in mind that both PasswordAuthentication and ChallengeResponseAuthentication must be set to “no”, otherwise password authentication will be still available.

Safeguarding Your Public/Private Keypair with Backups.

After completing the configuration of the public/private key pair, the next step is to create backups for them. Since keys are now necessary to log in into your server, losing them may result in you losing access to your server. For this reason, what you should to is to create backups for your public/private keypair on a safe location that you can easily access (like a USB drive etc.) Let’s see step-by-step how to create a backup of your public/private key pair.

• Find the location of your keys. Usually, it should be something like ~/.ssh directory.
• Copy Your Key Pair: Copy the pair of keys to the desired safe location with the cp command
  cp ~/.ssh/id_rsa ~/.ssh/id_rsa_backup

cp ~/.ssh/id_rsa.pub ~/.ssh/id_rsa.pub_backup

id_rsa and id_rsa.pub should be replaced with the actual names of your key files if those differ.

• Now that your public/private key pair has been copied, you should store it in a safe location.

Also, if the location you’ve chosen is another computing device, you have to change the user of the keys on this another device:

sudo chown new-user:new-user ~/.ssh/id_rsa*

With this, it will be possible to access your server from another device as well.

Restoring your key pair

If you eventually need to restore your key pair from the backup you’ve done according to the instructions above, you can follow these steps:

• Copy the Backup Files: Copy the files you’ve of the key pair you’ve backed up to your ~/.ssh directory:
  cp ~/.ssh/id_rsa_backup ~/.ssh/id_rsa

cp ~/.ssh/id_rsa.pub_backup ~/.ssh/id_rsa.pub

• Set Appropriate Permissions: Ensure that the permissions on these files are secure:

chmod 600 ~/.ssh/id_rsa

chmod 644 ~/.ssh/id_rsa.pub

• Test the Key Pair: Now to test if everything works, test the key pair by SSH-ing your server

ssh your_username@remote_server

If your server is protected with a passphrase you'll be prompted to enter it.

Enhancing Security by Storing Key Passphrases in SSH Agent

While using a command-line-only Linux box, you’ll have to enter the passphrase every time you access a different Linux device through SSH. To fix this, you’ll have to store the key passphrase into the SSH agent. To do it:

• Install keychain:

sudo apt install keychain

• Make changes to the .bash_profile or .profile file to automate the execution of the commands:

/usr/bin/keychain $HOME/.ssh/id_rsa
source $HOME/.keychain/$HOSTNAME-sh

When logging in again, you’ll an output similar to this one:

Last login: Sun Aug 12 15:20:07 2020 from 203.45.67.89

• ​keychain 2.7.1 ~ http://www.funtoo.org
• Found existing ssh-agent: 17892
• Adding 1 ssh key(s): /home/johndoe/.ssh/id_rsa

Enter passphrase for /home/johndoe/.ssh/id_rsa:

• ssh-add: Identities added: /home/johndoe/.ssh/id_rsa

Now that the keychain is configured and and the key pair is saved, you won’t need to enter the passphrase each time when SSH-ing your server.

Modifying Your Private Key Passphrase

If you will eventually want to change your private key passphrase, you can use the following command:

ssh-keygen -f ~/.ssh/id_rsa -p