Public/private key authentification with ssh
< OpenSUSE small server basics (dec 2021) | Configuring a small home server in 2021 with openSUSE Leap 15.3 | Postfix configure (2021 edition) >
Create keys
Go to the client, the account you want to use. Generate a key (if none exist already). If you want to use theses keys within scripts, or don't have to type the passphrase each time, do not enter any passphrase (leave it blank), but if so do not share the private keys. Remote user can be root.
$ mkdir -p ~/.ssh If it doesn't already exist $ chmod 700 ~/.ssh $ cd ~/.ssh $ ssh-keygen -t dsa #rsa may be a bit better
This gives you a pair of keys in the .ssh folder, one id_dsa (or rsa) private (do not disclose or share), one id_dsa.pub (or rsa), public key you can share to be identified.
Copy the public key to the remote host
Best way is to use
ssh-copy-id -i /home/<user>/.ssh/id_dsa.pub <remote-user>@server-name
This will copy the public key to the remote server, creating the folders and files accordingly if necessary. You can also do this manually with scp.
Try connection from the client to the server with ssh, you should be prompted to the passphrase in place of the password (or not prompted if there is no passphrase).
Alternative way (full manual):
$ scp -p id_dsa.pub remoteuser@remotehost: Password: ********
Log into the remote host and install the public key:
$ ssh -l remoteuser remotehost Password: ******** remotehost$ mkdir -p ~/.ssh If it doesn't already exist remotehost$ chmod 700 ~/.ssh remotehost$ cat id_dsa.pub >> ~/.ssh/authorized_keys (Appending) remotehost$ chmod 600 ~/.ssh/authorized_keys remotehost$ mv id_dsa.pub ~/.ssh Optional, just to be organized remotehost$ logout
Log back in via public-key authentication:
$ ssh -l remoteuser remotehost Enter passphrase for key '/home/smith/.ssh/id_dsa': ********
When you are sure it works, disable login with password
In /etc/ssh/sshd.conf,
- Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
Allow getting root without password
as root, visudo, then add:
jdd ALL=(ALL:ALL) NOPASSWD: ALL
< OpenSUSE small server basics (dec 2021) | Configuring a small home server in 2021 with openSUSE Leap 15.3 | Postfix configure (2021 edition) >