In an automated IT environment, password-based authentication is not a good choice: it blocks many unattended workflows. For SSH access you can easily configure key-based authentication, which is simple to set up and very useful for quick server access. This method is also more secure than password-based access, since authentication relies on a private/public key pair.
Warning: Make sure you keep all your private keys in a secure place.
Let us learn this setup in simple 1-2-3 steps.
You can either create a dedicated user for remote access or use any existing user. For this demo, we will create a new user devops on the remote node:

```
[[email protected] ~]$ sudo useradd devops
```
This step is optional, as we don't need to enable sudo or password-less sudo access for the user. But in some cases, like Ansible automation, it is recommended to enable password-less sudo access so that privilege escalation works smoothly.

sudo access for our new user:

```
[[email protected] ~]$ sudo cat /etc/sudoers.d/devops
devops ALL=(ALL) NOPASSWD: ALL
```
Enable PasswordAuthentication For First Time Access

For the first-time setup, I am enabling PasswordAuthentication in the /etc/ssh/sshd_config file. Please note, this has to be done on the node you want to manage.

Then restart the sshd service:

```
$ sudo systemctl restart sshd
```
On your working host (like the Ansible control node, your jump host, or your workstation), create the SSH key pair. Since we want to implement access without any interaction, we will create the key pair without a passphrase.

You can execute ssh-keygen with its defaults, or specify the key type and length, e.g.:

```
ssh-keygen -t rsa -b 4096 -C "[email protected]"
```

```
[[email protected] ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/devops/.ssh/id_rsa):
Created directory '/home/devops/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/devops/.ssh/id_rsa.
Your public key has been saved in /home/devops/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:mmSZGlQS9uN1NslXAOLiF70xHRWnfwtL2Asx3nHskYU [email protected]
The key's randomart image is:
+---[RSA 2048]----+
| +.. . ..oo+oo|
| . + . + o oEoo|
| . + + Xoo..= |
| . o * +.** +..|
| . B S .+ = .o|
| = + o + o|
| . o o . |
| |
| |
+----[SHA256]-----+
```
Check the generated private key and public key files:

```
[[email protected] ansible]$ cd ~/.ssh/
[[email protected] .ssh]$ ls -lrta
total 12
-rw-r--r--. 1 admin admin  400 Jun 11 06:46 id_rsa.pub
-rw-------. 1 admin admin 1675 Jun 11 06:46 id_rsa
drwx------. 4 admin admin  110 Jun 11 06:46 ..
-rw-r--r--. 1 admin admin  186 Jun 11 06:55 known_hosts
drwx------. 2 admin admin   57 Jun 11 06:56
```

Make sure the permissions of your files are as shown above: 600 for private keys.
Now you need to add the public key of the master/workstation key pair to the nodes you want to manage or access from your workstation. There are 2 ways to achieve this.
You can add the key to the remote node using the ssh-copy-id command (from the workstation, as shown below). We need PasswordAuthentication enabled for this, as we need to log in with the password one time. (You can disable PasswordAuthentication after this step. Refer to Step 1.3: Enable PasswordAuthentication For First Time Access.)

```
[[email protected] ansible]$ ssh-copy-id -i ~/.ssh/id_rsa [email protected]
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/devops/.ssh/id_rsa.pub"
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added
```
Alternatively, we can copy the public key to ~/.ssh/authorized_keys on the remote node manually (but the correct way is to use the ssh-copy-id command).
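If you do take the manual route, this added example (not code from the original post) shows how to append a public key to authorized_keys the way ssh-copy-id does it: create the .ssh directory with mode 700 and the file with mode 600, skip a key that is already installed, and verify the 600 permission the post asks for. It assumes GNU coreutils (`stat -c`) and awk; the file and directory paths are parameters, and `check_key_mode` and `install_pubkey` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils (stat -c)
# and awk; SSH_DIR and PUBKEY_FILE are passed in so it can run against any path.

# check_key_mode FILE
# Returns 0 when FILE has mode 600 (what the post requires for private keys;
# it also satisfies sshd's StrictModes check on authorized_keys), else 1.
check_key_mode() {
  mode=$(stat -c '%a' "$1") || return 1
  [ "$mode" = "600" ]
}

# install_pubkey PUBKEY_FILE SSH_DIR
# Appends the key in PUBKEY_FILE to SSH_DIR/authorized_keys unless the same
# key is already there. Prints "added" or "present".
install_pubkey() {
  pub=$1
  dir=$2
  ak="$dir/authorized_keys"
  # A key is identified by its type and base64 blob (fields 1 and 2); the
  # trailing comment may differ between copies, so it is ignored here.
  keyid=$(awk 'NR==1 {print $1" "$2}' "$pub") || return 1
  [ "${keyid% *}" ] && [ "${keyid#* }" ] || return 1
  mkdir -p "$dir" && chmod 700 "$dir" || return 1
  touch "$ak" && chmod 600 "$ak" || return 1
  if awk -v k="$keyid" '($1" "$2)==k {found=1} END {exit !found}' "$ak"; then
    echo present
    return 0
  fi
  cat "$pub" >> "$ak"
  echo added
}
```

Running `install_pubkey ~/.ssh/id_rsa.pub /home/devops/.ssh` twice prints `added` and then `present`, leaving a single copy of the key in the file.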
Now we will log in to the remote node as the devops user, as shown below.

```
[[email protected] ansible]$ ssh [email protected]
Last login: Mon Jun 11 10:02:23 2018
[[email protected] ~]$
```
You can see that ansible-node1 didn't ask me for any password, since the devops user has already been authenticated using the SSH key pair.
If you have multiple keys for multiple projects or server groups, you can specify which SSH key to use for the connection with the -i option.

```
[[email protected] ansible]$ ssh [email protected] -i ~/.ssh/id_rsa
Last login: Mon Jun 11 10:05:07 2018 from ansible-box.c.devops-angel.internal
```
Again, please make sure your private key files are stored in a safe and secure place with restricted access.

Read more about SSH keys: SSH Key and Configurations