Passwordless root SSH on CentOS 6 with public key
Solution 1
First of all, you should not be shelling into your remote server as root! even with key authentication. The safer thing to do is to create another, normal user and add them to sudoers (use the visudo
command for this). Then disable login as root using sudo passwd -l root
Then you need to edit your /etc/ssh/sshd_config
file to enable pubkey authentication. Find the line that says PasswordAuthentication
and set this to no
(if you want to disable password challenges for all users)
Make sure that RSAAuthentication
and PubkeyAuthentication
are set to yes.
Also, disable root login by setting PermitRootLogin no
If in case PermitRootLogin doesn't works as you require try this alternative by adding
DenyUsers root
Solution 2
Connect with ssh -v user@host
and you will have more information. Usually the .ssh folder and authorized_keys permissions cause trouble in these settings.
I use ssh-copy-id to authorize keys in remote hosts.
Related videos on Youtube
![Martin](https://i.stack.imgur.com/DIpEe.jpg?s=256&g=1)
Martin
Updated on September 18, 2022Comments
-
Martin almost 2 years
I am trying to create a "passwordless" setup so that the remote server is more secure without password + I can automate the login process.
I have created a new ssh key with ssh-keygen, and copied the public file to the remote server in ./ssh/authorized_keys, however I still get prompted to enter the password.
The server is running on CentOS 6.8
Here my steps
On my local machine (OS X)
ssh-keygen (and left empty passphrase)
pbcopy < ~/.ssh/remote_server.pub (on Mac, this copies the content of the public file)
On the remote server (CentOS 6.8)
$ cd /root/.ssh
$ touch authorized_keys
$ nano authorized_keys (then pasted in the content of the public key and saved the file)
$ chmod 600 authorized_keys
$ service sshd restart
Then when I try to access via SSH service (i.e. ssh remove-server.com) I still get the normal password prompt.
Is there an issue with the file ownership/permissions?
Update
this is the content of the remote's /etc/ssh/sshd_config file
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: # Disable legacy (protocol version 1) support in the server for new # installations. In future the default will change to require explicit # activation of protocol 1 Protocol 2 # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 1024 # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH SyslogFacility AUTHPRIV #LogLevel INFO # Authentication: #LoginGraceTime 2m #PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys #AuthorizedKeysCommand none #AuthorizedKeysCommandRunAs nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no PasswordAuthentication no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no #KerberosUseKuserok yes # GSSAPI options #GSSAPIAuthentication no GSSAPIAuthentication yes #GSSAPICleanupCredentials yes GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM no UsePAM yes # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #ShowPatchLevel no #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none # no default banner path #Banner none # override default of no subsystems Subsystem sftp /usr/libexec/openssh/sftp-server # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # ForceCommand cvs server
Output of ssh -v
... debug1: Next authentication method: publickey debug1: Offering RSA public key: /Users/m/.ssh/id_rsa debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Offering RSA public key: /Users/m/.ssh/centos_server debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Trying private key: /Users/m/.ssh/id_dsa debug1: Trying private key: /Users/m/.ssh/id_ecdsa debug1: Trying private key: /Users/m/.ssh/id_ed25519 debug1: Next authentication method: password
Also, have set permissions to also fix a bug with SELinux
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys restorecon -R -v /root/.ssh
-
obsolesced almost 8 yearsI think
restorecon
should be run on~/.ssh
instead of/root/.ssh
-
Evgeniy Baranov over 7 yearsThank you very much! Even with disabled Selinux I had to execute 'restorecon -R -v /home/username/.ssh' command to make key authentication work.
-
-
Martin about 8 yearsI have made the changes to /etc/ssh/sshd_config but now I am locked out and getting an error "Permission denied (publickey,gssapi-keyex,gssapi-with-mic)."
-
Martin about 8 yearsI've updated my original post with the output of the sshd_config fle. Should I also enable the line regarding /etc/ssh/ssh_known_hosts I wonder if there is an issue with the .ssh/authorized_keys not being able to be read
-
FaCE about 8 yearstry making this a full path
AuthorizedKeysFile .ssh/authorized_keys
-- does that work? -
Martin about 8 yearsI've set the permissions as follows chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys also did $ restorecon -R -v /root/.ssh as it's a knows issue with SElinux and CentOS the last few lines of ssh -v output: Offering RSA public key: /Users/m/.ssh/centos_server Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password Trying private key: /Users/m/.ssh/id_dsa Trying private key: /Users/m/.ssh/id_ecdsa Trying private key: /Users/m/.ssh/id_ed25519 Next authentication method: password Maybe it's issue with the server not reading the authorized_keys?
-
Martin about 8 yearsstill no luck, I have set it to AuthorizedKeysFile /root/.ssh/authorized_keys permissions set again as described in the OP
-
FaCE about 8 yearsSilly question - are you restarting the SSH service every time?
-
Martin about 8 yearsyes, I'm restarting it with $ service sshd restart
-
Rafa Saez about 8 yearsMaybe you have your key stored in /root/.ssh and you are reading the key in /Users/m/.ssh when you launch ssh command. Where did the key pair got stored when you executed ssh-keygen ?
-
Martin about 8 yearsthe key is stored in /Users/m/.ssh and I have also tried specifying with the ssh -i parameter to specify the path. With ssh -v I can see that the server is returning seeing the public key but ignoring it (see original post update above). I am clueless