SSH: Passwordless Authentication
ssh is an amazing protocol, and the beauty of it lies not only in its cryptographic security but also in ease of usage. One of the most unique features of ssh is to use it without using password, generally referred to as ##STARTCODEBLOCK## passwordless authentication##ENDCODEBLOCK## or ##STARTCODEBLOCK## Key based authentication##ENDCODEBLOCK##
This in general provides, a better security model as the keys cannot be bruteforced (they can be but bruteforcing them would need a very powerful machine and a VERY long time.)
Uses
-
Allows Secure way of logging into your machine
-
Prevents password misuse or remembering of the passwords in general
-
Eases the process of utilizing ssh for scripting from client side
-
Enhances Security in the long run.
Enabling Passwordless Authentication
So suppose that the machine you want to securely authenticate with is:
testuser@testuser.host.ircnow.org##ENDCODEBLOCK##
and password is ##STARTCODEBLOCK##
test123##ENDCODEBLOCK##
then from the client machine (your machine through which you are connecting to vps) there are in general three ways to transfer your ssh keys:
1. Using ##STARTCODEBLOCK##
ssh-copy-id##ENDCODEBLOCK##
command (**Only works on few linux distros**)
For this, all you need to do is ##STARTCODEBLOCK##
ssh-copy-id testuser@testuser.host.ircnow.org##ENDCODEBLOCK##
and then enter your password, and ssh again and it will not ask password again.
2. Copying using ssh
Well, this is slightly manual method, but basically you copy paste it to the remote machine and provide password.
##STARTCODEBLOCK##
cat ~/.ssh/id_rsa.pub | sshtestuser@testuser.host.ircnow.org "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"##ENDCODEBLOCK##
3. Manually Copying by sshing into the server
Technically same method as above, but instead of a string of pipes and ssh, you manually copy paste the passwords in `~/.ssh/authorized_keys`
### Disabling Password authentication
This is important as so far, we have enabled password less auth, but we have not disabled the password login, this basically defeats the purpose of security as the others can still try to brute force your passwords.
So as to do that, edit ##STARTCODEBLOCK##
/etc/ssh/ssh_config##ENDCODEBLOCK##
and add
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
kill -HUP `cat /var/run/sshd.pid`
# Notice the ` before cat and after pid.