How to setup SSH Key passwordless login in Red Hat Enterprise Linux
Environment
- Red Hat Enterprise Linux 9
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 5
Issue
- How to setup SSH password less login
- How do I setup SSH passwordless login?
- How to install SSH identity key onto a remote host on Red Hat Enterprise Linux
- How to transfer files between servers via ssh without username/password
- Getting the error below on the ssh client side even after appending the RSA public key to the remote server. Trying the following from the primary server after configuring the RSA key:
[user@ssh-client.example.com ~]$ ssh someuser@10.0.0.1
Connection closed by 10.0.0.1
- Getting the error below on the ssh server side in /var/log/secure:
sshd[xxxx]: Authentication refused: bad ownership or modes for directory /home/XXX
Resolution
Note: For a more detailed explanation, consult Chapter 34. Using secure communications between two systems with OpenSSH, specifically 34.4. Generating SSH key pairs
1. Generate SSH key
If an SSH authentication key pair does not exist yet, generate one on the client with the ssh-keygen command.
When prompted for a passphrase, leave it empty only if a fully non-interactive login is required (for example for a cron job or a transfer script). A private key without a passphrase can be used by anyone who obtains the file, so for interactive use enter a passphrase and load the key into ssh-agent instead (see section 34.8 referenced below); for an automation key with no passphrase, limit what it may do on the server with authorized_keys options such as from= and command=.
[user@ssh-client.example.com ~]$ ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_ecdsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_ecdsa.
Your public key has been saved in /home/user/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:Q/x+qms4j7PCQ0qFd09iZEFHA+SqwBKRNaU72oZfaCI user@ssh-client.example.com
The key's randomart image is:
+---[ECDSA 256]---+
|.oo..o=++ |
|.. o .oo . |
|. .. o. o |
|....o.+... |
|o.oo.o +S . |
|.=.+. .o |
|E.*+. . . . |
|.=..+ +.. o |
| . oo*+o. |
+----[SHA256]-----+
2. Install the Public Key into the User Account on the Server
Choose one of the following methods to install the public key into the user account on the server.
2.a. With ssh-copy-id
If you can ssh to the server with a password, use the ssh-copy-id command, which is part of the openssh-clients package on the client (the server only needs a shell for the user), to install the public half of the newly generated key into the user's home directory on the server:
[user@ssh-client.example.com ~]$ ssh-copy-id -i ~/.ssh/id_ecdsa.pub user@ssh-server.example.com
user@ssh-server's password:
When prompted, provide the password of the remote user.
ssh-copy-id then appends the public key to the ~/.ssh/authorized_keys file of the specified user on the remote host, creating ~/.ssh and ~/.ssh/authorized_keys with private modes if necessary.
2.b. With ssh and cat
If ssh-copy-id is not available on the client, pipe the public key over an ssh session instead. Create ~/.ssh in the same command, otherwise the append fails on an account that has never used ssh, and set umask 077 first so that a newly created directory and file are readable only by the user; sshd's StrictModes check rejects anything looser:
[user@ssh-client.example.com ~]$ cat ~/.ssh/id_ecdsa.pub | ssh user@ssh-server.example.com "umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys"
2.c. Edit ~/.ssh/authorized_keys on the server directly
If you can log in to a terminal on the server, edit ~/.ssh/authorized_keys of the target user there and paste in the content of your public key as a single line.
For example, to add the content of ~/.ssh/id_ecdsa.pub on the client (ssh-client.example.com) to the server (ssh-server.example.com), print the key on the client and append it to ~/.ssh/authorized_keys of the same user on the server:
Before:
Host (ssh-client.example.com)
[user@ssh-client.example.com ~]$ cat ~/.ssh/id_ecdsa.pub
ecdsa-sha2-nistp256 BBBBBE2VjZHNhLXNoYTItbmlzdHAyNTYBBBBIbmlzdH1111AAABBBFIv/yAbGAnT1qi2MEsLTAAB8v+YJfJoarEV8uUuKaVEnKyR/FblcI/lbwZ3pqxfalqNuqxQJHhAaJuJkE0jlnI= user@ssh-client.example.com
Host (ssh-server.example.com)
[user@ssh-server.example.com ~]$ cat ~/.ssh/authorized_keys
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdH1111AAABBBFIv/yAbGAnT1qi2MEsLTAAB8v+YJfJoarEV8uUuKaVEnKyR/FblcI/lbwZ3pqxfalqNuqxQJHhAaJuJkE0jlnI= user1@example-1.com
After:
Host (ssh-server.example.com)
[user@ssh-server.example.com ~]$ cat ~/.ssh/authorized_keys
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdH1111AAABBBFIv/yAbGAnT1qi2MEsLTAAB8v+YJfJoarEV8uUuKaVEnKyR/FblcI/lbwZ3pqxfalqNuqxQJHhAaJuJkE0jlnI= user1@example-1.com
ecdsa-sha2-nistp256 BBBBBE2VjZHNhLXNoYTItbmlzdHAyNTYBBBBIbmlzdH1111AAABBBFIv/yAbGAnT1qi2MEsLTAAB8v+YJfJoarEV8uUuKaVEnKyR/FblcI/lbwZ3pqxfalqNuqxQJHhAaJuJkE0jlnI= user@ssh-client.example.com
Be sure that file permissions are correct:
~]$ ls -ld ~/.ssh
drwx------. 2 user user 29 Sep 18 08:30 /home/user/.ssh
~]$ ls -l ~/.ssh/authorized_keys
-rw-------. 1 user user 568 Sep 18 08:30 /home/user/.ssh/authorized_keys
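The script below is an added example, not part of the Red Hat solution, that does what methods 2.a to 2.c do by hand: it installs a public key line into a user's authorized_keys in a way that can be re-run safely (no duplicate lines), creates ~/.ssh and authorized_keys with the modes shown above, and refuses input that does not look like a public key line. Run it on the server as the target user, or point it at any home directory path; the function names and the key used in the usage comment are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not from the Red Hat solution): install a public key the way
# ssh-copy-id does, but idempotently and with the file modes that sshd's
# StrictModes check expects. The function names are this example's own.
#
# Usage: install_authorized_key <home_dir> "<public key line>"
# Returns 0 when the key is present afterwards, 1 for a malformed key line.
install_authorized_key() {
    local home="$1" key="$2"
    local sshdir="$home/.ssh" authkeys="$home/.ssh/authorized_keys"

    # Accept only "<keytype> <base64> [comment]" lines for the common key
    # types, which keeps a pasted private key or an empty line out of the
    # file. Extend the list for sk-* FIDO keys or option-prefixed entries.
    case "$key" in
        "ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*|"ssh-rsa "*) ;;
        *) echo "refusing to install unrecognised key line" >&2; return 1 ;;
    esac
    # The base64 key material must be present: "ssh-ed25519" alone is not a key.
    set -- $key
    if [ $# -lt 2 ]; then
        echo "key line has no key material" >&2; return 1
    fi

    # ~/.ssh must be 700 and authorized_keys 600: umask 077 makes a newly
    # created directory and file private, and the chmods correct pre-existing
    # ones that an earlier sloppy copy may have left group-readable.
    (umask 077 && mkdir -p "$sshdir" && touch "$authkeys") || return 1
    chmod 700 "$sshdir" && chmod 600 "$authkeys" || return 1

    # Append only if this exact line is absent (-x whole line, -F literal),
    # so re-running the script never accumulates duplicates.
    if ! grep -qxF -- "$key" "$authkeys"; then
        printf '%s\n' "$key" >> "$authkeys"
    fi
}

# Number of times a given key line is present; 1 is the expected answer
# however many times install_authorized_key was run with it.
count_authorized_key() {
    grep -cxF -- "$2" "$1/.ssh/authorized_keys" || true
}

# Example (assumed paths):
#   install_authorized_key "$HOME" "$(cat /tmp/id_ecdsa.pub)"
```

Because the append is guarded by an exact-line match, the same script can run from configuration management on every pass without growing the file; the mode fixes are applied unconditionally, so a directory that was created group-readable by an earlier manual copy is repaired at the same time.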
3. Try the Setting
Now try logging in to the server with:
[user@ssh-client.example.com ~]$ ssh user@ssh-server.example.com
It should not prompt for the remote user's password. If the key was generated with a passphrase, ssh asks for that passphrase instead; to avoid typing it on every connection, load the key into the authentication agent with ssh-add as described in section 34.8. Connecting to remote machines with SSH keys using ssh-agent (the agent holds the decrypted key in memory, it does not store the passphrase). To confirm that the key, and not a password fallback, was used, run ssh with -v and look for "Authentication succeeded (publickey)" in the debug output.
Also review ~/.ssh/authorized_keys on the server to make sure no keys other than the one you intended were added, then log out and initiate an ssh connection again.
A. Troubleshooting
If login with SSH public-key authentication fails, check the following on the server (ssh -v on the client shows which authentication methods were tried and why the key was skipped or rejected):
A.1 File mode in server
Ensure the file mode looks like:
[user@ssh-server.example.com ~]$ ls -ld ~/{,.ssh,.ssh/authorized_keys*}
drwx------. 25 user user 4096 Aug 21 11:01 /home/user/
drwx------. 2 user user 4096 Aug 17 13:13 /home/user/.ssh
-rw-------. 1 user user 420 Aug 17 13:13 /home/user/.ssh/authorized_keys
All three paths must be owned by the user (or by root) and must not be writable by group or others. With StrictModes enabled, which is the default, sshd refuses to use the key when this check fails and logs "Authentication refused: bad ownership or modes" in /var/log/secure. Fix the modes with:
[user@ssh-server.example.com ~]$ chmod 600 ~/.ssh/authorized_keys
[user@ssh-server.example.com ~]$ chmod 700 ~/.ssh/
and, if the home directory itself is group- or world-writable, remove that write permission from it as well.
Setting StrictModes no in /etc/ssh/sshd_config on the server and restarting sshd also makes the error go away, by disabling the ownership and mode check altogether, but this is not recommended: a writable authorized_keys lets any user who can write the file add a key of their own and log in as that account. Fix the permissions instead.
Note that StrictModes does not apply to ChrootDirectory, whose permissions and ownership are always checked.
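As an added illustration of the A.1 check, not part of the Red Hat solution, the function below applies the ownership and write-bit rules sshd enforces under StrictModes to the three paths listed above and names the offending one, which is quicker than reading /var/log/secure on a busy host. It parses ls -ld rather than stat so that it behaves the same on RHEL 5 through 9; the function names are this example's own.

```shell
#!/bin/bash
# Added example (not from the Red Hat solution): replicate the ownership and
# mode rules sshd enforces under StrictModes for the paths the article lists,
# so the offending path is reported before sshd refuses the key.
#
# Usage: check_strict_modes <home_dir> <login_user>
# Prints one line per violation and returns 1 if any was found.
check_strict_modes() {
    local home="$1" owner="$2" rc=0 p perms own
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue     # sshd only inspects paths that exist
        # ls -ld prints "<mode> <links> <owner> <group> ..." on both GNU and
        # BSD userlands: field 1 is the mode string, field 3 the owning user.
        perms=$(ls -ld "$p" | awk '{print $1}')
        own=$(ls -ld "$p" | awk '{print $3}')
        # Rule 1: the path belongs to the user logging in, or to root.
        if [ "$own" != "$owner" ] && [ "$own" != root ]; then
            echo "$p: owned by $own, expected $owner or root"; rc=1
        fi
        # Rule 2: no write bit for group (6th character) or others (9th).
        case "$perms" in ?????w*) echo "$p: group-writable ($perms)"; rc=1 ;; esac
        case "$perms" in ????????w*) echo "$p: world-writable ($perms)"; rc=1 ;; esac
    done
    return $rc
}

# The fix the article recommends, applied in one go: strip group/other write
# from the home directory and make ~/.ssh and authorized_keys private.
fix_ssh_modes() {
    local home="$1"
    chmod go-w "$home" || return 1
    if [ -d "$home/.ssh" ]; then chmod 700 "$home/.ssh" || return 1; fi
    if [ -f "$home/.ssh/authorized_keys" ]; then chmod 600 "$home/.ssh/authorized_keys" || return 1; fi
    return 0
}

# Example: check_strict_modes "$HOME" "$(id -un)" || fix_ssh_modes "$HOME"
```

Ownership problems are not fixed by fix_ssh_modes on purpose: a ~/.ssh owned by another user usually means the directory was copied or restored wrongly, and chown should be a deliberate decision rather than a side effect of a helper.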
A.2. SELinux label in Server
SELinux can also potentially prevent sshd from accessing the ~/.ssh directory on the server.
This problem can be ruled out (or resolved) by running restorecon as follows on the remote user's ~/.ssh directory:
[user@ssh-server.example.com ~]$ restorecon -Rv ~/.ssh
A.3. Allow public key authentication on server
Ensure the following option in /etc/ssh/sshd_config on the server is set (it is the default):
PubkeyAuthentication yes
On Red Hat Enterprise Linux 6 and earlier, where sshd still supports the obsolete SSH protocol 1, the protocol 1 equivalent is:
RSAAuthentication yes
The OpenSSH versions shipped with current Red Hat Enterprise Linux 7, 8 and 9 releases no longer support protocol 1 and log a deprecation warning for RSAAuthentication; it has no effect on protocol 2 key authentication, which is governed solely by PubkeyAuthentication.
Once key-based login has been verified to work from the client, password authentication can be disabled so that a guessed or leaked password cannot be used to log in:
PasswordAuthentication no
Do this only after testing the key from a second session, because disabling passwords before the key works locks you out of the server. sshd uses the first value it finds for each keyword, so make sure an earlier line, or on Red Hat Enterprise Linux 9 a drop-in file under /etc/ssh/sshd_config.d/ that is included near the top of sshd_config, does not already set PasswordAuthentication. Check the syntax with sshd -t, then restart the SSH daemon to enable the change.
For RHEL 7 and later
[root@ssh-server.example.com ~]# systemctl restart sshd
For RHEL 5 and 6
[root@ssh-server.example.com ~]# service sshd restart
B. Additional Comments
- To prevent unauthorized use of an ssh private key, enter a passphrase when generating the key with ssh-keygen and use ssh-agent so that the passphrase is typed once per session rather than on every connection.
- For Red Hat Enterprise Linux 4 and below, refer to How to setup SSH password-less login on Red Hat Enterprise Linux 4 and below
Diagnostic Steps
- If the ssh-copy-id -i ~/.ssh/id_rsa.pub user@ssh-server.example.com command syntax is used and an attempted login then prompts for a passphrase that is not desired, either load the key into ssh-agent with ssh-add, or create a new key with ssh-keygen and press Enter to leave the passphrase blank. A regenerated public key must be installed on the server again, since the old entry in authorized_keys no longer matches.
- Example output with a passphrase-protected key and no agent; after three failed passphrase attempts ssh falls back to the account password:
[root@ssh-client.example.com ~]# ssh root@ssh-server.example.com
Enter passphrase for key '/root/.ssh/id_rsa':
Enter passphrase for key '/root/.ssh/id_rsa':
Enter passphrase for key '/root/.ssh/id_rsa':
root@ssh-server.example.com's password:
Last login: Sat Apr 12 19:51:39 2014 from ssh-server.example.com
- After regenerating the key:
[root@ssh-client.example.com ~]# ssh root@ssh-server.example.com
Last login: Sat Apr 12 19:54:14 2014 from ssh-server.example.com
[root@ssh-server.example.com ~]#
- The "Enter passphrase for key" prompt no longer appears.
- Check that the following line is uncommented in the /etc/ssh/sshd_config file on the ssh server:
AuthorizedKeysFile .ssh/authorized_keys
This is the default. The path is relative to the home directory of the user who is logging in (the tokens %h and %u expand to the home directory and the user name). If AuthorizedKeysFile is set to an absolute path such as /root/.ssh/authorized_keys, sshd reads that one file for every user and never consults /home/user/.ssh/authorized_keys, so the key installed in the user's home directory is ignored.
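Both section A.3 and the AuthorizedKeysFile diagnostic above come down to which value sshd actually uses for a keyword. The function below is an added example, not part of the Red Hat solution, that prints the effective global value of a keyword from one or more sshd_config files read in order, applying the rules that the first occurrence wins and that directives after a Match line are not global. The file names in the comments are assumptions; on a real host, sshd -T run as root prints the full effective configuration and is the authoritative check.

```shell
#!/bin/bash
# Added example (not from the Red Hat solution): print the value sshd will use
# for a keyword. sshd_config is first-match-wins, so a line appended at the end
# of the file does nothing if the keyword was already set higher up, or in a
# drop-in pulled in by an Include line near the top (Red Hat Enterprise Linux 9
# ships /etc/ssh/sshd_config.d/50-redhat.conf that way).
#
# Usage: sshd_effective <keyword> <config_file>...
# Pass the files in the order sshd reads them (drop-ins first when the Include
# is at the top). Prints the first value found and returns 0; returns 1 when
# the keyword is never set globally, meaning the compiled-in default applies.
sshd_effective() {
    local keyword="$1"
    shift
    awk -v kw="$keyword" '
        { sub(/#.*/, ""); sub(/[ \t]+$/, "") }      # drop comments and trailing blanks
        tolower($1) == "match" { exit }             # nothing after Match is global
        tolower($1) == tolower(kw) && NF >= 2 {     # keywords are case-insensitive
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")         # strip the keyword, keep the value
            print
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    ' "$@"
}

# Example (assumed paths, in the order a RHEL 9 sshd reads them):
#   sshd_effective PasswordAuthentication /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config
```

A return code of 1 for PasswordAuthentication or PubkeyAuthentication means the keyword is not set anywhere and the built-in default (yes for both) is in force, which is the situation when the only occurrence is a commented-out line.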
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.