In many situations (for example, when scripts access different systems) a user needs to authenticate remotely without typing a password.
Luckily, this is very easy to do using ssh-keygen.
In this example I will use two RHEL 7 systems, server1 and server2, and configure SSH key-based authentication between them.
Key generation is done using ssh-keygen, which generates the private and public keys: ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub.
Permissions must be 600 on the private key and 644 on the public key.
To generate the keys, run:
[root@server1 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
f1:37:5d:d8:91:d4:33:f2:da:3d:aa:4b:fd:f5:df:d0 root@server1
The key's randomart image is:
+--[ RSA 2048]----+
| .oo|
| . *o|
| . + =|
| o . o |
| S . o + .|
| ..o +.|
| . .o E|
| . ...+|
| oo .=|
+-----------------+
And on server2:
[root@server2 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
4a:85:79:d3:95:22:84:23:a2:2b:b5:e3:dc:29:ae:94 root@server2
The key's randomart image is:
+--[ RSA 2048]----+
| o. .. |
| . . oo..... |
| . . .o.+... |
|. . o . |
| o . . S |
|o + . . |
|.E o .. |
|. + o |
|.o.. |
+-----------------+
Now copy the public key to the remote system that the key should be able to log in to, or, as in this example, from each system to the other:
[root@server1 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@server2
The authenticity of host 'server2 (192.168.221.185)' can't be established.
ECDSA key fingerprint is 33:bb:1f:3d:85:5b:1f:1e:7d:c8:5a:1f:6a:44:55:49.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@server2's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@server2'"
and check to make sure that only the key(s) you wanted were added.
[root@server1 ~]# ssh root@server2
Last login: Sat Oct 10 20:15:18 2015 from 192.168.221.1
[root@server2 ~]#
And on server2:
[root@server2 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@server1
The authenticity of host 'server1 (192.168.221.184)' can't be established.
ECDSA key fingerprint is 0e:7d:a1:03:c4:bc:c7:71:36:dd:a4:5b:b3:09:4f:e0.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@server1's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@server1'"
and check to make sure that only the key(s) you wanted were added.
[root@server2 ~]# ssh root@server1
Last login: Sun Oct 11 01:14:55 2015 from 192.168.221.1
[root@server1 ~]#
That's it. Now I can ssh into the remote server using a public key and run commands:
[root@server2 ~]# ssh root@server1 ls
anaconda-ks.cfg
[root@server2 ~]#
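The permission requirement above, and ssh-copy-id's advice to check that only the wanted keys were added, can both be verified with a short script. This is an added example, not part of the original post: the function names are hypothetical, and the 700 limit for the directory and 600 for authorized_keys are assumptions (the page gives only 600 and 644 for the key pair).

```shell
#!/bin/sh
# Added example, not from the original page. Helper names are hypothetical.
# Usage: audit_ssh_dir /root/.ssh; list_authorized_keys /root/.ssh/authorized_keys

# Report a path whose mode grants any bit beyond the allowed maximum.
check_mode() {   # check_mode <path> <max-octal-mode>
    [ -e "$1" ] || return 0                  # a missing file is not a finding
    mode=$(stat -c '%a' "$1")                # GNU stat, as shipped on RHEL
    if [ $(( 0$mode & ~0$2 & 07777 )) -ne 0 ]; then
        echo "TOO OPEN: $1 is $mode, expected at most $2"
        return 1
    fi
}

# Check the files created in this walkthrough; the return value is the
# number of findings. 600 and 644 come from the page; 700 for the directory
# and 600 for authorized_keys are assumed limits.
audit_ssh_dir() {   # audit_ssh_dir <dir>
    dir=$1; findings=0
    check_mode "$dir" 700                 || findings=$((findings + 1))
    check_mode "$dir/id_rsa" 600          || findings=$((findings + 1))
    check_mode "$dir/id_rsa.pub" 644      || findings=$((findings + 1))
    check_mode "$dir/authorized_keys" 600 || findings=$((findings + 1))
    return "$findings"
}

# Print "<key type> <comment>" for every key in an authorized_keys file so
# unexpected entries stand out. Blank lines and comments are skipped, and a
# leading options field such as from="..." is stepped over.
list_authorized_keys() {   # list_authorized_keys <file>
    awk '!/^[ \t]*(#|$)/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9-]+@openssh\.com)$/) {
                c = ""
                for (j = i + 2; j <= NF; j++) c = c (c == "" ? "" : " ") $j
                print $i, (c == "" ? "(no comment)" : c)
                break
            }
    }' "$1"
}
```

Run both functions on each server after ssh-copy-id: the audit should report nothing, and the key list on server2 should show only root@server1 (and the reverse on server1).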