In this tutorial I will explain how to set up passwordless SSH login on an Ubuntu server.
There are basically two ways of authenticating user login with OpenSSH server: password authentication and public key authentication. The latter is also known as passwordless SSH login because you don’t need to enter your password.
Also we will disable the password authentication and root login as well. As an alternate we will create another user.
Step 1: Create new Non-Root User
Create new user
First of all we will create a new ssh user (Ubuntu 18.04, Ubuntu 20.04, Ubuntu 22.04, Debian 10, and Debian 11). This is VERY IMPORTANT to create a Non-Root user before disabling the root user login otherwise you will be locked out from your server!
Log in as the root user on the desired server.
ssh root@xxx.xxx.xxx.xxx
- To create a new user named
admin, enter the following command:adduser admin
Enter the desired password and repeat it.
- Optional: Enter additional user information. To skip entering this information, press Enter.
Changing the user information for admin Enter the new value, or press ENTER for the default Full Name [ ]: Room Number [ ]: Work Phone [ ]: Home Phone [ ]: Other [ ]: Is the information correct? [Y/n]
Type Y and press Enter.
In next step we will assign our new user sudo rights
Assigning Sudo Rights to a User
To assign sudo privileges to a user in Debian and Ubuntu, you must add the user to the sudo group. To add the user to this group, enter the following command:
usermod -aG sudo admin
To check if the change was successful, enter the following command :
groups admin
Example output:
admin : admin sudo
Upto this step you have create a non root user with sudo privileges.
Testing Sudo-Enabled Users
To test whether the sudo permissions work, do the following:
- To change the user, enter the following command:
su admin
- To test sudo rights let’s list the contents of the /root directory. To do this, type the following command:
sudo ls -la /root
The first time you use sudo in a session, you are prompted for the user admin‘s password.
Enter the admin‘s password.
You are acting as super user now.
Step 2: Create Key Pair
In this step will create a new Key pair(Public/Private) on our machine. Remember that we can create this on our desktop or on server using OpenSSH Client but eventually the public key will be placed on server and private key will be used in the local machine. So better to create it in your local machine.
To create a key/pair we will use ssh-keygen tool. This tool is available on most Linux based system by default. If it is not please install it.
On your terminal , enter the following command:
ssh-keygen -t rsa -b 4096
Where:
-tstands fortype. The above command generates an RSA type keypair. RSA is the default type.-bstands forbits. By default the key is 3072 bits long. We use a 4096 bits key for stronger security.
Name your key, for example myserver_name_rsa. If you simply press Enter to use the default file it will create a key par with id_rsa. Next, enter a good passphrase at least 20 characters long. The passphrase is used to encrypt the private key.
- The private key will be save as
myserver_name_rsafile in your current directory. - The public key will be save as
myserver_name_rsa.pubfile in your current directory.
Test whether key-pair created successfully
file myserver_name_rsa
Should show:
myserver_name_rsa: OpenSSH private key
Now it is time to copy your public key to your server. Run the following command to copy it.
ssh-copy-id -i myserver_name_rsa.pub admin@xxx.xxx.xxx.xxx
Enter the current password when prompted to. It should result in:
Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'admin@xxx.xxx.xxx.xxx'" and check to make sure that only the key(s) you wanted were added.
Note: All you need to do is to copy public key to ~/.ssh folder on your server for current user.
Once key is on your server you are ready to try your first login with ssh key-pair. Type the following command:
ssh -l admin -i /path_to_your_key_file/myserver_name_rsa xxx.xxx.xxx.xxx
If everything goes good you should be in without prompting for a password!
Step 3: Disable Root Login
Edit the /etc/ssh/sshd_config file:
sudo nano /etc/ssh/sshd_config
Find PasswordAuthentication set to no too:
PasswordAuthentication no
Additionally you can turn off the Keyboard based Interactive Authentication by turning off the following authentication types.
Find/edit/add KbdInteractiveAuthentication and set to no:
KbdInteractiveAuthentication no
Search for UsePAM and set to no, too:
UsePAM no
Finally you can turn off root login. Find PermitRootLogin and set it to no:
PermitRootLogin no #PermitRootLogin prohibit-password
You can use the systemctl command for systemd based Linux distros:
sudo systemctl reload ssh
Step 4 – Verify
In order test whether root login or login with password is disabled. First, try to login as root:
ssh root@xxx.xxx.xxx.xxx
Should result in:
Permission denied (publickey).
Next try to login as user admin which we created in first step. Try:
ssh admin@xxx.xxx.xxx.xxx -o PubkeyAuthentication=no
Should also result in:
Permission denied (publickey).
Conclusion
In this article we learned a way to disable password authentication for SSH logins on Linux server. We also disabled root user login to the server but before that we created an admin user. Following this article you can setup your server to accept only ssh key based authentication and reject any password or Keyboard Interactive login attempts.