Steps to Set up PasswordLess SSH Login on Ubuntu with Key Pair

In this tutorial I will explain how to set up passwordless SSH login on an Ubuntu server.

There are basically two ways of authenticating user login with OpenSSH server: password authentication and public key authentication. The latter is also known as passwordless SSH login because you don’t need to enter your password.

Also we will disable the password authentication and root login as well. As an alternate we will create another user.

Step 1: Create new Non-Root User

Create new user

First of all we will create a new ssh user (Ubuntu 18.04, Ubuntu 20.04, Ubuntu 22.04, Debian 10, and Debian 11)

1. Log in as the root user on the desired server.

   ssh root@xxx.xxx.xxx.xxx

2. To create a new user named admin, enter the following command:

   [root@localhost ~]# adduser admin

3. Enter the desired password and repeat it.

4. Optional: Enter additional user information. To skip entering this information, press Enter.

   Changing the user information for admin
   Enter the new value, or press ENTER for the default
   Full Name [ ]:
   Room Number [ ]:
   Work Phone [ ]:
   Home Phone [ ]:
   Other [ ]:
   Is the information correct? [Y/n]

5. Type Y and press Enter.

Assigning Sudo Rights to a User

To assign sudo privileges to a user in Debian and Ubuntu, you must add the user to the sudo group. To add the user to this group, enter the following command:

[root@localhost ~]# usermod -aG sudo admin

To check if the change was successful, enter the following command :

[root@localhost ~]# groups admin

Example output:

admin : admin sudo

Testing Sudo-Enabled Users

To test whether the sudo permissions work, do the following:

1. To change the user, enter the following command:

   [root@localhost ~]# su admin

2. To test sudo rights let’s list the contents of the /root directory. To do this, type the following command:

   [admin@localhost root]$ sudo ls -la /root

3. The first time you use sudo in a session, you are prompted for the user’s password.

4. Enter the user’s password.

5. You are acting as super user now.

Step 2: Create Key Pair

In this step will create a new Key pair(Public/Private) on our machine. Remember that we can create this on our desktop or on server using OpenSSH Client but eventually the public key will be placed on server and private key will be used in the local machine. So better to create it in your local machine.

To create a key/pair we will use ssh-keygen tool. This tool is available on most Linux based system by default. If it is not please install it.

On your terminal , enter the following command:

ssh-keygen -t rsa -b 4096

Where:

• -t stands for type. The above command generates an RSA type keypair. RSA is the default type.
• -b stands for bits. By default the key is 3072 bits long. We use a 4096 bits key for stronger security.

Name your key, for example myserver_name_rsa. If you simply press Enter to use the default file it will create a key par with id_rsa. Next, enter a good passphrase at least 20 characters long. The passphrase is used to encrypt the private key.

• The private key will be save as myserver_name_rsa file in your current directory.
• The public key will be save as myserver_name_rsa.pub file in your current directory.

Test whether key-pair created successfully

file myserver_name_rsa

Should show:

myserver_name_rsa: OpenSSH private key

Now it is time to copy your public key to your server. Run the following command to copy it.

ssh-copy-id -i myserver_name_rsa.pub admin@xxx.xxx.xxx.xxx

Enter the current password when prompted to. It should result in:

Number of key(s) added:        1

Now try logging into the machine, with:   "ssh 'admin@xxx.xxx.xxx.xxx'"
and check to make sure that only the key(s) you wanted were added.

Note: All you need to do is to copy public key to ~/.ssh folder on your server for current user.

Once key is on your server you are ready to try your first login with ssh key-pair. Type the following command:

ssh -l admin -i /path_to_your_key_file/myserver_name_rsa xxx.xxx.xxx.xxx

If everything goes good you should be in without prompting for a password!

Step 3: Disable Root Login

Edit the /etc/ssh/sshd_config file:

sudo nano /etc/ssh/sshd_config

Find/edit/add ChallengeResponseAuthentication and set to no:

ChallengeResponseAuthentication no

Next, find PasswordAuthentication set to no too:

PasswordAuthentication no

Search for UsePAM and set to no, too:

UsePAM no

Finally look for PermitRootLogin and set it to no too:

PermitRootLogin no
#PermitRootLogin prohibit-password

We can use the systemctl command for systemd based Linux distros:

sudo systemctl reload ssh

Step 4 – Verify

In order test whether root login or login with password is disabled.  First, try to login as root:

ssh root@xxx.xxx.xxx.xxx

Should result in:

Permission denied (publickey).

Next try to login as user admin which we created in first step. Try:

ssh admin@xxx.xxx.xxx.xxx -o PubkeyAuthentication=no

Should also result in:

Permission denied (publickey).

Conclusion

And there you are. You have disabled password authentication for SSH including root user. Your server will now only accept key based login and the root user can not login with password.