In this tutorial I will explain how to set up passwordless SSH login on an Ubuntu server.
There are basically two ways of authenticating user login with OpenSSH server: password authentication and public key authentication. The latter is also known as passwordless SSH login because you don’t need to enter your password.
We will also disable password authentication and root login. As an alternative to root, we will create another user.
Step 1: Create new Non-Root User
Create new user
First of all, we will create a new SSH user (Ubuntu 18.04, Ubuntu 20.04, Ubuntu 22.04, Debian 10, and Debian 11).
- Log in as the root user on the desired server:
ssh root@xxx.xxx.xxx.xxx
- To create a new user named admin, enter the following command:
[root@localhost ~]# adduser admin
- Enter the desired password and repeat it.
- Optional: Enter additional user information. To skip entering this information, press Enter.
Changing the user information for admin
Enter the new value, or press ENTER for the default
Full Name [ ]:
Room Number [ ]:
Work Phone [ ]:
Home Phone [ ]:
Other [ ]:
Is the information correct? [Y/n]
- Type Y and press Enter.
Assigning Sudo Rights to a User
To assign sudo privileges to a user in Debian and Ubuntu, you must add the user to the sudo group. To add the user to this group, enter the following command:
[root@localhost ~]# usermod -aG sudo admin
To check whether the change was successful, enter the following command:
[root@localhost ~]# groups admin
Example output:
admin : admin sudo
Testing Sudo-Enabled Users
To test whether the sudo permissions work, do the following:
- To change the user, enter the following command:
[root@localhost ~]# su admin
- To test sudo rights let’s list the contents of the /root directory. To do this, type the following command:
[admin@localhost root]$ sudo ls -la /root
- The first time you use sudo in a session, you are prompted for the user’s password.
- Enter the user’s password.
- You are acting as super user now.
Step 2: Create Key Pair
In this step we will create a new key pair (public/private). We can create it on our desktop or on the server using the OpenSSH client, but eventually the public key will be placed on the server and the private key will be used on the local machine, so it is better to create it on your local machine.
To create a key pair we will use the ssh-keygen tool. This tool is available on most Linux-based systems by default. If it is not, please install it.
In your terminal, enter the following command:
ssh-keygen -t rsa -b 4096
Where:
- -t stands for type. The above command generates an RSA type keypair. RSA is the default type.
- -b stands for bits. By default the key is 3072 bits long. We use a 4096 bits key for stronger security.
Name your key, for example myserver_name_rsa. If you simply press Enter to use the default file, it will create a key pair named id_rsa. Next, enter a good passphrase at least 20 characters long. The passphrase is used to encrypt the private key.
- The private key will be saved as the myserver_name_rsa file in your current directory.
- The public key will be saved as the myserver_name_rsa.pub file in your current directory.
Test whether the key pair was created successfully:
file myserver_name_rsa
Should show:
myserver_name_rsa: OpenSSH private key
Now it is time to copy your public key to your server. Run the following command to copy it.
ssh-copy-id -i myserver_name_rsa.pub admin@xxx.xxx.xxx.xxx
Enter the current password when prompted. It should result in:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'admin@xxx.xxx.xxx.xxx'"
and check to make sure that only the key(s) you wanted were added.
Note: All you need to do is copy the public key into the ~/.ssh folder (the authorized_keys file) on your server for the current user.
Once the key is on your server, you are ready to try your first login with the SSH key pair. Type the following command:
ssh -l admin -i /path_to_your_key_file/myserver_name_rsa xxx.xxx.xxx.xxx
If everything goes well, you should be logged in without being prompted for a password!
Step 3: Disable Root Login
Edit the /etc/ssh/sshd_config file:
sudo nano /etc/ssh/sshd_config
Find (or add) ChallengeResponseAuthentication and set it to no:
ChallengeResponseAuthentication no
Next, find PasswordAuthentication and set it to no too:
PasswordAuthentication no
Search for UsePAM and set to no, too:
UsePAM no
Finally, look for PermitRootLogin and set it to no too:
#PermitRootLogin prohibit-password
PermitRootLogin no
Reload the SSH service to apply the changes. On systemd-based Linux distros we can use the systemctl command:
sudo systemctl reload ssh
Step 4: Verify
To test whether root login and password login are disabled, first try to log in as root:
ssh root@xxx.xxx.xxx.xxx
Should result in:
Permission denied (publickey).
Next, try to log in as the user admin, which we created in the first step, with public key authentication turned off. Try:
ssh admin@xxx.xxx.xxx.xxx -o PubkeyAuthentication=no
Should also result in:
Permission denied (publickey).
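A server-side check that complements the login tests above, as an added example that is not part of the original tutorial: it compares the settings sshd actually applies (the output of sshd -T) with the values from Step 3, which catches a value set earlier by an included file, such as one under /etc/ssh/sshd_config.d/ on releases that ship that directory. The function and sample names are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: compare sshd's effective settings with this tutorial's Step 3.
# Input is `sshd -T` style text on stdin: one "keyword value" pair per line.
# On the server:  sudo sshd -T | check_sshd_effective
check_sshd_effective() {
    awk '
    BEGIN {
        want["passwordauthentication"]       = "no"
        want["permitrootlogin"]              = "no"
        want["usepam"]                       = "no"
        want["pubkeyauthentication"]         = "yes"
        want["kbdinteractiveauthentication"] = "no"
        # Older sshd reports this keyword under its previous name as well.
        alias["challengeresponseauthentication"] = "kbdinteractiveauthentication"
    }
    {
        key = tolower($1); val = tolower($2)
        if (key in alias) key = alias[key]
        if (!(key in want)) next
        seen[key] = 1
        if (val != want[key]) {
            printf "FAIL %s is %s, expected %s\n", key, val, want[key]
            bad++
        }
    }
    END {
        for (k in want) if (!(k in seen)) { printf "FAIL %s not reported\n", k; bad++ }
        exit (bad > 0)
    }'
}

# Constructed sample: settings after Step 3 took effect.
sample_hardened() {
    cat <<'EOF'
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
usepam no
EOF
}

# Constructed sample: an included drop-in file re-enabled passwords.
sample_overridden() {
    sample_hardened | sed 's/^passwordauthentication no$/passwordauthentication yes/'
}

sample_overridden | check_sshd_effective || echo "effective config deviates from Step 3"
```

Run sudo sshd -t to check the file's syntax before reloading, and keep your current session open until a new key-based login has succeeded.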
Conclusion
And there you are. You have disabled password authentication for SSH, including for the root user. Your server will now only accept key-based logins, and the root user cannot log in with a password.