Showing posts with label SSH. Show all posts

Saturday, 9 August 2025

Linux - Passwordless SSH Login

In this blog I will show how to enable passwordless SSH access using SSH key-based authentication. This method uses a public/private key pair to authenticate without needing a password.

1. Generate SSH Key Pair on Your Local Machine (Node A)

(Node A) ssh-keygen -t rsa

It will show two prompts, as below. If you do not want to change the default values (including the empty passphrase), simply hit Enter twice.

  • Press Enter to accept the default location (~/.ssh/id_rsa)
  • Leave the passphrase empty for true passwordless login

2. Copy the Public Key to the Remote Server (Node B)

ssh-copy-id username@nodeb

  • This appends your public key to the remote server’s ~/.ssh/authorized_keys
  • You’ll be prompted for the remote user’s password once

If the ssh-copy-id command isn’t installed, use:

cat ~/.ssh/id_rsa.pub | ssh username@nodeb "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

3. Set Correct Permissions on Remote Server

ssh username@nodeb "chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys"

4. Test Passwordless Login

ssh username@nodeb

You should now log in without being prompted for a password.
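
Steps 2 and 3 as one idempotent function, added here as an example (it is not code from the original post). `install_pubkey`, `perms_ok` and `mode_of` are hypothetical helper names, and the functions are assumed to run on Node B as the target user.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not from the original post.

# mode_of PATH -> prints the 9 permission characters, e.g. rwx------
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# install_pubkey PUBKEY_FILE [SSH_DIR]
# Appends the key only if that exact line is not already present and
# leaves SSH_DIR at 700 and authorized_keys at 600.
install_pubkey() {
    pubkey_file=$1
    ssh_dir=${2:-$HOME/.ssh}
    auth="$ssh_dir/authorized_keys"

    # Read only the first line; an empty file is rejected.
    IFS= read -r key < "$pubkey_file" || [ -n "$key" ] || return 2
    # Accept only public-key lines, so a private key is never appended.
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) return 2 ;;
    esac

    # Create the directory and file without group/other access.
    ( umask 077; mkdir -p "$ssh_dir" && touch "$auth" ) || return 1
    # Tighten modes even if the directory or file already existed.
    chmod 700 "$ssh_dir" && chmod 600 "$auth" || return 1

    # -F fixed string, -x whole line: skip the append if already installed.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# perms_ok [SSH_DIR] -> returns 0 if the modes match step 3, 1 otherwise.
perms_ok() {
    ssh_dir=${1:-$HOME/.ssh}
    [ "$(mode_of "$ssh_dir")" = "rwx------" ] &&
        [ "$(mode_of "$ssh_dir/authorized_keys")" = "rw-------" ]
}
```

Unlike the plain `cat >>` pipeline, running `install_pubkey` a second time with the same key does not add a duplicate line to authorized_keys.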

Sunday, 16 July 2023

Linux User SSH Access Control

Technology growth is rapid, and implementing solutions without proper restrictions can lead to data leaks and cyberattacks. The first line of defence for any solution is its users. Granting granular privileges and role-based access is one of the critical tasks that should be implemented.

SSH is the Secure Shell protocol, which works on port 22. In Linux, users connect remotely to administer and manage daily activities on the server. There are multiple secure ways of handling user access. In this blog I will describe how to restrict SSH access to a server.

Create a Group in Linux that will contain all the users who will be provided SSH access to the server. 

# groupadd ssh-users

You can also specify a group ID for this group and keep it consistent across your environment, so that it can be managed at large scale with configuration automation tools such as Ansible in the future.

# groupadd -g 3000 ssh-users

Create a user and add it to the ssh-users group.

# useradd -c "SSH Allowed user" -m -d /home/karthick -s /bin/bash -G ssh-users karthick

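where,

-c is a comment that lets an administrator identify the user or gives a brief description of the user.

-m creates the home directory if it does not exist.

-d specifies the home directory of the user.

-s is the login shell that the user will be using.

-G adds the user to the secondary (supplementary) groups mentioned.

-a (append) is an option of usermod, not useradd; it is used together with -G when appending an existing user to a group without removing the user from its other groups.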

SSH Restriction

Edit the sshd_config file at /etc/ssh/sshd_config and add the following line at the end.

AllowGroups ssh-users

Restart the sshd service. 

# systemctl restart sshd

Now SSH access is denied to all users except those who are members of the ssh-users group.

Ansible Automation

I have written a sample Ansible play to automate these tasks in my git - SSH-Restriction



Best Practices: 

Never allow remote SSH access for any privileged/admin account.

Always provide SSH access to a normal user and then allow sudo escalation or su to a privileged user with a password.

References:

https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_handlers.html

OS: 

RHEL, SUSE Linux, CentOS