In an automated IT world, password-based authentication is not a good choice and restricts many capabilities. For SSH access, you can easily configure SSH key based authentication, which is simple to set up and very useful for quick server access. This method is also more secure than password-based access, since authentication happens using a private and public key pair.
Warning: Make sure you keep all your private keys in a secure place.
Let us learn this setup in simple 1-2-3 steps.
You can either create a dedicated user for remote access or use any existing user. For this demo, we will create a new user devops on the remote node ansible-node1.
[admin@ansible-node1 ~]$ sudo useradd devops
This step is optional, as we don't strictly need to enable sudo or password-less sudo access for the user. But in some cases, like Ansible automation, it is recommended to enable password-less sudo access so that privilege escalation works smoothly.
Add sudo access for our new user devops.
[admin@ansible-node1 ~]$ sudo cat /etc/sudoers.d/devops
devops ALL=(ALL) NOPASSWD: ALL
Enable PasswordAuthentication For First Time Access
For the first time setup, I am enabling PasswordAuthentication in the /etc/ssh/sshd_config file. Please note, this has to be done on the node you want to manage.
PasswordAuthentication yes
And restart the sshd service:
$ sudo systemctl restart sshd
On your working host (such as the Ansible control node, your jump host server, or your workstation), create the SSH key pair. (Since we want to implement access without any interaction, we will create the key pair without a passphrase.)
You can execute ssh-keygen with no options, or specify the key type and length; e.g.: ssh-keygen -t rsa -b 4096 -C "[email protected]"
[admin@ansible-box ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/devops/.ssh/id_rsa):
Created directory '/home/devops/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/devops/.ssh/id_rsa.
Your public key has been saved in /home/devops/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:mmSZGlQS9uN1NslXAOLiF70xHRWnfwtL2Asx3nHskYU devops@ansible-box
The key's randomart image is:
+---[RSA 2048]----+
| +.. . ..oo+oo|
| . + . + o oEoo|
| . + + Xoo..= |
| . o * +.** +..|
| . B S .+ = .o|
| = + o + o|
| . o o . |
| |
| |
+----[SHA256]-----+
Check the generated private key and public key files.
[admin@ansible-box ansible]$ cd ~/.ssh/
[admin@ansible-box .ssh]$ ls -lrta
total 12
-rw-r--r--. 1 admin admin 400 Jun 11 06:46 id_rsa.pub
-rw-------. 1 admin admin 1675 Jun 11 06:46 id_rsa
drwx------. 4 admin admin 110 Jun 11 06:46 ..
-rw-r--r--. 1 admin admin 186 Jun 11 06:55 known_hosts
drwx------. 2 admin admin 57 Jun 11 06:56
Make sure your file permissions are as shown above: 600 for private keys.
Now you need to add the public key of your master/workstation key pair to the nodes you want to manage or access from your workstation. There are two ways to achieve this.
ssh-copy-id method
You need to add the key to the remote node using the ssh-copy-id command (from the workstation, as shown below). We need to enable PasswordAuthentication for this, as we need to log in with a password one time. (You can disable PasswordAuthentication after this step. Refer to Step 1.3: Enable PasswordAuthentication For First Time Access.)
[admin@ansible-box ansible]$ ssh-copy-id -i ~/.ssh/id_rsa devops@ansible-node1
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/devops/.ssh/id_rsa.pub"
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
devops@ansible-node1's password:
Permission denied, please try again.
devops@ansible-node1's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'devops@ansible-node1'"
and check to make sure that only the key(s) you wanted were added
~/.ssh/authorized_keys file
We can also copy the public key to ~/.ssh/authorized_keys on the remote node manually (but the correct way is to use the ssh-copy-id command).
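As an added example (not code from the original post), the following POSIX shell helpers reproduce the manual ~/.ssh/authorized_keys method described above the way ssh-copy-id does it (idempotent, with the 700/600 permissions that sshd's StrictModes checks), verify the 600 mode the earlier listing shows for private keys, and read the effective PasswordAuthentication value from an sshd_config file. The function names and the sample key are assumptions of mine; paths are passed as arguments so the helpers can be run against a scratch directory.

```shell
#!/bin/sh
# Added example, not the post's own commands. Paths are arguments so the
# functions can be exercised on a scratch directory instead of a real host.

# Install the public key in HOME/.ssh/authorized_keys, idempotently and with
# the permissions sshd's StrictModes expects (700 on .ssh, 600 on the file).
install_authorized_key() {
  pub="$1"; home="$2"
  sshdir="$home/.ssh"; ak="$sshdir/authorized_keys"
  # Key type + base64 blob identify the key; the trailing comment is ignored,
  # so re-installing the same key with a different comment is still a no-op.
  keyid=$(awk '{print $1 " " $2}' "$pub")
  [ -n "$keyid" ] || return 1
  mkdir -p "$sshdir" && chmod 700 "$sshdir"
  touch "$ak" && chmod 600 "$ak"
  if grep -qF -- "$keyid" "$ak"; then
    echo "already installed"; return 0
  fi
  cat "$pub" >> "$ak"
  echo "installed"
}

# Return 0 only if FILE is mode 600 (-rw-------), as required for private keys.
# The mode string is read from ls so this works without GNU stat.
is_private_key_mode() {
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Print the effective PasswordAuthentication value from an sshd_config file.
# sshd uses the FIRST uncommented occurrence of a keyword, so a "yes" appended
# at the end of the file does nothing if an earlier line already says "no".
# Match blocks are not considered; the default when unset is "yes".
effective_password_auth() {
  awk 'tolower($1)=="passwordauthentication" {print tolower($2); found=1; exit}
       END {if (!found) print "yes"}' "$1"
}

# Constructed demo: install a sample key into a scratch home and audit it.
demo() {
  tmp=$(mktemp -d)
  printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructed devops@ansible-box\n' > "$tmp/id_rsa.pub"
  install_authorized_key "$tmp/id_rsa.pub" "$tmp/home"
  install_authorized_key "$tmp/id_rsa.pub" "$tmp/home"   # second run: already installed
  printf 'PasswordAuthentication no\nPasswordAuthentication yes\n' > "$tmp/sshd_config"
  effective_password_auth "$tmp/sshd_config"              # prints "no"
  rm -rf "$tmp"
}
```

Run demo from a shell that has sourced the file to see the two install results and the effective sshd setting.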
Now we will log in to the remote node ansible-node1 using the devops user, as shown below.
[admin@ansible-box ansible]$ ssh devops@ansible-node1
Last login: Mon Jun 11 10:02:23 2018
[devops@ansible-node1 ~]$
You can see that ansible-node1 didn't ask me for any password, since the devops user has already been authenticated using the SSH key pair.
If you have multiple keys for multiple projects or server groups, you can specify which SSH key to use for the connection.
[admin@ansible-box ansible]$ ssh devops@ansible-node1 -i ~/.ssh/id_rsa
Last login: Mon Jun 11 10:05:07 2018 from ansible-box.c.devops-angel.internal
Again, please make sure your private key files are stored in a safe and secure place with restricted access.
Read more about SSH keys: SSH Key and Configurations
Gineesh Madapparambath
Gineesh Madapparambath is the founder of techbeatly and he is the co-author of The Kubernetes Bible, Second Edition, and the author of Ansible for Real-Life Automation.
He has worked as a Systems Engineer, Automation Specialist, and content author. His primary focus is on Ansible Automation, Containerisation (OpenShift & Kubernetes), and Infrastructure as Code (Terraform).
(aka Gini Gangadharan - iamgini.com)
Good share
aaa, simple and easy one..
I was doing something wrong and complex one… he he.. no wonder….
Thanks.