Saturday, July 27, 2013

Passwordless root SSH Public Key Authentication on CentOS 6

It's often useful to be able to SSH to other machines without being prompted for a password. Additionally, if you are using tools such as Parallel SSH you will need to set up public key SSH authentication. Setting it up is relatively straightforward:

On the client machine (i.e. the one you are SSH'ing from) you will need to create an SSH RSA key pair. Run the following command - ensure you don't supply a passphrase:

[root@node01 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/
The key fingerprint is:
c6:66:93:16:73:0b:bf:46:46:28:7d:a5:38:a3:4d:6d root@node01
The key's randomart image is:
+--[ RSA 2048]----+
|            .    |
|       . + o     |
|      . @ E      |
|       * & .     |
|      . S =      |
|       = + .     |
|          o      |
|         .       |
|                 |

This will generate the following files:

[root@node01 ~]# cd ~/.ssh
[root@node01 .ssh]# ls -l
total 8
-rw-------. 1 root root 1675 Jul 27 15:01 id_rsa
-rw-r--r--. 1 root root  406 Jul 27 15:01

On the client machine tighten up file system permissions thus:

[root@node01 ~]# chmod 700 ~/.ssh
[root@node01 ~]# chmod 600 ~/.ssh/*
[root@node01 ~]# ls -ld ~/.ssh && ls -l ~/.ssh
drwx------. 2 root root 4096 Jul 27 15:01 /root/.ssh
-rw-------. 1 root root 1675 Jul 27 15:01 id_rsa
-rw-------. 1 root root  406 Jul 27 15:01

Now copy the public key to the machine you want to SSH to and fix the permissions there (you will be prompted for the root password):

[root@node01 ~]# ssh root@node02 'mkdir -p /root/.ssh'
[root@node01 ~]# scp /root/.ssh/ root@node02:/root/.ssh/authorized_keys
[root@node01 ~]# ssh root@node02 'chmod 700 /root/.ssh'
[root@node01 ~]# ssh root@node02 'chmod 600 /root/.ssh/*'

You can also use the utility ssh-copy-id to do the above steps. If you don't have scp on the remote machine you will need to install it:

[root@node01 ~]# ssh root@node02 'yum install openssh-clients'

You should now be able to ssh directly from node01 to node02 without providing a password:

[root@node01 ~]# ssh node02
Last login: Wed Jul 27 15:41:56 2011 from
[root@node ~]#

IMPORTANT: There is a bug in CentOS 6 / SELinux that causes all client-presented public keys to be ignored when SELinux is set to Enforcing, because the files under /root/.ssh carry the wrong SELinux context. To fix this, simply relabel the directory:

[root@node01 ~]# ssh root@node02 'restorecon -R -v /root/.ssh'
restorecon reset /root/.ssh context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
restorecon reset /root/.ssh/authorized_keys context unconfined_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
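
The steps above boil down to getting the modes, ownership and SELinux label of the ~/.ssh directory right, which is exactly what sshd's StrictModes checks before it will honour authorized_keys. The following script is an added example (not part of the original post) that checks a .ssh directory against those requirements and, if asked, repairs it the same way the post does; it assumes GNU stat (as on CentOS 6) and calls restorecon only when the tool is installed.

```shell
#!/bin/sh
# Added example: verify and repair the ~/.ssh layout that sshd requires
# before it will read authorized_keys (StrictModes). Assumes GNU stat;
# restorecon (policycoreutils) is used when present for the SELinux label.

# Print the octal mode of a path, e.g. 700 or 600.
mode_of() {
    stat -c '%a' "$1"
}

# check_ssh_dir DIR: return 0 when DIR is mode 700, every file inside it is
# owned by the same user as DIR, and no file grants any group/other bits;
# return 1 otherwise (the condition behind "bad ownership or modes").
check_ssh_dir() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ "$(mode_of "$dir")" = "700" ] || return 1
    owner=$(stat -c '%u' "$dir")
    for f in "$dir"/*; do
        [ -e "$f" ] || continue          # empty directory: glob stays literal
        [ "$(stat -c '%u' "$f")" = "$owner" ] || return 1
        m=$(mode_of "$f")
        go=${m#"${m%??}"}                # last two octal digits: group/other
        [ "$go" = "00" ] || return 1
    done
    return 0
}

# fix_ssh_dir DIR: apply the post's chmod 700 / chmod 600 sequence, relabel
# for SELinux (the CentOS 6 bug), then re-run the check and return its result.
fix_ssh_dir() {
    dir=$1
    [ -d "$dir" ] || return 1
    chmod 700 "$dir" || return 1
    chmod 600 "$dir"/* 2>/dev/null       # no files yet is not an error
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -R "$dir" || return 1
    fi
    check_ssh_dir "$dir"
}

# Usage: ssh-check.sh [--fix] DIR   (defaults to ~/.ssh)
if [ "${1:-}" = "--fix" ]; then
    fix_ssh_dir "${2:-$HOME/.ssh}" && echo "repaired" || echo "still broken"
elif [ -n "${1:-}" ] || [ -d "$HOME/.ssh" ]; then
    check_ssh_dir "${1:-$HOME/.ssh}" && echo "ok" || echo "bad ownership or modes"
fi
```

Run it as the account that will be logging in, since the ownership check compares against the caller's directory, not against root.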
20-Jun-2014 03:20 AM - knnniggett
Thanks for the bug tip! That solved my problem. Strange thing is that my selinux came disabled out-of-the-box. Despite that, I still had to apply the mentioned "fix" to get root logins to use an ssh key.
20-Jun-2014 03:20 AM - Will
You mean to say create an SSH RSA key, not DSA.
20-Jun-2014 03:20 AM - James Bourne
Correct and corrected.
20-Jun-2014 03:20 AM - vjsroamingid
Thanks for the bug tip! I never had issue on any other distro but centos 6. Your tip helped me a lot.
The only strange thing is that out of 4 machines it always worked on a particular machine and not on others (prior to fix). CentOS 6 does not look to be stable if such a basic operation has bugs!
20-Jun-2014 03:20 AM - willowdan
Many thanks ... spent hours on this issue, then your site came out ...

20-Jun-2014 03:20 AM - Paul
Thanks for the tip. I have a question. All I did was put the authorized_keys file in place. It works great as expected. Once we set up the public key authentication, is there a way to block brute force attempts? What I mean is, does the act of setting up the public key ~force~ the use of the public key? Or can brute force password guessing still take place (on the root account I just installed the public key in)?
20-Jun-2014 03:20 AM - Itas
Thanks for the Bug tip :)!
20-Jun-2014 03:20 AM - Dach
Thank you, that fixed my problem.
20-Jun-2014 03:20 AM - CentOS 6 authorized_keys bug «
[...] by Ryan on Oct.09, 2012, under Linux, Servers, Sys Admin Thanks to the footnote here: [...]
20-Jun-2014 03:20 AM - Steve
Thank you for the note about CentOS/SELinux bug. I spent several hours tearing my hair out trying to figure out what I had misconfigured this time, after setting this up hundreds of times before without issue. Fixed SELinux and everything is working now. Thank you again!
20-Jun-2014 03:20 AM - Chris
Thanks for the bug tip with SELinux. That really helped me out as well. I couldn't figure out why I couldn't do ssh key logins!
20-Jun-2014 03:20 AM - Linux over clouds - CentOS 6.3 Server SSH 密钥登录
[...] If you often need to log in to a server over ssh, you can use key authentication so that you don't have to type a password every time. Server: CentOS 6.3; Client: ubuntu 1204 LTS. Client setup (root): #ssh-keygen  #generate the key pair; #ssh-copy-id root@centos-server-ip  #copy the public key to the server. Server-side setup (restore the selinux context of the /root/.ssh directory and the files under it): restorecon -R -v /root/.ssh. After that you can log in with ssh root@centos-server-ip (non-root users must use sudo, otherwise the private key files under /root/.ssh cannot be read). Once everything works, you can change PasswordAuthentication in /etc/ssh/sshd_config from yes to no: PasswordAuthentication no. References: 1. CentOS 6.3 release notes 2. Passwordless root SSH Public Key Authentication on CentOS 6 [...]
20-Jun-2014 03:20 AM - alfred
Also for me, I had worked on that issue for several days but couldn't find out why. Thanks for the bug tip that finally helped me resolve it.
20-Jun-2014 03:20 AM - Franck Horlaville
Just to help those who will tear their hair out - don't skip the permissions part!

Otherwise you can spend weeks typing your password in before thinking of looking up /var/log/secure

--> sshd[22000]: Authentication refused: bad ownership or modes for file /home/theuser/.ssh/authorized_keys

Thanks for a great page
20-Jun-2014 03:20 AM - Sators
Thanks for the bug tip on the CentOS 6 KeyAuth! Was exactly what I was looking for!
20-Jun-2014 03:20 AM - Vartika Sanat
Wonderful. The steps worked well.
20-Jun-2014 03:20 AM - shadeslayer
Thanks buddy, the bug fix is an excellent tip. Resolved my issue.
20-Jun-2014 03:20 AM - Building a CentOS 6.4 cluster | mikeinminnesota
[...] Get loginless ssh going:  You may need to reset SELinux.  On the target, do a “restorecon -R -v /root/.ssh” – see [...]
20-Jun-2014 03:20 AM - Tricky
Thanks for the SELinux tip. I'll add this to my Chef automation.
20-Jun-2014 03:20 AM - SELINUX – When you least expect it. « An Admin's Life For Me.
[...] Here is another recommended resource that pulled the same process. [...]
20-Jun-2014 03:20 AM - Mike
This is a very good article on SSH login without password. Here is another one that worked for me when I first started doing this. It's very simple, concise and easy to understand.