Saturday, July 27, 2013

Passwordless root SSH Public Key Authentication on CentOS 6

It's often useful to be able to SSH to other machines without being prompted for a password. Additionally, if you are using tools such as Parallel SSH you will need to set up public key SSH authentication. Setting it up is relatively straightforward:

On the client machine (i.e. the one you are SSH'ing from) you will need to create an SSH RSA key. Run the following command, and ensure you don't supply a passphrase:

[root@node01 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
c6:66:93:16:73:0b:bf:46:46:28:7d:a5:38:a3:4d:6d root@node01
The key's randomart image is:
+--[ RSA 2048]----+
|            .    |
|       . + o     |
|      . @ E      |
|       * & .     |
|      . S =      |
|       = + .     |
|          o      |
|         .       |
|                 |
+-----------------+

This will generate the following files:

[root@node01 ~]# cd ~/.ssh
[root@node01 .ssh]# ls -l
total 8
-rw-------. 1 root root 1675 Jul 27 15:01 id_rsa
-rw-r--r--. 1 root root  406 Jul 27 15:01 id_rsa.pub

On the client machine, tighten the file system permissions:

[root@node01 ~]# chmod 700 ~/.ssh
[root@node01 ~]# chmod 600 ~/.ssh/*
[root@node01 ~]# ls -ld ~/.ssh && ls -l ~/.ssh
drwx------. 2 root root 4096 Jul 27 15:01 /root/.ssh
-rw-------. 1 root root 1675 Jul 27 15:01 id_rsa
-rw-------. 1 root root  406 Jul 27 15:01 id_rsa.pub

Now copy the public key to the machine you want to SSH to and fix the permissions there (you will be prompted for the root password):

[root@node01 ~]# ssh root@node02 'mkdir -p /root/.ssh'
[root@node01 ~]# scp /root/.ssh/id_rsa.pub root@node02:/root/.ssh/authorized_keys
[root@node01 ~]# ssh root@node02 'chmod 700 /root/.ssh'
[root@node01 ~]# ssh root@node02 'chmod 600 /root/.ssh/*'

You can also use the ssh-copy-id utility to do the above steps. If you don't have scp on the remote machine, you will need to install it:

[root@node01 ~]# ssh root@node02 'yum install openssh-clients'

You should now be able to ssh directly from node01 to node02 without providing a password:

[root@node01 ~]# ssh node02
Last login: Wed Jul 27 15:41:56 2011 from
[root@node02 ~]#

IMPORTANT: There is a bug in CentOS 6 / SELinux that causes sshd to ignore every public key the client presents when SELinux is set to Enforcing. To fix this, simply restore the SELinux context of the remote .ssh directory:

[root@node01 ~]# ssh root@node02 'restorecon -R -v /root/.ssh'
restorecon reset /root/.ssh context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
restorecon reset /root/.ssh/authorized_keys context unconfined_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
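
The mkdir, scp, chmod and restorecon steps above can be collapsed into one idempotent script that runs on the target host. Unlike the scp step, it appends the key instead of overwriting authorized_keys, so keys already on the machine survive, and re-running it never adds a duplicate. This is an added example, not code from the original post; the function names `install_authorized_key`, `check_ssh_perms` and `count_authorized_keys` are chosen here, and the key in the usage comment is whatever ssh-keygen wrote to id_rsa.pub on the client.

```shell
#!/bin/sh
# Added example (not from the original post). Installs one public key into an
# authorized_keys file on the host where it runs, then sets the permissions
# sshd's StrictModes requires and relabels the directory as the post's fix does.
# Function names are chosen for this example.

install_authorized_key() {
    # $1: one public key line (the content of id_rsa.pub); $2: target .ssh dir
    key="$1"
    sshdir="$2"
    auth="$sshdir/authorized_keys"

    # Create dir and file owner-only; the subshell keeps the umask change local.
    ( umask 077; mkdir -p "$sshdir"; touch "$auth" )

    # Append only if this exact line is not already present (-F literal,
    # -x whole line), so re-running never duplicates and never drops other keys.
    if ! grep -qxF -- "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi

    chmod 700 "$sshdir"
    chmod 600 "$auth"

    # Same fix as the post: restore the SELinux context so sshd can read the
    # file under Enforcing. Skipped silently on systems without restorecon.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -R "$sshdir" >/dev/null 2>&1 || true
    fi
}

check_ssh_perms() {
    # Succeeds when the directory is 700 and authorized_keys is 600. Parses ls
    # output so it works without GNU stat; cut -c1-10 drops the SELinux '.'.
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -l "$1/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}

count_authorized_keys() {
    # Number of key lines in an authorized_keys file (blank and comment lines ignored).
    grep -cvE '^[[:space:]]*(#|$)' "$1"
}

# Usage from the client, replacing the scp/chmod/restorecon sequence. The key
# is single-quoted so the remote shell keeps it as one argument:
#   ssh root@node02 "sh -s -- '$(cat ~/.ssh/id_rsa.pub)' /root/.ssh" < this_script.sh
if [ $# -ge 1 ]; then
    install_authorized_key "$1" "${2:-$HOME/.ssh}"
fi
```

With StrictModes (on by default) sshd refuses to read an authorized_keys file, or .ssh directory, that is writable by group or others, so `check_ssh_perms` is a quick first thing to run on the target when a key is still being ignored.
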
15-Jul-2014 10:28 AM - Anonymous
the only guide that actually worked! i think i was affected by that bug! thanks a whole bunch
23-Aug-2014 05:53 AM - Johan
I follow the instructions precisely but I am always prompted for a password.
If I set sshd_config "PasswordAuthentication no" the connection is rejected.
I have selinux disabled on the target machine.

This is what happens when I try to connect:
[root@<client> .ssh]# ssh -v
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to [] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:14
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).

Can anyone please post the matching sshd_config on the target machine?
04-Sep-2014 01:53 PM - hater
The CentOS hint is pretty good, but you should change the documentation so that it does not replace authorized_keys with the id_rsa.pub and instead adds the pubkey to authorized_keys. If there are already other keys in the authorized_keys file, they get overwritten by your method.
16-Oct-2014 10:17 PM - pmhargis
For CentOS 6.5, I also had to edit the /etc/ssh/sshd_config file and add this line:

PermitRootLogin without-password
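
A line like the one pmhargis added only takes effect if no earlier, uncommented PermitRootLogin already appears in the file: sshd uses the first value it reads for each keyword, so appending to the end of sshd_config can silently lose to an existing directive. The function below, an added example that is not part of the post or its comments, prints the value sshd would actually use for a keyword in a given config file. It stops at the first Match block (so it assumes the directive of interest sits in the global section), and the sample configuration it is run against is constructed.

```shell
#!/bin/sh
# Added example (not from the original post or comments). Reports the value
# sshd will use for a keyword in an sshd_config file: the FIRST uncommented
# occurrence wins, keywords are case-insensitive, "Key value" and "Key=value"
# are both accepted, and anything after the first Match block is conditional
# and ignored here. Function names are chosen for this example.

sshd_effective() {
    # $1: path to an sshd_config; $2: keyword, e.g. PermitRootLogin
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }                   # comments and blank lines
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            # split on whitespace, or on an = with optional surrounding space
            n = split(line, f, /[[:space:]]*=[[:space:]]*|[[:space:]]+/)
            k = tolower(f[1])
            if (k == "match") exit                       # rest is conditional
            if (k == key) {
                v = f[2]
                for (i = 3; i <= n; i++) v = v " " f[i]  # multi-value directives
                print v
                exit
            }
        }
    ' "$1"
}

# Constructed sample: a commented default, the line from the comment above,
# and a later conflicting line that sshd ignores because it comes second.
SAMPLE_SSHD_CONFIG='# constructed sample, not from the original post
#PermitRootLogin yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
PermitRootLogin without-password
PasswordAuthentication=no
PermitRootLogin yes
Match User deploy
    PermitRootLogin no'

# Writes the sample to a temp file and returns the effective value for $1.
sample_effective() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$f"
    sshd_effective "$f" "$1"
    rm -f "$f"
}
```

On the target machine, `sshd_effective /etc/ssh/sshd_config PermitRootLogin` shows which value wins before you restart sshd; if it prints `no` or `yes` from a line higher up, edit that line rather than adding another one. Newer OpenSSH releases can also dump the effective configuration with `sshd -T`.
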
06-Feb-2015 02:15 PM - Anonymous
Thanks for the bug tip. It saved a lot of time.
03-Apr-2015 05:59 PM - DM
Thanks so much for the restorecon -R -v /root/.ssh fix
07-May-2015 04:38 AM - Asep Saepuloh
Thanks, it works
16-Sep-2015 03:37 PM - Cezariusz
Thank you for the information about the SELinux bug. I've spent hours trying to figure out what I was doing wrong.
