SSH Passwordless Login across your LAN


Re: SSH Passwordless Login across your LAN
« Reply #3 on: September 09, 2016, 11:26:53 AM »
 

Jerry

  • Linux Lite Creator
  • Administrator
Yes, both service commands work, I got no errors in the terminal here. One of my servers updates automatically once a day, so my server will be up to date. I'll edit the tutorial and add the systemd command. Cheers :)
 

Re: SSH Passwordless Login across your LAN
« Reply #2 on: September 09, 2016, 11:23:52 AM »
 

trinidad

I may be wrong here Jerry, but doesn't Xenial ssh server use systemd syntax commands? For example isn't the command - sudo service ssh restart now in the syntax - sudo systemctl restart ssh, though perhaps both work in some cases, but they did not both work for me when I tested both. Also the /etc/ssh/sshd_configure file reads differently for example - PermitRootLogin: prohibit -password. Perhaps my ssh server is a newer version? I'll be using and posting the systemd syntax in the next tutorial which will include key generation, and ssh tunnel with x11vnc and Remmina.

TC
All opinions expressed and all advice given by Trinidad Cruz on this forum are his responsibility alone and do not necessarily reflect the views or methods of the developers of Linux Lite. He is a citizen of the United States where it is acceptable to occasionally be uninformed and inept as long as you pay your taxes.
 

SSH Passwordless Login across your LAN
« Reply #1 on: September 05, 2016, 06:20:59 AM »
 

Jerry

Why use SSH Passwordless Login instead of your good ole password?
Simple, the chances to crack a high bit key are effectively zero (insert NSA paranoia here), while bad passwords are all too common, let alone people brute-forcing your server.

Client = Linux Lite
Server = Ubuntu Server only

1. On the client, generate a key pair:

Code:
ssh-keygen -t rsa -b 4096

Choose a very strong password (10 or more characters - letters, upper & lower case, numbers and characters e.g. %^#*)

This will give you 2 files, id_rsa and id_rsa.pub with 4096 bit encryption.

2. On the Server do:

Code:
mkdir .ssh
touch .ssh/authorized_keys
nano .ssh/authorized_keys

Copy the contents of id_rsa.pub from your client into authorized_keys on the Server, then Save with Ctrl+o and Ctrl+x.

3. Change permissions of 'authorized_keys' and the '.ssh' folder on the Server to:

Code:
chmod 700 ~/.ssh/
chmod 600 ~/.ssh/authorized_keys

Do: ls -l .ssh on the server, it should read:

Code:
-rw------- 1 user user 744 Sep  5 21:41 authorized_keys

4. On the Server do:

Code:
sudo nano /etc/ssh/sshd_config

Change:

Code:
#PasswordAuthentication yes

to

Code:
PasswordAuthentication no

and the following to:

Code:
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes

In the same file, change the port number from 22 to a 4 digit number eg. 7685 (this should avoid someone brute-forcing your server, you could strengthen more via your firewall, but that's another tutorial)

Save with Ctrl+o and Ctrl+x.

5. On the Server do:

Code:
sudo systemctl restart ssh

or

Code:
sudo service ssh restart

6. On the Client:

Code:
ssh-add -k ~/.ssh/id_rsa

Enter key password/s when prompted.

7. Create the following file in your home folder:

Code:
touch .bash_profile
nano .bash_profile

Copy the following into the file:

Code:
# Start an agent and load the default key only when no agent is already available
if [ -z "$SSH_AUTH_SOCK" ] ; then
  eval "$(ssh-agent -s)"
  ssh-add
fi

This will ensure you're not asked for your ssh passphrase after a reboot.

Connect to Server with:

Code:
ssh -p 7685 [email protected]

Should work on a WAN too, just remember to port forward 7685 on your Router if you want to connect from the outside.

Folks are welcome to add additional security tips to this thread providing they work with the above set up.
« Last Edit: September 11, 2016, 05:23:12 AM by Jerry »
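
A check for steps 3 and 4 of the tutorial above, as an added example that is not part of the original post: it reads an sshd_config the way sshd does (first value for a keyword wins, commented lines fall back to the default) and verifies the file modes. The function names, the sample files and the defaults (taken from OpenSSH 7.x) are assumptions, and `check_mode` relies on GNU `stat`.

```shell
#!/bin/sh
# Added example, not from the thread. Defaults below are assumed from OpenSSH 7.x.

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the FIRST value it reads for a keyword; keywords are
# case-insensitive and a '#' line is a comment (the default then applies).
effective_value() {
    awk -v key="$2" -v def="$3" '
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }      # conditional blocks: out of scope
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# expect_value FILE KEYWORD DEFAULT WANTED: report when the effective value differs.
expect_value() {
    got=$(effective_value "$1" "$2" "$3")
    [ "$got" = "$4" ] && return 0
    echo "FAIL: $2 is '$got', the tutorial sets '$4'"
    return 1
}

# audit_sshd_config FILE: prints findings, returns how many there were.
audit_sshd_config() {
    fails=0
    expect_value "$1" PasswordAuthentication yes no || fails=$((fails + 1))
    expect_value "$1" PermitRootLogin prohibit-password no || fails=$((fails + 1))
    expect_value "$1" PubkeyAuthentication yes yes || fails=$((fails + 1))
    if [ "$(effective_value "$1" Port 22)" = "22" ]; then
        echo "FAIL: Port is still 22"; fails=$((fails + 1))
    fi
    return "$fails"
}

# check_mode PATH OCTAL: true when the mode matches (GNU stat, as on Ubuntu).
check_mode() { [ "$(stat -c %a "$1" 2>/dev/null)" = "$2" ]; }

# Constructed sample files, so nothing on a real server is touched.
demo_dir=$(mktemp -d)
printf '%s\n' '#PasswordAuthentication yes' 'Port 22' > "$demo_dir/before"
printf '%s\n' 'Port 7685' 'PasswordAuthentication no' 'PermitRootLogin no' \
    'PubkeyAuthentication yes' > "$demo_dir/after"
mkdir "$demo_dir/.ssh" && : > "$demo_dir/.ssh/authorized_keys"
chmod 700 "$demo_dir/.ssh" && chmod 644 "$demo_dir/.ssh/authorized_keys"

echo "before:"; audit_sshd_config "$demo_dir/before" || echo "  $? finding(s)"
echo "after:";  audit_sshd_config "$demo_dir/after" && echo "  no findings"
check_mode "$demo_dir/.ssh" 700 && echo ".ssh is 700"
check_mode "$demo_dir/.ssh/authorized_keys" 600 || echo "FAIL: authorized_keys is not 600"
```

On a real server, point `audit_sshd_config` at /etc/ssh/sshd_config; `sudo sshd -T` prints the configuration sshd actually resolved and is the authoritative check.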
 

 
