RHEL7: Configure SSH key-based authentication.


Note: This is an RHCSA 7 exam objective and an RHCE 7 exam objective.

Presentation

Instead of connecting to a remote host with a login and password, SSH lets you use key-based authentication. To set up key-based authentication, you need two virtual or physical servers, called server1 and server2 here.

Configuration Procedure

On server1, create a user user01 with password user01:

# useradd user01
# passwd user01
Changing password for user user01.
New password: your password
Retype new password: your password
passwd: all authentication tokens updated successfully.

On server2, create the same user with password user01:

# useradd user01
# passwd user01
Changing password for user user01.
New password: your password
Retype new password: your password
passwd: all authentication tokens updated successfully.

On server1, connect as this new user:

# su - user01

Generate a private/public key pair for key-based authentication (here an RSA key with 2048 bits and no passphrase):

[user01@server1 ~]$ ssh-keygen -b 2048 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user01/.ssh/id_rsa): return
Created directory '/home/user01/.ssh'.
Enter passphrase (empty for no passphrase): return
Enter same passphrase again: return
Your identification has been saved in /home/user01/.ssh/id_rsa.
Your public key has been saved in /home/user01/.ssh/id_rsa.pub.
The key fingerprint is:
6d:ac:45:32:34:ac:da:4a:3b:4e:f2:83:85:84:5f:d8 user01@server1.example.com
The key's randomart image is:
+--[ RSA 2048]----+
|       .o        |
|       ...       |
| . o   .o .      |
|. o E .  *       |
| o o o  S =      |
|  o + .  +       |
|  .+.o  .        |
|  .+=            |
|   .oo           |
+-----------------+

Still on server1, copy the public key to server2.

[user01@server1 ~]$ ssh-copy-id -i .ssh/id_rsa.pub user01@server2.example.com
The authenticity of host 'server2.example.com (192.168.1.49)' can't be established.
ECDSA key fingerprint is 67:79:67:88:7f:da:31:49:7b:dd:ed:40:af:ae:b6:ae.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user01@server2.example.com's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'user01@server2.example.com'"
and check to make sure that only the key(s) you wanted were added.

On server2, edit the /etc/ssh/sshd_config file and set the following options:

PasswordAuthentication no
PubkeyAuthentication yes

Note: Don’t hesitate to set up virtual console access on server2. This avoids having to re-install the physical/virtual server if something goes wrong.

Restart the sshd service:

# systemctl restart sshd
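
A check worth running on a copy of /etc/ssh/sshd_config before the restart above, added here as an example (not part of the original tutorial): sshd uses the first value it obtains for each keyword, so a `PasswordAuthentication no` line appended below an existing `PasswordAuthentication yes` has no effect. The function names and the sample files are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Function names are hypothetical.
# sshd_config keywords are case-insensitive and the first value obtained wins.
# Only the global section is read: parsing stops at the first Match block.
effective_sshd_option() {   # usage: effective_sshd_option FILE KEYWORD DEFAULT
    awk -v want="$2" -v def="$3" -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }           # drop indentation; awk re-splits $0
        /^(#|$)/ { next }                # skip comments and blank lines
        { key = tolower($1); val = tolower($2); gsub(/"/, "", val) }
        key == "match" { exit }          # conditional blocks are not global
        key == tolower(want) { found = 1; print val; exit }
        END { if (!found) print def }    # keyword absent: built-in default
    ' "$1"
}

check_key_only() {          # returns 0 when the two options match the tutorial
    pw=$(effective_sshd_option "$1" PasswordAuthentication yes)
    pk=$(effective_sshd_option "$1" PubkeyAuthentication yes)
    rc=0
    [ "$pw" = "no" ]  || { echo "FAIL: PasswordAuthentication is '$pw'"; rc=1; }
    [ "$pk" = "yes" ] || { echo "FAIL: PubkeyAuthentication is '$pk'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: global section enforces key-only login"
    return "$rc"
}

# Constructed sample files: options appended at the end vs. edited in place.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '#PubkeyAuthentication yes' 'PasswordAuthentication yes' \
    'UsePAM yes' 'PasswordAuthentication no' 'PubkeyAuthentication yes' \
    > "$demo_dir/appended.conf"
printf '%s\n' 'PubkeyAuthentication yes' 'passwordauthentication no' \
    > "$demo_dir/edited.conf"
check_key_only "$demo_dir/appended.conf" || true   # earlier "yes" still wins
check_key_only "$demo_dir/edited.conf"   || true   # global section passes
```

On server2 itself, `sshd -t` checks the file for syntax errors and `sshd -T` prints the effective configuration as root. Keep the current session open until a new key-based login has succeeded.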

Testing Time

On server1, as user01, connect to server2:

[user01@server1 ~]$ ssh server2.example.com

Note 1: This configuration can also be done for the root account.
Note 2: Use the -v, -vv, or -vvv options to get some debug information.


8 Comments on "RHEL7: Configure SSH key-based authentication."

wzjordan (Member)

Thank you, this is the best guide I’ve seen for this task. I’ll be using this site more in the future to prepare for my RHCSA.

redhat0329 (Member)

Hi CertDepot,

I think it is also advisable to set the “PermitRootLogin” to “no” on server2 based on your example? Don’t know if this is a good idea and if I will do this on the exam.

alexritm (Member)

Hello,
I cannot ssh-copy-id for user created on IPA server (ipa user-add). I can't even log in via SSH under this user. For local users it works.
Is it a problem in terms of the exam? Should I dig into it?

alexritm (Member)

Is it necessary to know SSH agent configuration steps?
