Passwordless SSH on CentOS

The CentOS wiki page misses out a crucial step in setting up passwordless SSH.

Whilst the wiki provides most of the information required to set up passwordless SSH on CentOS, namely:

  • Creating SSH keys
  • Setting key permissions correctly
  • Ensuring correct SELinux contexts
  • Setting “PasswordAuthentication no” in /etc/ssh/sshd_config

If there is a problem with the key then this setup will still go ahead and ask for a password when trying to connect via SSH. Which is probably not what you want if you are trying to turn off password authentication. To resolve this you must again edit /etc/ssh/sshd_config and set:

ChallengeResponseAuthentication no

By default it is set to ‘yes’ (this is an interesting difference between CentOS and Ubuntu).

Don’t forget to restart the SSH service after making changes otherwise they won’t be updated:

sudo service sshd restart

 

Further problems:
If you still cannot connect using your SSH key there is very likely a permissions problem. Your ‘ssh’ folder should have read, write and execute permission for the owner only (700) and the ‘authorized_keys’ file should have read and write permissions for the owner only (600):

sudo chmod 700 /home/USER/.ssh
sudo chmod 600 /home/USER/.ssh/authorized_keys

I’ve also seen the problem that the home directory permissions are not set correctly (which will also cause the passwordless SSH to fail). There are a number of discussions online about what the ‘correct’ permissions for the home directory should be (here for example) but the default values will work for SSH:

sudo chmod 755 /home/USER/

If you still have a problems you can look at the verbose output of the SSH command (e.g. ssh user@address -v) and also check the SSH logs on the machine you are trying to connect to:

In Ubuntu:

tail -F /var/log/auth.log

In CentOS:

tail -F /var/log/secure

 

This entry was posted in Linux. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.