Passwordless root SSH Public Key Authentication on CentOS 6

It’s often useful to be able to SSH to other machines without being prompted for a password. Additionally, if you are using tools such as Parallel SSH you will need to set up Public Key SSH Authentication. Setting it up is relatively straightforward:

1. On the client machine (i.e. the one you are SSH’ing from) you will need to create an SSH RSA key. Run the following command and ensure you don’t supply a passphrase:

[root@node01 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
c6:66:93:16:73:0b:bf:46:46:28:7d:a5:38:a3:4d:6d root@node01
The key's randomart image is:
+--[ RSA 2048]----+
|            .    |
|       . + o     |
|      . @ E      |
|       * & .     |
|      . S =      |
|       = + .     |
|          o      |
|         .       |
|                 |
+-----------------+

This will generate the following files:

[root@node01 ~]# cd ~/.ssh
[root@node01 .ssh]# ls -l
total 8
-rw-------. 1 root root 1675 Jul 27 15:01 id_rsa
-rw-r--r--. 1 root root  406 Jul 27 15:01 id_rsa.pub

3. On the client machine tighten up file system permissions thus:

[root@node01 ~]# chmod 700 ~/.ssh
[root@node01 ~]# chmod 600 ~/.ssh/*
[root@node01 ~]# ls -ld ~/.ssh && ls -l ~/.ssh
drwx------. 2 root root 4096 Jul 27 15:01 /root/.ssh
-rw-------. 1 root root 1675 Jul 27 15:01 id_rsa
-rw-------. 1 root root  406 Jul 27 15:01 id_rsa.pub

4. Now copy the public key to the machine you want to SSH to and fix permissions (you will be prompted for the root password):

[root@node01 ~]# ssh root@node02 'mkdir -p /root/.ssh'
[root@node01 ~]# scp /root/.ssh/id_rsa.pub root@node02:/root/.ssh/authorized_keys
[root@node01 ~]# ssh root@node02 'chmod  700 /root/.ssh'
[root@node01 ~]# ssh root@node02 'chmod  600 /root/.ssh/*'

You can also use the utility ssh-copy-id to do the above steps. If you don't have scp on the remote machine you will need to install it:

[root@node01 ~]# ssh root@node02 'yum install openssh-clients'

You should now be able to ssh directly from node01 to node02 without providing a password:

[root@node01 ~]# ssh node02
Last login: Wed Jul 27 15:41:56 2011 from 10.255.5.57
[root@node ~]#

IMPORTANT

There is a bug in CentOS 6 / SELinux that results in all client-presented public keys being ignored when SELinux is set to Enforcing. To fix this, simply restore the SELinux context of /root/.ssh on node02:

[root@node01 ~]# ssh root@node02 'restorecon -R -v /root/.ssh'
restorecon reset /root/.ssh context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
restorecon reset /root/.ssh/authorized_keys context unconfined_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
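
An added example (not part of the original article): the scp in step 4 replaces any authorized_keys file already on node02, so the helper below appends the key only if it is missing, applies the same modes, and audits the directory for the conditions behind sshd's "bad ownership or modes" refusal. The function names are illustrative and GNU stat is assumed, as on CentOS.

```shell
#!/bin/sh
# Added example, not from the original article; function names are illustrative.

# install_pubkey PUBKEY_FILE SSH_DIR
# Append the key to SSH_DIR/authorized_keys only if that exact line is not
# already there, so keys installed earlier are kept (scp would replace them).
install_pubkey() {
    pub=$1; dir=$2; auth=$dir/authorized_keys
    [ -s "$pub" ] || { echo "no public key at $pub" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # Make sure an existing file ends in a newline before appending.
    [ -z "$(tail -c 1 "$auth")" ] || echo >> "$auth"
    grep -qxF -f "$pub" "$auth" || cat "$pub" >> "$auth"
    # Best-effort SELinux relabel, the same fix the article applies by hand.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -R "$dir" 2>/dev/null || true
    fi
}

# audit_ssh_dir SSH_DIR [OWNER_UID]
# Report what makes sshd log "bad ownership or modes": an owner other than the
# user or root, or group/other write bits on the directory or authorized_keys.
# Also flag private keys accessible to group/other, which the ssh client
# refuses to use. Prints one line per finding; returns 0 when clean, else 1.
audit_ssh_dir() {
    dir=$1; uid=${2:-$(id -u)}; rc=0
    for p in "$dir" "$dir/authorized_keys"; do
        [ -e "$p" ] || { echo "MISSING $p"; rc=1; continue; }
        o=$(stat -c %u "$p")
        [ "$o" = "$uid" ] || [ "$o" = 0 ] || { echo "OWNER $p"; rc=1; }
        case $(stat -c %a "$p") in
            # Octal digits 2, 3, 6, 7 carry the write bit (group, then other).
            *[2367]?|*[2367]) echo "WRITABLE $p"; rc=1 ;;
        esac
    done
    for k in "$dir"/id_*; do
        case $k in *.pub) continue ;; esac
        [ -f "$k" ] || continue
        case $(stat -c %a "$k") in
            *00|0) ;;                       # no group/other access
            *) echo "EXPOSED $k"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run install_pubkey on the server side against /root/.ssh, and audit_ssh_dir on either machine when key logins silently fall back to a password prompt.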

Wednesday, July 27th, 2011 FireDaemon Tips & Tricks

25 Comments to Passwordless root SSH Public Key Authentication on CentOS 6

knnniggett
August 14, 2011

Thanks for the bug tip! That solved my problem. Strange thing is that my selinux came disabled out-of-the-box. Despite that, I still had to apply the mentioned “fix” to get root logins to use an ssh key.

Will
August 18, 2011

You mean to say create an SSH RSA key, not DSA.

H4nd0
August 18, 2011

Correct and corrected.

vjsroamingid
September 10, 2011

Thanks for the bug tip! I never had an issue on any other distro but CentOS 6. Your tip helped me a lot.
The only strange thing is that out of 4 machines it always worked on a particular machine and not on others (prior to fix). CentOS 6 does not look to be stable if such a basic operation has bugs!

willowdan
February 26, 2012

Many thanks … spent hours on this issue, then your site came out …

Cheers!

Paul
July 29, 2012

Thanks for the tip. I have a question. All I did was put the authorized_keys file in place. It works great as expected. Once we set up the public key authentication, is there a way to block brute force attempts? What I mean is, does the act of setting up the public key ~force~ the use of the public key? Or can brute force password guessing still take place (on the root account I just installed the public key in)?

Itas
September 3, 2012

Thanks for the Bug tip :) !

Dach
September 7, 2012

Thank you, this fixed my problem.

Steve
October 13, 2012

Thank you for the note about CentOS/SELinux bug. I spent several hours tearing my hair out trying to figure out what I had misconfigured this time, after setting this up hundreds of times before without issue. Fixed SELinux and everything is working now. Thank you again!

Chris
December 18, 2012

Thanks for the bug tip with SELinux. That really helped me out as well. I couldn’t figure out why I couldn’t do ssh key logins!

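[...] If you often need to log in to a server over SSH, you can use key-based authentication so that you don't have to enter a password each time. Server: CentOS 6.3; Client: ubuntu 1204 LTS. Client setup (root): #ssh-keygen                           #generate the key pair #ssh-copy-id root@centos-server-ip    #copy the public key to the server. Server setup (restore the SELinux context of the /root/.ssh directory and the files under it): restorecon -R -v /root/.ssh. You can then log in with ssh root@centos-server-ip (non-root users need sudo, otherwise the private key file under /root/.ssh cannot be read). Once everything works, you can change PasswordAuthentication in /etc/ssh/sshd_config from yes to no: PasswordAuthentication no. References: 1. CentOS 6.3 Release Notes 2. Passwordless root SSH Public Key Authentication on CentOS 6 [...]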

alfred
January 16, 2013

Also for me, I have worked on that issue for several days but couldn’t find out why. Thanks for the bug tip that finally helped me resolve it.

Franck Horlaville
February 2, 2013

Just to help those who will tear their hair out – don’t skip the permissions part !

Otherwise you can spend weeks typing your password in before thinking of looking up /var/log/secure

–> sshd[22000]: Authentication refused: bad ownership or modes for file /home/theuser/.ssh/authorized_keys

Thanks for a great page

Sators
May 25, 2013

Thanks for the bug tip on the CentOS 6 KeyAuth! Was exactly what I was looking for!

Vartika Sanat
June 2, 2013

Wonderful. The steps worked well.

shadeslayer
June 27, 2013

Thanks buddy, the bug fix is an excellent tip. Resolved my issue.

Tricky
August 9, 2013

Thanks for the SELinux tip. I’ll add this to my Chef automation.

togusav
November 22, 2013

CentOS 6 bug GRRRRRRRRRRRRRRR

Tx

Mike
January 16, 2014

This is a very good article on SSH login without password. Here is another one that worked for me when I first started doing this. It’s very simple, concise and easy to understand. http://tinyurl.com/m9ztegw
