Passwordless SSH Logins with SSH Keys

July 10, 2023

Login with SSH Key

Use keyfile logins when possible, and even disable password logins over SSH, to ensure that connections come only from authorized machines. You generate the key pair on the client machine and copy the public key to the server; the private key stays on the client.

Keyfile logins can be used in CI/CD pipelines by adding the public key as a variable to the CI/CD build machine.

Here’s how to set it up:

  1. On the client machine (the machine that you want to use to access resources from a server or build machine), create an SSH Key pair.

    ssh-keygen -t rsa
    Enter file in which to save the key (/Users/clientMachineUser/.ssh/id_rsa): 
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    

    You can give the keyfile a name, or just accept the default (id_rsa). The matching public key (id_rsa.pub) is the file you transfer to each target machine that the client needs to access.

    A passphrase will slow your login down a bit. Don’t include one in your CI/CD pipeline, although an SSH passphrase can be added as a GitLab variable.

  2. Copy the public key to the server using scp:

    scp ~/.ssh/id_rsa.pub pete@192.168.0.229:~
    
  3. SSH into the server computer using password auth one last time:

    ssh pete@192.168.0.229
    Password:
    
    # If the .ssh dir and authorized_keys file already exist,
    # skip the next two commands:
    mkdir -p ~/.ssh
    touch ~/.ssh/authorized_keys
    
    # copy the contents of the public key into an authorized_keys file:
    cat ~/id_rsa.pub >> ~/.ssh/authorized_keys 
    tail ~/.ssh/authorized_keys 
    
    # remove the public key from the server.
    rm ~/id_rsa.pub
    
    # return to client machine
    exit
    
  4. On your client machine, edit (or create) an .ssh/config file that references the IdentityFile location, along with the connection details and a short name for the connection. For example:

    Host servermachine
            HostName 192.168.0.229
            User pete
            IdentityFile ~/.ssh/id_rsa
    
  5. On your client machine, test the connection with the new, simplified connection string: ssh servermachine

  6. If you have set a passphrase for the key, you have to enter it, much as you previously had to enter a password. This measure does increase the security of the connection.

    ssh servermachine
    Enter passphrase for key '/Users/clientMachineUser/.ssh/id_rsa': 
    
  7. If you want to disable password authentication for SSH (ensuring that only registered client machines can access the server), edit the /etc/ssh/sshd_config file and set PasswordAuthentication to no.

    PasswordAuthentication no
    

    Then restart the SSH service. The command depends on the OS of the server, for example: service ssh restart

    There are also more advanced things you can do with these sshd_config settings, such as disabling root login. See this article for more information.
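A check for step 7, added here as an example and not part of the original post: sshd uses the first value it reads for a keyword, so a `PasswordAuthentication no` line placed below an earlier `yes` has no effect. The function names and the sample config are assumptions made for this illustration.

```shell
#!/bin/sh
# sshd keeps the FIRST value it reads for a keyword, so a
# "PasswordAuthentication no" added below an earlier "yes" changes nothing.
# Scope of this sketch: one file, global section only. Include files are
# not followed and Match blocks are not evaluated.

# Print the first global-scope value of KEYWORD in FILE, or "unset".
# Keywords are matched case-insensitively; the value is printed as written.
first_global_value() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        NF == 0 || $1 ~ /^#/ { next }        # blank line or comment
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == want { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$2"
}

# Succeed only if FILE explicitly disables password logins at global scope.
# "unset" fails because sshd defaults PasswordAuthentication to yes.
password_logins_disabled() {
    [ "$(first_global_value PasswordAuthentication "$1")" = "no" ]
}

# Constructed sample: the edit from step 7 was appended at the bottom,
# below a line that already enabled password logins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
Port 22
PasswordAuthentication yes
PermitRootLogin no
passwordauthentication no
EOF

if password_logins_disabled "$sample"; then
    echo "password logins disabled"
else
    echo "password logins still enabled, first value read:" \
         "$(first_global_value PasswordAuthentication "$sample")"
fi
rm -f "$sample"
```

For the authoritative answer on the server, including Include files, run `sshd -T` as root and read its `passwordauthentication` line. Running `sshd -t` before restarting the service catches syntax errors while your current session is still open.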

So that’s cool. You are ready for setting up CI/CD pipelines that automatically log into your build machine to start using resources. Or, you have just set up an easy keyword to log into that server for performing Server Sync and backup tasks.