How to set up passwordless SSH access for root user
I need to configure a machine so software installation can be automated remotely via SSH. Following the wiki, I was able to setup SSH keys so my user can access the machine without a password, but I still need to manually enter my password when I use
sudo, which obviously an automated process shouldn't have to do.
PermitRootLogin yes, I can't seem to be able to log in as root, presumably because it's not a "real" account with a separate password.
How do I configure SSH keys, so a process can remotely log in as root on Ubuntu?
If you automate installation from a central machine, you can limit the scope of the key so it will only be accepted from the given host. Simply prefix the line in authorized_keys with from="host.ip.goes.here" ssh-rsa [...]
At the end of the day, this question has a poor title. The user can already log in via ssh with a key without a password but now wants to run sudo without a password. I revised the answer to address both issues as this question is linked as how to generate a paswordless ssh key (due to poor title).
Part 1 : SSH key without a password
To set up a passwordless SSH connection for the root user you need to have root access on the server. Easiest method is to temporarily allow root to log in over ssh via password. One way or another you need root access on the server to do this. If you do not have root access on the server, contact the server administrator for help.
On the client (where you ssh FROM)
First make a ssh key with no password. I highly suggest you give it a name rather then using the default
ssh-keygen -f foo
The -f option specifies a file name, foo is an example, use whatever name you wish.
When you are prompted for a password, just hit the enter key and you will generate a key with no password.
Next you need to transfer the key to the server. Easiest method is to use
ssh-copy-id. To do this you must temporarily allow root to ssh into the server.
On the server (where you ssh TO)
sudo nano /etc/ssh/sshd_config
Make sure you allow root to log in with the following syntax
PasswordAuthentication yes PermitRootLogin yes
Restart the server
sudo service ssh restart
Set a root password, use a strong one
On the client :
From the client, Transfer the key to the server
ssh-copy-id -i ~/.ssh/foo [email protected]
change "foo" the the name of your key and enter your server root password when asked.
Test the key
ssh -i ~/.ssh/foo [email protected]
Assuming it works, unset a root password and disable password login.
On the server :
sudo passwd -l root
sudo nano `/etc/ssh/sshd_config`
Change the following :
PasswordAuthentication no PermitRootLogin without-password
Restart the server
sudo service ssh restart
On the client (Test):
You should now be able to ssh in with your key without a password and you should not be able to ssh in as any user without a key.
ssh -i ~/.ssh/foo [email protected]
Part 2 : Running commands via sudo without entering a password
You configure sudo to allow you to run commands without a password.
This is answered here in two places:
Of the two, I suggest allowing as few commands as possible (first answer) rather then all commands (second answer).
@Ashimema for sudo -i see https://ubuntuforums.org/showthread.php?t=1817402 and https://askubuntu.com/questions/376199/sudo-su-vs-sudo-i-vs-sudo-bin-bash-when-does-it-matter-which-is-used and https://help.ubuntu.com/community/RootSudo#Special_notes_on_sudo_and_shells
@Ashimema - so you make a key ? Where did you make the key ? On the server ? so how does the client machine get the key ? On the client? so how does the key get to the server ? The "proper" ie easiest method is to make the key on the client machine (does not require root) and use `ssh-copy-id` to transfer the key to the server.
That escalated fast. Personally, I'm not impressed by the complete rewrite from a number of angles but as I'm not a regular contributor here anymore I'm really not in the frame of mind for further trolling. Thank you for linking to `sudo -i` information, it was an interesting read.
'Make a key'.. original questions clearly stated they had already made a key and linked to documentation on how.
ssh-copy-id by default does add the users public key to /root/.ssh/authorized_keys.. so you've clearly not answered my question of how you accomplish passwordless ssh to root without the key being present in /root/ssh/authorize_keys
I was asked to re-write the answer. If you do not like it, revert the changes I made, that is fine with me. `ssh-copy-id` will add the public key to authorized_keys when you sign (log) in via password authentication, this is what ssh-copy-id does. Not to be rude, but your answer was poor quality as you do not need to use sudo to make the key, you did not explain how to transfer the key between server and client, and you do not seem to understand what ssh-copy-id does. I flagged your answer as poor quality and was asked to re-write it.
ssh-copyid is the easiset method to transfer keys between client and server and does not require physical transfer (flash drive), or manually editing authorized_keys. See https://www.ssh.com/ssh/copy-id "Once an SSH key has been created, the ssh-copy-id command can be used to install it as an authorized key on the server." and "This logs into the server host, and copies keys to the server, and configures them to grant access by adding them to the authorized_keys file. The copying may ask for a password or other authentication for the server."
Trying to move discussion to meta - https://meta.askubuntu.com/questions/17246/updated-an-question-answer
You are confusing two different things:
passwordless log is used to make sure that people can't log into your system remotely by guessing your password. If you can ssh [email protected] and connect without a password, this is set up correctly, and has nothing else to do with this.
sudois used to permit a normal user account to do something with super user permissions. This does require the user to type their password. This happens whether you are connected remotely (via passwordless or password-protected SSH) or are local on the machine. You are trying to set
sudoto not ask for your password, which is not recommended, but you can learn how to do that via an answer like https://askubuntu.com/a/74083/6161
Note to future readers of this answer:
My above answer does not answer the original poster's actual question, it describes what you should do instead. If you really want to allow remote connections directly to the root account, you need to enable the root account (see my comment below). Again, let me say DO NOT allow remote remote log-ins to your root account.
You're misunderstanding me. I know the difference between SSH and sudo. The problem is that I'm unable to ssh using [email protected] Using my "normal" account and adding it to my sudoers file would accomplish the same thing, but I was trying to do it solely through SSH. This is possible in Redhat based distros. I take your answer to mean this is not possible in Debian based distros.
@Cerin Ah - you want to enable root log-in http://askubuntu.com/q/44418/6161 Again, this is almost always a ***bad*** idea, ***especially*** when you're allowing external connections. But, the link in the comment describes how to do it.
Thanks. Since my goal is automated software installation, does it matter whether I add a non-root user to sudoers, or allow root log-in? There both potential security concerns, but one of them is necessary.
sudo provides more fine-grained control. For instance, you could allow the non-root user to run apt as root without giving a password, but not arbitrary commands. Since your goal is automated software installation, you should use the least privileged solution to your goal.
Q. Login to remote host as root user using passwordless SSH (for example ssh [email protected]_ip)
A. In order to login to remote host as root user using passwordless SSH follow below steps.
First you have to share local user's public key with remote host root user's authorized_keys file. There are many ways to do so, here is one example.
Or you can simply copy paste your public key content to remote host root user's authorized_keys file.
Configure ssh to permit passwordless login in remote host. Login to remote host and edit /etc/ssh/sshd_config file then restart ssh service. Do not forget to comment out "PermitRootLogin yes".
#vim /etc/ssh/sshd_config PermitRootLogin without-password StrictModes no #service ssh restart
Comment out #PermitRootLogin yes
Test you connection from your local machine using user whose public key is shared earlier.
$ssh [email protected]_ip
PermitRootLogin controls whether the user named "root" (to be precise: any user with UID 0) is allowed to login. If you're logging as root, you do not need
sudoto perform privileged tasks.
On the other hand, if you to login on a user account and use
sudowithout a password, you must configure the sudoers file without having to fiddle with
/etc/ssh/sshd_config. See How to make Ubuntu remember forever the password after the first time