How to set up passwordless SSH access for root user

  • I need to configure a machine so software installation can be automated remotely via SSH. Following the wiki, I was able to set up SSH keys so my user can access the machine without a password, but I still need to manually enter my password when I use sudo, which obviously an automated process shouldn't have to do.

    Although my /etc/ssh/sshd_config has PermitRootLogin yes, I can't seem to be able to log in as root, presumably because it's not a "real" account with a separate password.

    How do I configure SSH keys, so a process can remotely log in as root on Ubuntu?

    If you automate installation from a central machine, you can limit the scope of the key so it will only be accepted from the given host. Simply prefix the line in authorized_keys with from="host.ip.goes.here" ssh-rsa [...]

    At the end of the day, this question has a poor title. The user can already log in via ssh with a key without a password but now wants to run sudo without a password. I revised the answer to address both issues as this question is linked as how to generate a passwordless ssh key (due to poor title).

  • Ashimema (correct answer), 8 years ago

    Part 1 : SSH key without a password

    To set up a passwordless SSH connection for the root user you need to have root access on the server. Easiest method is to temporarily allow root to log in over ssh via password. One way or another you need root access on the server to do this. If you do not have root access on the server, contact the server administrator for help.

    On the client (where you ssh FROM)

    First make an ssh key with no password. I highly suggest you give it a name rather than using the default. Give the full path, otherwise the key is written to the current directory rather than ~/.ssh:

    ssh-keygen -f ~/.ssh/foo
    

    The -f option specifies a file name, foo is an example, use whatever name you wish.

    When you are prompted for a password, just hit the enter key and you will generate a key with no password.

    Next you need to transfer the key to the server. Easiest method is to use ssh-copy-id. To do this you must temporarily allow root to ssh into the server.

    On the server (where you ssh TO)

    Edit /etc/ssh/sshd_config

    sudo nano /etc/ssh/sshd_config
    

    Make sure you allow root to log in with the following syntax

    PasswordAuthentication yes
    PermitRootLogin yes
    

    Restart the server

    sudo service ssh restart
    

    Set a root password, use a strong one

    sudo passwd
    

    On the client :

    From the client, transfer the key to the server

    ssh-copy-id -i ~/.ssh/foo [email protected]
    

    Change "foo" to the name of your key and enter your server root password when asked.

    Test the key

    ssh -i ~/.ssh/foo [email protected]
    

    Assuming it works, unset the root password and disable password login.

    On the server :

    sudo passwd -l root
    

    Edit /etc/ssh/sshd_config

    sudo nano /etc/ssh/sshd_config
    

    Change the following :

    PasswordAuthentication no
    PermitRootLogin without-password
    

    Restart the server

    sudo service ssh restart
    

    On the client (Test):

    You should now be able to ssh in with your key without a password and you should not be able to ssh in as any user without a key.

    ssh -i ~/.ssh/foo [email protected]
    

    Part 2 : Running commands via sudo without entering a password

    You configure sudo to allow you to run commands without a password.

    This is answered here in two places:

    Of the two, I suggest allowing as few commands as possible (first answer) rather than all commands (second answer).

    @Ashimema - so you make a key? Where did you make the key? On the server? So how does the client machine get the key? On the client? So how does the key get to the server? The "proper" ie easiest method is to make the key on the client machine (does not require root) and use `ssh-copy-id` to transfer the key to the server.

    That escalated fast. Personally, I'm not impressed by the complete rewrite from a number of angles but as I'm not a regular contributor here anymore I'm really not in the frame of mind for further trolling. Thank you for linking to `sudo -i` information, it was an interesting read.

    Way to remove lots of helpful comments

    'Make a key'.. original questions clearly stated they had already made a key and linked to documentation on how.

    ssh-copy-id by default does add the user's public key to /root/.ssh/authorized_keys.. so you've clearly not answered my question of how you accomplish passwordless ssh to root without the key being present in /root/ssh/authorized_keys

    I was asked to re-write the answer. If you do not like it, revert the changes I made, that is fine with me. `ssh-copy-id` will add the public key to authorized_keys when you sign (log) in via password authentication, this is what ssh-copy-id does. Not to be rude, but your answer was poor quality as you do not need to use sudo to make the key, you did not explain how to transfer the key between server and client, and you do not seem to understand what ssh-copy-id does. I flagged your answer as poor quality and was asked to re-write it.

    ssh-copy-id is the easiest method to transfer keys between client and server and does not require physical transfer (flash drive), or manually editing authorized_keys. See https://www.ssh.com/ssh/copy-id "Once an SSH key has been created, the ssh-copy-id command can be used to install it as an authorized key on the server." and "This logs into the server host, and copies keys to the server, and configures them to grant access by adding them to the authorized_keys file. The copying may ask for a password or other authentication for the server."

    for me, `ssh-keygen -f foo` created the key file at `~/foo`, not `~/.ssh/foo` (so `ssh -i ~/.ssh/foo [email protected]` won't find it). I executed `ssh-keygen -f ~/.ssh/foo` instead.
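    The end state Part 1 of the answer above works towards (root can log in only with a key, password authentication off, StrictModes left on) can be verified against an sshd_config file. This is an added check, not code from the answer; it assumes the file contains no "Match" blocks and uses the sshd rule that the first value set for a keyword wins.

```shell
#!/bin/sh
# Added example (not from the answer): audit an sshd_config for the end state
# Part 1 aims at: key-only root login, password authentication off, StrictModes on.
# sshd uses the FIRST value set for a keyword, so the first uncommented
# occurrence wins here too. Assumption: the file has no "Match" blocks.

# sshd_get FILE KEYWORD DEFAULT -> prints the effective value, lower-cased
sshd_get() {
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                    # skip comment lines
        tolower($1) == key { print tolower($2); exit }  # first match wins
    ' "$1")
    printf '%s\n' "${val:-$3}"                       # fall back to sshd default
}

# check_sshd_config FILE -> prints findings, returns 0 if hardened, 1 otherwise
check_sshd_config() {
    rc=0
    pa=$(sshd_get "$1" PasswordAuthentication yes)          # OpenSSH default: yes
    prl=$(sshd_get "$1" PermitRootLogin prohibit-password)  # default since 7.0
    sm=$(sshd_get "$1" StrictModes yes)                     # OpenSSH default: yes
    [ "$pa" = "no" ] || { echo "FAIL PasswordAuthentication=$pa (want no)"; rc=1; }
    case "$prl" in
        without-password|prohibit-password) ;;  # synonyms: key-only root login
        *) echo "FAIL PermitRootLogin=$prl (want without-password)"; rc=1 ;;
    esac
    [ "$sm" = "yes" ] || { echo "FAIL StrictModes=$sm (want yes)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: root can only log in with a key, passwords off"
    return "$rc"
}

# Constructed sample files (not taken from any real server)
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# the temporary state from the middle of Part 1
PasswordAuthentication yes
PermitRootLogin yes
EOF
cat >"$HARD_CFG" <<'EOF'
#PermitRootLogin yes
PermitRootLogin without-password
PasswordAuthentication no
EOF
for f in "$WEAK_CFG" "$HARD_CFG"; do check_sshd_config "$f" || :; done
```

    Run it against /etc/ssh/sshd_config after the final restart in Part 1; a FAIL line names the keyword still in its temporary Part 1 state.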

  • You are confusing two different things:

    passwordless login is used to make sure that people can't log into your system remotely by guessing your password. If you can ssh [email protected] and connect without a password, this is set up correctly, and has nothing else to do with this.

    sudo is used to permit a normal user account to do something with super user permissions. This does require the user to type their password. This happens whether you are connected remotely (via passwordless or password-protected SSH) or are local on the machine. You are trying to set sudo to not ask for your password, which is not recommended, but you can learn how to do that via an answer like https://askubuntu.com/a/74083/6161

    Note to future readers of this answer:

    My above answer does not answer the original poster's actual question, it describes what you should do instead. If you really want to allow remote connections directly to the root account, you need to enable the root account (see my comment below). Again, let me say DO NOT allow remote log-ins to your root account.

    You're misunderstanding me. I know the difference between SSH and sudo. The problem is that I'm unable to ssh using [email protected]. Using my "normal" account and adding it to my sudoers file would accomplish the same thing, but I was trying to do it solely through SSH. This is possible in Redhat based distros. I take your answer to mean this is not possible in Debian based distros.

    @Cerin Ah - you want to enable root log-in http://askubuntu.com/q/44418/6161 Again, this is almost always a ***bad*** idea, ***especially*** when you're allowing external connections. But, the link in the comment describes how to do it.

    Thanks. Since my goal is automated software installation, does it matter whether I add a non-root user to sudoers, or allow root log-in? They're both potential security concerns, but one of them is necessary.

    sudo provides more fine-grained control. For instance, you could allow the non-root user to run apt as root without giving a password, but not arbitrary commands. Since your goal is automated software installation, you should use the least privileged solution to your goal.

    @Cerin Yes, it does matter. Beyond what Egil pointed out, http://askubuntu.com/q/16178/6161 is a whole discussion of why logging in as root is a bad idea.

  • Q. Login to remote host as root user using passwordless SSH (for example ssh [email protected]_ip)

    A. In order to log in to the remote host as root user using passwordless SSH, follow the steps below.

    1st Step:
    First you have to share local user's public key with remote host root user's authorized_keys file. There are many ways to do so, here is one example.

    https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2

    Or you can simply copy paste your public key content to remote host root user's authorized_keys file.

    2nd step:
    Configure ssh to permit passwordless login in remote host. Login to remote host and edit /etc/ssh/sshd_config file then restart ssh service. Do not forget to comment out "PermitRootLogin yes".

    #vim /etc/ssh/sshd_config
    PermitRootLogin without-password
    StrictModes no
    
    #service ssh restart
    

    Comment out #PermitRootLogin yes

    3rd step:
    Test your connection from your local machine using the user whose public key was shared earlier.

    $ssh [email protected]_ip
    

    Turns out StrictModes no is important on some systems
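    StrictModes is what makes sshd ignore an authorized_keys file when the user's home directory, ~/.ssh or the file itself is group- or world-writable, or owned by someone other than that user (or root). The added check below, not code from the answer, reports which of those paths would be rejected, so the permissions can be fixed and StrictModes kept at its default; it assumes a POSIX ls and awk, and the directory it inspects is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the answer): sshd's StrictModes rejects a key when the
# target user's home, ~/.ssh or authorized_keys is group- or world-writable or is
# owned by someone other than that user (or root). Checking those paths lets
# StrictModes stay at its default "yes" instead of being switched off.
# Assumes a POSIX ls/awk; the sample directory below is constructed.

# writable_by_others PATH -> returns 0 if group or other has write permission
writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)              # e.g. drwxrwxr-x
    case "$mode" in
        ?????w????|????????w?) return 0 ;;         # char 6 = group w, char 9 = other w
        *) return 1 ;;
    esac
}

# strictmodes_check HOME UID -> prints offenders, returns 0 if sshd would accept
strictmodes_check() {
    home=$1; uid=$2; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; rc=1; continue; }
        owner=$(ls -lnd "$p" | awk '{print $3}')   # numeric owner uid
        [ "$owner" = "$uid" ] || [ "$owner" = 0 ] || { echo "bad owner $owner: $p"; rc=1; }
        writable_by_others "$p" && { echo "group/world writable: $p"; rc=1; }
    done
    return "$rc"
}

# Constructed sample: .ssh created group-writable (a common cause of "key ignored")
DEMO_HOME=$(mktemp -d)                            # mktemp -d creates mode 0700
mkdir -m 775 "$DEMO_HOME/.ssh"
: > "$DEMO_HOME/.ssh/authorized_keys"
chmod 600 "$DEMO_HOME/.ssh/authorized_keys"
strictmodes_check "$DEMO_HOME" "$(id -u)" || :    # reports the .ssh directory
chmod 700 "$DEMO_HOME/.ssh"                       # the fix sshd is asking for
strictmodes_check "$DEMO_HOME" "$(id -u)" && echo "OK: StrictModes would accept"
```

    On a real server run it as root against /root (uid 0) before reaching for StrictModes no; sshd logs the same rejection as "Authentication refused: bad ownership or modes".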

  • PermitRootLogin controls whether the user named "root" (to be precise: any user with UID 0) is allowed to login. If you're logging as root, you do not need sudo to perform privileged tasks.

    On the other hand, if you want to log in to a user account and use sudo without a password, you must configure the sudoers file without having to fiddle with /etc/ssh/sshd_config. See How to make Ubuntu remember forever the password after the first time

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM