Password-less authentication on CentOS / Red Hat

You can achieve password-less authentication for FreeIPA clients by adding the user's public key to the FreeIPA server. This short tutorial shows how.

We will use CentOS 8 for this tutorial.

First, we log in to our client machine as a domain user named korisnik.

su korisnik

We will create a public/private key pair using the OpenSSH tools.

(korisnik is the user I’m using, and test.local is the name of the domain.)

ssh-keygen -t rsa -C korisnik@test.local

You will be asked for a save location (I selected the default) and a password to protect the file; enter a strong one.

Our public key is stored in id_rsa.pub, and we can display it by typing

cat ~/.ssh/id_rsa.pub

Ok, we got the key

Open Identity Management on the FreeIPA server (or on a client, as a FreeIPA admin user) and log in.

Select Identity | Users | Active Users

I will select user named “korisnik”

In the Account Settings portion of the user screen there is an SSH public keys option; select Add.

Now paste the public key you got in the terminal earlier, making sure you copy the whole value, and then select Set.

You can add multiple keys for one user, but let’s say we are done; confirm by selecting Save at the top of the user profile, above Identity Settings.

After we pressed Save, the SSH public key value changed its appearance.

That is it, we are done.
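The "copy the whole value" step is where this procedure usually goes wrong, so here is a pre-upload check, added as an example and not part of the original tutorial. It parses one public-key line, rejects a truncated or mismatched paste, and returns the key size and the SHA256 fingerprint in the form `ssh-keygen -lf` prints; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

def fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix: key not copied whole")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated field: key not copied whole")
        out.append(blob[pos:pos + n])
        pos += n
    return out

def check_pubkey(line):
    """Validate one OpenSSH public-key line; return (type, bits, fingerprint)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    # binascii.Error (bad padding or characters) is a subclass of ValueError
    blob = base64.b64decode(b64, validate=True)
    parsed = fields(blob)
    if not parsed or parsed[0] != ktype.encode():
        raise ValueError("key type prefix does not match the key blob")
    bits = None
    if ktype == "ssh-rsa":
        if len(parsed) != 3:
            raise ValueError("ssh-rsa blob must hold exactly type, e, n")
        bits = int.from_bytes(parsed[2], "big").bit_length()
    digest = hashlib.sha256(blob).digest()
    return ktype, bits, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def mpint(i):
    """Encode a positive integer as an SSH mpint (used only for the sample)."""
    raw = i.to_bytes(i.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw

def sample_line():
    """Constructed 2048-bit ssh-rsa line; the modulus is not a real key."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint((1 << 2047) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " korisnik@test.local"

if __name__ == "__main__":
    print(check_pubkey(sample_line()))
```

Run it against the contents of id_rsa.pub before pasting, then compare the returned fingerprint with the one shown for the saved key.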

The same result can of course be achieved in the terminal by entering the following command

ipa user-mod korisnik --sshpubkey="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkidT6JlvCsdG7zwhRibQFX6ya8WhVe0rfc5bzhYh/kaCT8ONshKVbJ8nAuzBz4WxA6SCtrAv1np70fvFsTB3fQ7Sn/j+ywytfn4zEkCjzC+otLvd/9hSl+07OJ+buQjTLGeSQeLWIZOo9HGzY7WXz/eZW6LFM2Vl+EjzhdudCdRsOzX1S2ytbLe7oVrFG+EmHQtDu+ViiR2+PGSwN2GTGBI+RWCCG5pSxVnga+8pFlAE6N4owG+I2Dve6EbPJNfPoOkX3qpL5gLo25U5xVYlyQUmvtWwUn6Tl2swpPOOZWwvF0TpOal76NGvH2OlALHN4T0Xbzj+p4jz0kjJ5V6Qx korisnik@test.local"

Multiple keys can be uploaded by adding more --sshpubkey options.

Deleting public keys: through the web interface, follow the steps mentioned above and select Delete at the SSH public keys option.

If you are doing it through the terminal, you will need the following commands

kinit admin
ipa user-mod --sshpubkey= korisnik
