[UPD:2020-10-16] Passwordless SSH login & filesystem mount (HOWTO)

Once you have set up your ssh keys on the remote host (the server), and also on the local client (your PC), you can connect without (necessarily) having to input a password. To make this secure, the 2 connecting machines need to establish that you’re an OK person on both sides by exchanging keys which are setup in advance (by you and/or your sysadmin).

• You need to ensure you’re at the right server
• via ~/.ssh/known_hosts
• The server needs to establish that you’re allowed in
• via ~/.ssh/authorised_keys

SSH doesn’t like it if your home or ~/.ssh directories have group write permissions. If this is the case, you might get chucked out even though everything looks like it is OK.

example:
remote server

• IP address: 192.168.1.111
• username: USER001
• sshd running on (non-standard) port 11122
• RSA 2048 keys (You should have this info (from the server/sysadmin) to verify/ensure that you’re connecting to the right place. If they don’t match – something is WRONG!)
• MD5:24:06:00:35:00:68:32:19:39:bf:f9:5a:a3:19:a8:b8
• SHA256:M6119PDXRT4isH8BmRWZzsVPd3qsdzEZBEonV24f24U

At the intended server console, logged in as root or a sudo privileged user….

# nano /etc/ssh/sshd_config; #and allow root to login with a password 
  # Find the line that says #PermitRootLogin prohibit-password
  # change it to `PermitRootLogin yes` and then `systemctl restart ssh`
  # (This is TEMPORARY and will be disabled as soon as we have done the PKI portion a few lines down)
perl -pi -e 's/^#?(PermitRootLogin )(.*?)$/#$1$2\n#$1 yes/' /etc/ssh/sshd_config; #TEMPORARILY ALLOW root+password logins
# cat /etc/ssh/sshd_config | grep -i PermitRootLogin; #4DBG#
systemctl restart ssh;

Now… at YOUR workstation…[You should have your system set up for PKIs already (ie. you SHOULD have ~/.ssh/id_rsa.pub on YOUR system) or this entire process will fail].

#set some variables
SSHREMOTE="192.168.1.111"; SSHUSER="USER001"; SSHPORT="11122";

#upload local client (Your PC's) ssh keys to the remote host (server's) AUTH'd keys file
cat ~/.ssh/id_rsa.pub | ssh -p $SSHPORT $SSHUSER@$SSHREMOTE "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
##some systems also allow an alternative method to do this...
#ssh-copy-id -p $SSHPORT $SSHUSER@$SSHREMOTE

#set correct permissions
ssh -p $SSHPORT $SSHUSER@$SSHREMOTE "chmod go-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys"

#test the connection
ssh -p $SSHPORT $SSHUSER@$SSHREMOTE

sudo perl -pi -e 's/^#?(PermitRootLogin )(.*?)$/#$1$2\n$1 prohibit-password/' /etc/ssh/sshd_config; #revert to NOT allowing root+password logins
cat /etc/ssh/sshd_config | grep -i PermitRootLogin; #cat:4DBG#
sudo systemctl restart ssh;

The shell prompt should look something like this
USER001@192.168.1.111:~$

which means (roughly)
username
@(remote) hostname/IP
:current subdir (/home/USER001 in this case – verify by typing “pwd”)
$privilege ($ is normal, # indicates root – it is UNWISE (to say the very least) to login as root directly)

Secure FileSystem mount:
IF you’re on a LAN, and/or speed is not a major issue, you can also mount the remote filesystem (“locally”) via SSH to make file copying/viewing/editing easier (using sshfs). Obviously you need to have appropriate permissions to see/edit the files.

sudo apt install -y sshfs;
SSHPORT="11122"; SSHREMOTE="192.168.1.111"; SSHUSER="USER001"; #if you are still in the same TTY session, you should already have these SET
sshfsMountPoint="$HOME/MNT/tempFS"; mkdir -p "$sshfsMountPoint";  #set a local mountpoint for the server’s filesystem
sshfs $SSHUSER@$SSHREMOTE:/ $sshfsMountPoint -p $SSHPORT -o IdentityFile=~/.ssh/id_rsa