Old April 29th, 2005   #1
Beernut
A Carafe of Ubuntu
 
Join Date: Apr 2005
Beans: 118
Ubuntu 8.04 Hardy Heron
HOWTO: SSH & Public Keys

Since SSH (Secure Shell) scans are so common anymore, I wanted to add better protection to my server, so I configured SSH to only allow logins with public & private keys instead of password authentication. This is how I set it up on Ubuntu; however, it should work on any version of Linux. Don't be afraid of the length of this tutorial; it's really pretty simple and only a few commands. This HowTo ended up longer than I anticipated because I wanted to explain each step as best I could.

This HowTo assumes that you already have SSH installed properly.

The first thing we need to do is generate the key pair. On your host computer go to "Applications">"System Tools">"Terminal" (note this is your regular user terminal, not a root terminal). Enter the following command at the terminal.

Code:
username@ubuntu:~$ ssh-keygen -t dsa

Generating public/private dsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_dsa):
 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again:
 
Your identification has been saved in /home/username/.ssh/id_dsa.
Your public key has been saved in /home/username/.ssh/id_dsa.pub.
The key fingerprint is:
5b:ab:73:32:9e:b8:8c:4b:29:dc:2a:2b:8c:2f:4e:45 username@ubuntu
As you see above I chose the default location for the keys which is in the .ssh/ directory in your home directory. At the "Enter passphrase" prompt enter a strong password. This password is needed to use the key so this adds some security in case your private key ever gets stolen. Your private key needs to be protected.

This will generate a DSA key pair. If you notice, I say pair: it generates a private key, id_dsa, and your public key, id_dsa.pub, which we will copy to the server.

Next we need to copy the public key to the server.

Code:
username@ubuntu:~$ cd .ssh/
This moves you into the .ssh directory where the keys were saved. Now to copy the public key to the server.

Code:
username@ubuntu:~$ scp id_dsa.pub serverusername@192.168.1.40:./id_dsa.pub

id_dsa.pub    100% |*****************************************************|   614  00:00
The "scp" command allows files to be copied to/from a remote server using the SSH protocol to establish a secure connection and to encrypt all data passing between the client and the server.

Now that we copied the public key to the server we have to install the key in the proper directory. To do this, log in to the server using ssh and your usual password. We still aren't using public key authentication yet, but we are close. Once logged into the server, issue the following commands in the terminal. Note you don't need to be logged in as root; just log in with your normal user account.

Code:
username@server:~$ cd .ssh
serverusername@server:~$ touch authorized_keys2
serverusername@server:~$ chmod 600 authorized_keys2
serverusername@server:~$ cat ../id_dsa.pub >> authorized_keys2
serverusername@server:~$ rm ../id_dsa.pub
Ok, so here we set the file permissions to 600, which gives only the owner read and write access. Then we added the key to the file called authorized_keys2. Note it's important to use the >> because that adds the key to the file without any line breaks. Then finally we removed the key id_dsa.pub from the server. Now if you log out and log back in you should see that you are using the key authentication as shown below.

Code:
username@ubuntu:~$ ssh -l serverusername 192.168.1.40
Enter passphrase for key '/home/serverusername/.ssh/id_dsa':
Linux everest 2.6.10-5-386 #1 Tue Apr 5 12:12:40 UTC 2005 i686 GNU/Linux

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
You have new mail.
Last login: Mon Apr 25 19:43:43 2005 from 192.168.1.15
serverusername@everest:~$
There is one more step and that is to disable password authentication on the server. Once this is set, the only way to log in will be with private and public keys. In order to accomplish this we have to change a line in the ssh_config file on the server. The ssh_config file is located at /etc/ssh/ssh_config on the server. Once in the file, look for the following line:

Code:
#   PasswordAuthentication yes

Change to:
  
PasswordAuthentication no
UsePAM no
Now, that wasn't so bad, was it? I am not an expert with this; I just put this together from searching around on my own and figured I would put it all together in one place in case I needed to do this again, and hopefully it will help someone else out.
__________________
"Beer is proof that God loves us and wants us to prosper." - Ben Franklin
"Never argue with an idiot; they'll drag you down to their level and beat you with experience."

Last edited by Beernut; May 4th, 2005 at 12:32 AM.. Reason: Fixed TYPO Added UsePAM no option
Old April 29th, 2005   #2
airhead
First Cup of Ubuntu
 
Join Date: Apr 2005
Location: New Zealand
Beans: 9
Re: HOWTO: SSH & Public Keys

Quote:
Originally Posted by Beernut
Next we need to copy the public key to the server.

Code:
username@ubuntu:~$ cd .ssh/
This moves you into the .ssh directory where the keys were saved. Now to copy the public key to the server.

Code:
username@ubuntu:~$ scp id_dsa.pub serverusername@192.168.1.40:./id_dsa.pub

id_dsa.pub    100% |*****************************************************|   614  00:00
The "scp" command allows files to be copied to/from a remote server using the SSH protocol to establish a secure connection and to encrypt all data passing between the client and the server.

Now that we copied the public key to the server we have to install the key in the proper directory. To do this, log in to the server using ssh and your usual password. We still aren't using public key authentication yet, but we are close. Once logged into the server, issue the following commands in the terminal. Note you don't need to be logged in as root; just log in with your normal user account.

Code:
username@server:~$ cd .ssh
serverusername@server:~$ touch authorized_keys2
serverusername@server:~$ chmod 600 authorized_keys2
serverusername@server:~$ cat ../id_dsa.pub >> authorized_keys2
serverusername@server:~$ rm ../id_dsa.pub
Ok, so here we set the file permissions to 600, which gives only the owner read and write access. Then we added the key to the file called authorized_keys2. Note it's important to use the >> because that adds the key to the file without any line breaks. Then finally we removed the key id_dsa.pub from the server. Now if you log out and log back in you should see that you are using the key authentication as shown below.
Nice howto. I'm not sure if you're aware of it, but the above can essentially be replaced with the "ssh-copy-id" command. As far as I'm aware, it's only a Debian thing. The only real difference to the above is that it copies your key to a file called "authorized_keys" instead of "authorized_keys2", but it still works the same.

I'm glad you said that the user must enter a password. IMO, if you don't passphrase your key, you're asking for trouble.

You might also like to add something about ssh-add as it saves you from entering your passphrase everywhere.
Old April 30th, 2005   #3
Heliode
A Carafe of Ubuntu
 
Join Date: Mar 2005
Beans: 143
Re: HOWTO: SSH & Public Keys

Thanks for the howto! But how do I disable regular password authentication now that this is in place?
__________________
"Windows is something to overcome"

Howto's by me:
Tweak firefox! (URL now works..)
Backup/Restore your system!
Avoid having to reboot


Compentux.org
, the Linux Tip & Howto gathering initiative!
Old May 1st, 2005   #4
Beernut
A Carafe of Ubuntu
 
Join Date: Apr 2005
Beans: 118
Ubuntu 8.04 Hardy Heron
Re: HOWTO: SSH & Public Keys

Quote:
Originally Posted by Heliode
Thanks for the howto! But how do I disable regular password authentication now that this is in place?
I forgot about this part; I'll add it to the HOWTO above. You need to edit the following file on the server: /etc/ssh/ssh_config. Now there are a few ways to do this, like below.

Code:
sudo vim /etc/ssh/ssh_config

sudo gedit /etc/ssh/ssh_config  (Enter this one only if you are on the server.)
If you know how to use the VI editor you can edit the file from the terminal on a remote host. I am not that good with VI, so I won't even attempt to tell you how to do it that way.

When you open the file all you have to do is change the following line to no.

Code:
#   PasswordAuthentication no
That should do it for you.

Last edited by Beernut; May 1st, 2005 at 09:57 AM..
Old May 1st, 2005   #5
Beernut
A Carafe of Ubuntu
 
Join Date: Apr 2005
Beans: 118
Ubuntu 8.04 Hardy Heron
Re: HOWTO: SSH & Public Keys

Quote:
Originally Posted by airhead
Nice howto. I'm not sure if you're aware of it, but the above can essentially be replaced with the "ssh-copy-id" command. As far as I'm aware, it's only a Debian thing. The only real difference to the above is that it copies your key to a file called "authorized_keys" instead of "authorized_keys2", but it still works the same.

I'm glad you said that the user must enter a password. IMO, if you don't passphrase your key, you're asking for trouble.

You might also like to add something about ssh-add as it saves you from entering your passphrase everywhere.
Thanks. I just found the "ssh-copy-id" command but wasn't sure if it would work the same. The file is named "authorized_keys2" so that you can have separate keys for the Protocol 1 & Protocol 2 versions of ssh. I am going to try it on my Suse box to see if it is just a Debian thing or not.

I hate blank passwords or passphrases. Why go through the trouble of securing your server and then leave that out?

Thanks for the hint on the ssh-add command; I'll have to look into it. Does that just remember your password for the current session?
Old May 3rd, 2005   #6
airhead
First Cup of Ubuntu
 
Join Date: Apr 2005
Location: New Zealand
Beans: 9
Re: HOWTO: SSH & Public Keys

Quote:
Originally Posted by Beernut
Thanks for the hint on ssh-add command I'll have to look into it. Does that just remember your password for the current session?
That's correct.

When turning off password auth, I found that my Debian testing version of sshd already had "PasswordAuthentication no". To really turn it off, you need to set "UsePAM no" (as sshd uses PAM instead of doing the authentication itself).
Old May 3rd, 2005   #7
Heliode
A Carafe of Ubuntu
 
Join Date: Mar 2005
Beans: 143
Re: HOWTO: SSH & Public Keys

Hey, I'm probably doing something wrong here, but I've set password authentication to 'no' on my (Gentoo) server in the /etc/ssh/ssh_config file, but I can still log in with my regular password if I just hit enter when it asks me for the passphrase for the key. Any idea what might be causing this?
Old May 3rd, 2005   #8
heon2574
First Cup of Ubuntu
 
Join Date: Mar 2005
Beans: 2
Re: HOWTO: SSH & Public Keys

Quote:
Originally Posted by Beernut
When you open the file all you have to do is change the following line to no.

Code:
#   PasswordAuthentication no
That should do it for you.
I think you should remove that comment (#) after changing it to "no."

EDIT: Wait a sec... why are we setting up "password authentication no" in ssh_config? Isn't it sshd_config we should be changing?

Last edited by heon2574; May 3rd, 2005 at 09:04 PM..
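An added example, not from the thread or from any of the posters: it folds the HOWTO's touch/chmod/cat steps from post #1 into one idempotent function, and, for the commented-out line heon2574 points out just above, reports which value a config file actually yields for a keyword (a line that still starts with # is a comment, and sshd takes the first uncommented value it finds). The file names, the sample key and the sample config are constructed; the server daemon reads sshd_config, so that is the file to point the check at.

```shell
#!/bin/sh
# Added example, not from the thread. install_key does what the HOWTO's
# touch/chmod/cat steps do by hand, but idempotently and with the
# directory permissions sshd (StrictModes, the default) also checks;
# effective_setting reports the value sshd will actually use from a
# config file, so "#   PasswordAuthentication no" is seen as a comment.
# Assumes POSIX sh, grep and awk; Match blocks in sshd_config are ignored.

# install_key PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Returns 0 if the key was appended, 1 if that exact line was already there.
install_key() {
    pub="$1"; ak="$2"; dir=$(dirname "$ak")
    mkdir -p "$dir" && chmod 700 "$dir"   # a group/world-writable ~/.ssh gets keys ignored
    touch "$ak" && chmod 600 "$ak"        # owner read/write only, as in the HOWTO
    # -F fixed string, -x whole line: a key that is merely a substring of
    # another line does not count as already installed
    if grep -qFx -- "$(cat "$pub")" "$ak"; then
        return 1
    fi
    cat "$pub" >> "$ak"                   # >> appends; > would wipe existing keys
}

# effective_setting CONFIG_FILE KEYWORD
# Prints the value sshd uses: comment lines are skipped, and the first
# uncommented occurrence wins (sshd_config is first-match, not last-match).
# Prints "default" when the keyword never appears uncommented.
effective_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                                  # comment
        tolower($1) == tolower(key) { print $2; found = 1; exit }  # first hit
        END { if (!found) print "default" }
    ' "$1"
}

# Constructed demo: a constructed key, then the HOWTO's edit with the "#" left in.
demo() {
    tmp=$(mktemp -d)
    printf 'ssh-dss AAAAB3NzaC1kc3MAAACBconstructed== username@ubuntu\n' > "$tmp/id_dsa.pub"
    install_key "$tmp/id_dsa.pub" "$tmp/.ssh/authorized_keys2" && echo "key appended"
    install_key "$tmp/id_dsa.pub" "$tmp/.ssh/authorized_keys2" || echo "key already present, not duplicated"
    printf '#   PasswordAuthentication no\nUsePAM no\n' > "$tmp/sshd_config"
    echo "PasswordAuthentication: $(effective_setting "$tmp/sshd_config" PasswordAuthentication)"
    echo "UsePAM: $(effective_setting "$tmp/sshd_config" UsePAM)"
    rm -rf "$tmp"
}

demo
```

Run against a real /etc/ssh/sshd_config, `effective_setting` prints "default" for PasswordAuthentication when the only line mentioning it is still commented, which is exactly the state the HOWTO's copy-and-paste leaves behind.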
Old May 4th, 2005   #9
Beernut
A Carafe of Ubuntu
 
Join Date: Apr 2005
Beans: 118
Ubuntu 8.04 Hardy Heron
Re: HOWTO: SSH & Public Keys

OOPS, missed the comment; that's the bad thing with copy and paste. As far as changing it in the sshd_config file, I don't have one on my system. At least not in /etc/ssh/, which is where it should be according to the documentation at OpenSSH.

Also, I don't see anything about the "UsePAM no" option in the manual.

Code:
man ssh_config
Old May 16th, 2005   #10
dmccarney
Just Give Me the Beans!
 
Join Date: May 2005
Beans: 46
Re: HOWTO: SSH & Public Keys

Great howto. Very easy to follow. I have only one question: you explained how to generate the keypair on two Ubuntu boxes, and I'm curious. I run the SSHD at home on my Ubuntu box but often connect from my workplace using Putty. How does one go about generating another keypair on Windows with Putty?
