Thread: HOWTO: SSH & Public Keys

  1. #1
    Join Date
    Apr 2005
    Beans
    116
    Distro
    Ubuntu 8.04 Hardy Heron

    HOWTO: SSH & Public Keys

    Since SSH (Secure Shell) scans are so common these days, I wanted to add better protection to my server, so I configured SSH to only allow logins with public and private keys instead of password authentication. This is how I set it up on Ubuntu; however, it should work on any version of Linux. Don't be afraid of the length of this tutorial: it's really pretty simple and only a few commands. This HowTo ended up longer than I anticipated because I wanted to explain each step as best I could.

    This HowTo assumes that you already have SSH installed properly.

    The first thing we need to do is generate the key pair. On your host computer go to "Applications" > "System Tools" > "Terminal". Note this is your regular user terminal, not a root terminal. Enter the following command at the terminal.

    Code:
    username@ubuntu:~$ ssh-keygen -t dsa
    
    Generating public/private dsa key pair.
    Enter file in which to save the key (/home/username/.ssh/id_dsa):
     
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again:
     
    Your identification has been saved in /home/username/.ssh/id_dsa.
    Your public key has been saved in /home/username/.ssh/id_dsa.pub.
    The key fingerprint is:
    5b:ab:73:32:9e:b8:8c:4b:29:dc:2a:2b:8c:2f:4e:45 username@ubuntu
    As you see above, I chose the default location for the keys, which is the .ssh/ directory in your home directory. At the "Enter passphrase" prompt, enter a strong password. This password is needed to use the key, so it adds some security in case your private key ever gets stolen. Your private key needs to be protected.

    This will generate a DSA key pair. Notice that I say pair: it generates a private key, id_dsa, and your public key, id_dsa.pub, which we will copy to the server.

    Next we need to copy the public key to the server.

    Code:
    username@ubuntu:~$ cd .ssh/
    This moves you into the .ssh directory where the keys were saved. Now to copy the public key to the server.

    Code:
    username@ubuntu:~$ scp id_dsa.pub serverusername@192.168.1.40:./id_dsa.pub
    
    id_dsa.pub    100% |*****************************************************|   614  00:00
    The "scp" command allows files to be copied to/from a remote server using the SSH protocol to establish a secure connection and to encrypt all data passing between the client and the server.

    Now that we copied the public key to the server we have to install the key in the proper directory. To do this login to the server using ssh and your usual password. We still aren't using public key authentication yet but we are close. Once logged into the server issue the following command in the terminal. Note you don't need to be logged in as root just login with your normal user account.

    Code:
    serverusername@server:~$ cd .ssh
    serverusername@server:~$ touch authorized_keys2
    serverusername@server:~$ chmod 600 authorized_keys2
    serverusername@server:~$ cat ../id_dsa.pub >> authorized_keys2
    serverusername@server:~$ rm ../id_dsa.pub
    OK, so here we set the file permissions to 600, which gives only the owner read and write access. Then we added the key to the file called authorized_keys2. Note it's important to use the >> because that adds the key to the file without any line breaks. Then finally we removed the key id_dsa.pub from the server. Now if you log out and log back in you should see that you are using key authentication, as shown below.

    Code:
    username@ubuntu:~$ ssh -l serverusername 192.168.1.40
    Enter passphrase for key '/home/serverusername/.ssh/id_dsa':
    Linux everest 2.6.10-5-386 #1 Tue Apr 5 12:12:40 UTC 2005 i686 GNU/Linux
    
    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    
    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.
    You have new mail.
    Last login: Mon Apr 25 19:43:43 2005 from 192.168.1.15
    serverusername@everest:~$
    There is one more step, and that is to disable password authentication on the server. Once this is set, the only way to log in will be with private and public keys. In order to accomplish this we have to change a line in the ssh_config file on the server. The ssh_config file is located at /etc/ssh/ssh_config on the server. Once in the file, look for the following line:

    Code:
    #   PasswordAuthentication yes
    
    Change to:
      
    PasswordAuthentication no
    UsePAM no
    Now that wasn't so bad, was it? I am not an expert with this; I just put this together from searching around on my own and figured I would put it all together in one place in case I needed to do this again, and hopefully it will help someone else out.
    Last edited by Beernut; May 4th, 2005 at 05:32 AM. Reason: Fixed TYPO Added UsePAM no option
    "Beer is proof that God loves us and wants us to prosper." - Ben Franklin
    "Never argue with an idiot; they'll drag you down to their level and beat you with experience."
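The "touch / chmod 600 / cat >> authorized_keys2" step above is the part that most often goes wrong in practice: a missing trailing newline glues two keys together, a second run duplicates the key, a world-writable ~/.ssh makes sshd ignore the file, and a private key pasted in by mistake ends up on the server. The script below is an added example, not Beernut's code and not ssh-copy-id itself; it installs a public key into ~/.ssh/authorized_keys with those failure modes handled. It assumes POSIX sh with awk, grep and tail, and takes the key file and home directory as explicit arguments so it can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread): install a public key into
# $HOME_DIR/.ssh/authorized_keys the way ssh-copy-id does, but safely and
# repeatably. Assumes POSIX sh, awk, grep and tail.

# install_pubkey PUBKEY_FILE HOME_DIR -> 0 on success, 1 if PUBKEY_FILE is not
# a single OpenSSH public-key line.
install_pubkey() {
    pubkey="$1"
    ssh_dir="$2/.ssh"
    auth="$ssh_dir/authorized_keys"

    # Only accept one OpenSSH public-key line. A private key file pasted here
    # by mistake (multi-line, "-----BEGIN ...") must never reach the server.
    if [ "$(wc -l < "$pubkey" | tr -d ' ')" -gt 1 ] ||
       ! grep -Eq '^(ssh-(ed25519|rsa|dss)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$pubkey"; then
        echo "refusing $pubkey: not a single OpenSSH public key line" >&2
        return 1
    fi

    # sshd ignores authorized_keys when the directory or file is writable by
    # anyone else, so the permissions are set explicitly on every run.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth" && chmod 600 "$auth"

    # If the existing file lacks a trailing newline, a plain >> would glue the
    # new key onto the last line and neither key would parse.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        printf '\n' >> "$auth"
    fi

    # Skip the append when the same key type and blob is already present,
    # whatever the comment field (user@host) says.
    keyid=$(awk '{ print $1, $2 }' "$pubkey")
    if awk -v k="$keyid" '($1 " " $2) == k { found = 1 } END { exit !found }' "$auth"; then
        return 0
    fi
    cat "$pubkey" >> "$auth"
}

# count_keys AUTH_FILE -> number of key lines (blank and comment lines excluded)
count_keys() {
    grep -Evc '^[[:space:]]*(#|$)' "$1"
}

# Usage on the server, as the account that will accept the key:
#   sh install_pubkey.sh ~/id_dsa.pub "$HOME"
if [ $# -eq 2 ]; then
    install_pubkey "$1" "$2"
fi
```

The duplicate check compares only the key type and the base64 blob, so re-running after changing the comment on the client does not add a second entry; the permission fix is idempotent for the same reason.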

  2. #2
    Join Date
    Apr 2005
    Location
    New Zealand
    Beans
    9

    Re: HOWTO: SSH & Public Keys

    Quote Originally Posted by Beernut
    Next we need to copy the public key to the server.

    Code:
    username@ubuntu:~$ cd .ssh/
    This moves you into .ssh directory where the keys were saved. Now to copy the public key to the server.

    Code:
    username@ubuntu:~$ scp id_dsa.pub serverusername@192.168.1.40:./id_dsa.pub
    
    id_dsa.pub    100% |*****************************************************|   614  00:00
    The "scp" command allows files to be copied to/from a remote server using the SSH protocol to establish a secure connection and to encrypt all data passing between the client and the server.

    Now that we copied the public key to the server we have to install the key in the proper directory. To do this login to the server using ssh and your usual password. We still aren't using public key authentication yet but we are close. Once logged into the server issue the following command in the terminal. Note you don't need to be logged in as root just login with your normal user account.

    Code:
    serverusername@server:~$ cd .ssh
    serverusername@server:~$ touch authorized_keys2
    serverusername@server:~$ chmod 600 authorized_keys2
    serverusername@server:~$ cat ../id_dsa.pub >> authorized_keys2
    serverusername@server:~$ rm ../id_dsa.pub
    OK, so here we set the file permissions to 600, which gives only the owner read and write access. Then we added the key to the file called authorized_keys2. Note it's important to use the >> because that adds the key to the file without any line breaks. Then finally we removed the key id_dsa.pub from the server. Now if you log out and log back in you should see that you are using key authentication, as shown below.
    Nice howto. I'm not sure if you're aware of it, but the above can essentially be replaced with the "ssh-copy-id" command. As far as I'm aware, it's only a Debian thing. The only real difference to the above is that it copies your key to a file called "authorized_keys" instead of "authorized_keys2", but it still works the same.

    I'm glad you said that the user must enter a password. IMO, if you don't passphrase your key, you're asking for trouble.

    You might also like to add something about ssh-add as it saves you from entering your passphrase everywhere.

  3. #3
    Join Date
    Mar 2005
    Beans
    115

    Re: HOWTO: SSH & Public Keys

    Thanks for the howto! But how do I disable regular password authentication now that this is in place?
    "Windows is something to overcome"

    Howto's by me:
    Tweak firefox! (URL now works..)
    Backup/Restore your system!
    Avoid having to reboot


    Compentux.org
    , the Linux Tip & Howto gathering initiative!

  4. #4
    Join Date
    Apr 2005
    Beans
    116
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: HOWTO: SSH & Public Keys

    Quote Originally Posted by Heliode
    Thanks for the howto! But how do I disable regular password authentication now that this is in place?
    I forgot about this part; I'll add it to the HOWTO above. You need to edit the following file on the server: /etc/ssh/ssh_config. Now there are a few ways to do this, like below.

    Code:
    sudo vim /etc/ssh/ssh_config
    
    sudo gedit /etc/ssh/ssh_config  (Enter this one only if you are on the server.)
    If you know how to use the VI editor you can edit the file from the terminal on a remote host. I am not that good with VI so I won't even attempt to tell you how to do it that way.

    When you open the file all you have to do is change the following line to no.

    Code:
    #   PasswordAuthentication no
    That should do it for you.
    Last edited by Beernut; May 1st, 2005 at 02:57 PM.
    "Beer is proof that God loves us and wants us to prosper." - Ben Franklin
    "Never argue with an idiot; they'll drag you down to their level and beat you with experience."

  5. #5
    Join Date
    Apr 2005
    Beans
    116
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: HOWTO: SSH & Public Keys

    Quote Originally Posted by airhead
    Nice howto I'm not sure if you're aware if it, but the above can essentially be replaced with the "ssh-copy-id" command. As far as I'm aware, its only a debian thing. The only real difference to the above is that it copies your key to a file called "authorized_keys" instead of "authorized_keys2", but it still works the same.

    I'm glad you said that the user must enter a password. IMO, if you don't passphrase your key, you're asking for trouble

    You might also like to add something about ssh-add as it saves you from entering your passphrase everywhere.
    Thanks. I just found the "ssh-copy-id" command but wasn't sure if it would work the same. The file is named "authorized_keys2" so that you can have separate keys for the Protocol 1 and Protocol 2 versions of ssh. I am going to try it on my Suse box to see if it is just a Debian thing or not.

    I hate blank passwords or passphrases. Why go through the trouble of securing your server and then leave that out?

    Thanks for the hint on the ssh-add command; I'll have to look into it. Does that just remember your password for the current session?
    "Beer is proof that God loves us and wants us to prosper." - Ben Franklin
    "Never argue with an idiot; they'll drag you down to their level and beat you with experience."

  6. #6
    Join Date
    Apr 2005
    Location
    New Zealand
    Beans
    9

    Re: HOWTO: SSH & Public Keys

    Quote Originally Posted by Beernut
    Thanks for the hint on the ssh-add command; I'll have to look into it. Does that just remember your password for the current session?
    That's correct.

    When turning off password auth, I found that my Debian testing version of sshd already had "PasswordAuthentication no". To really turn it off, you need to set "UsePAM no" (as sshd uses PAM instead of doing the authentication itself).

  7. #7
    Join Date
    Mar 2005
    Beans
    115

    Re: HOWTO: SSH & Public Keys

    Hey, I'm probably doing something wrong here, but I've set password authentication to 'no' on my (Gentoo) server in the /etc/ssh/ssh_config file, but I can still log in with my regular password if I just hit enter when it asks me for the passphrase for the key. Any idea what might be causing this?
    "Windows is something to overcome"

    Howto's by me:
    Tweak firefox! (URL now works..)
    Backup/Restore your system!
    Avoid having to reboot


    Compentux.org
    , the Linux Tip & Howto gathering initiative!

  8. #8
    Join Date
    Mar 2005
    Beans
    2

    Re: HOWTO: SSH & Public Keys

    Quote Originally Posted by Beernut
    When you open the file all you have to do is change the following line to no.

    Code:
    #   PasswordAuthentication no
    That should do it for you.
    I think you should remove that comment (#) after changing it to "no".

    EDIT: wait a sec... why are we setting up "password authentication no" in ssh_config? Isn't it sshd_config we should be changing?
    Last edited by heon2574; May 4th, 2005 at 02:04 AM.

  9. #9
    Join Date
    Apr 2005
    Beans
    116
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: HOWTO: SSH & Public Keys

    Oops, missed the comment; that's the bad thing with copy and paste. As far as changing it in the sshd_config file, I don't have one on my system. At least not in /etc/ssh/, which is where it should be according to the documentation at OpenSSH.

    Also I don't see anything about the "UsePAM no" option in the manual.

    Code:
    man ssh_config
    "Beer is proof that God loves us and wants us to prosper." - Ben Franklin
    "Never argue with an idiot; they'll drag you down to their level and beat you with experience."
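Posts #6 through #9 circle the two ways this step silently fails: editing the client file ssh_config instead of the daemon's sshd_config, and leaving the line commented out (a "#" line changes nothing), plus the PAM question of whether a password prompt can still arrive through keyboard-interactive authentication. The script below is an added example, not from the thread, that reads an sshd_config the way sshd does and reports whether password-style logins are actually off. It assumes POSIX sh and awk; the OpenSSH defaults it applies when a keyword is absent (PasswordAuthentication yes, ChallengeResponseAuthentication yes, PubkeyAuthentication yes) are OpenSSH's documented defaults. Point it at /etc/ssh/sshd_config on the server.

```shell
#!/bin/sh
# Added example (not from the thread): read the effective value of an
# sshd_config keyword and check the settings that decide whether a password
# can still log in. Assumes POSIX sh and awk. Run it against the daemon's
# file, /etc/ssh/sshd_config, never the client's /etc/ssh/ssh_config.

# sshd_value FILE KEYWORD -> prints the effective value in lower case, or
# nothing if the keyword is not set globally. Mirrors how sshd reads the file:
# the FIRST occurrence of a keyword wins, keywords are case-insensitive, lines
# starting with "#" are comments, and anything after a "Match" line is
# conditional, so it does not count as a global setting.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print tolower($2); exit }
    ' "$1"
}

# check_passwords_off FILE -> 0 if only key logins are possible, 1 otherwise,
# printing one line per problem. When a keyword is absent the OpenSSH default
# applies: PasswordAuthentication yes, ChallengeResponseAuthentication yes,
# PubkeyAuthentication yes.
check_passwords_off() {
    f="$1"
    rc=0
    pa=$(sshd_value "$f" PasswordAuthentication)
    cr=$(sshd_value "$f" ChallengeResponseAuthentication)
    pk=$(sshd_value "$f" PubkeyAuthentication)
    if [ "${pa:-yes}" != no ]; then
        echo "PasswordAuthentication is '${pa:-yes}' (want no)"
        rc=1
    fi
    # With UsePAM yes, keyboard-interactive authentication hands the prompt to
    # PAM, which usually means a password prompt, so this must be off as well.
    if [ "${cr:-yes}" != no ]; then
        echo "ChallengeResponseAuthentication is '${cr:-yes}' (want no)"
        rc=1
    fi
    if [ "${pk:-yes}" != yes ]; then
        echo "PubkeyAuthentication is '$pk' (want yes, or keys will not work)"
        rc=1
    fi
    return $rc
}

# Usage: sh check_sshd.sh /etc/ssh/sshd_config   (exit status 0 means hardened)
if [ $# -eq 1 ]; then
    check_passwords_off "$1"
fi
```

Because the first occurrence wins, a hardening line appended at the bottom of a file that already says "PasswordAuthentication yes" near the top has no effect; the checker reports the value sshd will actually use, which is the useful thing to verify after the edit and before closing the password-authenticated session you made it from.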

  10. #10
    Join Date
    May 2005
    Beans
    41

    Re: HOWTO: SSH & Public Keys

    Great howto. Very easy to follow. I have only one question: you explained how to generate the keypair on two Ubuntu boxes, and I'm curious. I run SSHD at home on my Ubuntu box but often connect from my workplace using PuTTY. How does one go about generating another keypair on Windows with PuTTY?
