Thread: HOWTO: SSH & Public Keys

    HOWTO: SSH & Public Keys

    Since SSH (Secure Shell) scans are so common these days, I wanted to add better protection to my server, so I configured SSH to only allow logins with public and private keys instead of password authentication. This is how I set it up on Ubuntu; however, it should work on any version of Linux. Don't be afraid of the length of this tutorial; it's really pretty simple and only a few commands. This HowTo ended up longer than I anticipated because I wanted to explain each step as best I could.

    This HowTo assumes that you already have SSH installed properly.

    The first thing we need to do is generate the key pair. On your host computer go to "Applications" > "System Tools" > "Terminal". Note: this is your regular user terminal, not a root terminal. Enter the following command at the terminal.

    Code:
    username@ubuntu:~$ ssh-keygen -t dsa
    
    Generating public/private dsa key pair.
    Enter file in which to save the key (/home/username/.ssh/id_dsa):
     
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again:
     
    Your identification has been saved in /home/username/.ssh/id_dsa.
    Your public key has been saved in /home/username/.ssh/id_dsa.pub.
    The key fingerprint is:
    5b:ab:73:32:9e:b8:8c:4b:29:dc:2a:2b:8c:2f:4e:45 username@ubuntu
    As you see above, I chose the default location for the keys, which is the .ssh/ directory in your home directory. At the "Enter passphrase" prompt, enter a strong password. This password is needed to use the key, so it adds some security in case your private key ever gets stolen. Your private key needs to be protected.

    This will generate a DSA key pair. If you notice, I say pair: it generates a private key, id_dsa, and your public key, id_dsa.pub, which we will copy to the server.

    Next we need to copy the public key to the server.

    Code:
    username@ubuntu:~$ cd .ssh/
    This moves you into the .ssh directory where the keys were saved. Now to copy the public key to the server.

    Code:
    username@ubuntu:~$ scp id_dsa.pub serverusername@192.168.1.40:./id_dsa.pub
    
    id_dsa.pub    100% |*****************************************************|   614  00:00
    The "scp" command allows files to be copied to/from a remote server using the SSH protocol to establish a secure connection and to encrypt all data passing between the client and the server.

    Now that we have copied the public key to the server, we have to install the key in the proper directory. To do this, log in to the server using ssh and your usual password. We still aren't using public key authentication yet, but we are close. Once logged into the server, issue the following commands in the terminal. Note: you don't need to be logged in as root; just log in with your normal user account.

    Code:
    serverusername@server:~$ cd .ssh
    serverusername@server:~$ touch authorized_keys2
    serverusername@server:~$ chmod 600 authorized_keys2
    serverusername@server:~$ cat ../id_dsa.pub >> authorized_keys2
    serverusername@server:~$ rm ../id_dsa.pub
    OK, so here we set the file permissions to 600, which gives only the owner read and write access. Then we added the key to the file called authorized_keys2. Note it's important to use the >> because that adds the key to the file without any line breaks. Then, finally, we removed the key id_dsa.pub from the server. Now if you log out and log back in, you should see that you are using key authentication, as shown below.

    Code:
    username@ubuntu:~$ ssh -l serverusername 192.168.1.40
    Enter passphrase for key '/home/username/.ssh/id_dsa':
    Linux everest 2.6.10-5-386 #1 Tue Apr 5 12:12:40 UTC 2005 i686 GNU/Linux
    
    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    
    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.
    You have new mail.
    Last login: Mon Apr 25 19:43:43 2005 from 192.168.1.15
    serverusername@everest:~$
    There is one more step, and that is to disable password authentication on the server. Once this is set, the only way to log in will be with private and public keys. In order to accomplish this we have to change a line in the ssh_config file on the server. The ssh_config file is located in the following location on the server: /etc/ssh/ssh_config. Once in the file, look for the following line:

    Code:
    #   PasswordAuthentication yes
    
    Change to:
      
    PasswordAuthentication no
    UsePAM no
    Now, that wasn't so bad, was it? I am not an expert with this; I just put this together from searching around on my own and figured I would put it all together in one place in case I needed to do this again, and hopefully it will help someone else out.
    Last edited by Beernut; May 4th, 2005 at 05:32 AM. Reason: Fixed TYPO Added UsePAM no option
    "Beer is proof that God loves us and wants us to prosper." - Ben Franklin
    "Never argue with an idiot; they'll drag you down to their level and beat you with experience."
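The post above is a four-step procedure: generate a key pair, copy the public key over, append it to authorized_keys with the right permissions, and turn off password logins on the server. The script below is an added example written for this page, not code from the original post or from the OpenSSH project. It replays those steps as shell functions against a scratch directory instead of a real home directory, so it can be run and checked offline. Two things differ from the post and are worth knowing: OpenSSH 7.0 and later refuse DSA ("ssh-dss") keys by default, so the example generates an ed25519 key instead of `ssh-keygen -t dsa`; and the server reads `/etc/ssh/sshd_config`, while `/etc/ssh/ssh_config` is the client's configuration, so `PasswordAuthentication no` has to go in `sshd_config` to have any effect on incoming logins. The sshd_config fragments it checks are constructed inline; the only assumption is that `ssh-keygen` is on PATH (the demo falls back to a placeholder key line, clearly not a real key, if it is not).

```shell
#!/bin/sh
# Added example, not code from the original post. Replays the HOWTO's steps
# (generate key, install public key with correct permissions, disable
# password auth) as checkable functions over a scratch directory and
# constructed sshd_config fragments. Assumes OpenSSH's ssh-keygen is on PATH.
set -eu

# Step 1: generate the key pair. OpenSSH 7.0+ rejects DSA ("ssh-dss") keys by
# default, so ed25519 replaces the post's "-t dsa". -N "" sets an empty
# passphrase so the example runs unattended; use a real one in practice.
gen_key() {  # $1 = private key path; writes $1 and $1.pub
    ssh-keygen -q -t ed25519 -N "" -C "username@ubuntu" -f "$1"
}

# Steps 2-3: append the public key to ~/.ssh/authorized_keys with the modes
# sshd's StrictModes insists on (700 on the directory, 600 on the file).
# ">>" appends; ">" would overwrite any keys that are already installed.
install_pubkey() {  # $1 = public key file, $2 = target home directory
    mkdir -p "$2/.ssh"
    chmod 700 "$2/.ssh"
    touch "$2/.ssh/authorized_keys"
    chmod 600 "$2/.ssh/authorized_keys"
    cat "$1" >> "$2/.ssh/authorized_keys"
}

# Number of installed key lines (OpenSSH key types start with ssh- or ecdsa-).
count_keys() {  # $1 = authorized_keys file
    grep -cE '^(ssh-|ecdsa-)' "$1" || true
}

# True if authorized_keys is exactly mode 600 (POSIX find -perm matches exactly).
perms_ok() {  # $1 = target home directory
    [ -n "$(find "$1/.ssh/authorized_keys" -perm 600)" ]
}

# Step 4: does a server config disable password logins? The server reads
# /etc/ssh/sshd_config (ssh_config is the client's file). sshd uses the FIRST
# uncommented value of each keyword; a missing or commented-out line means the
# compiled-in default, which for PasswordAuthentication is "yes".
password_auth_disabled() {  # $1 = path to an sshd_config
    val=$(grep -iE '^[[:space:]]*PasswordAuthentication[[:space:]]+' "$1" \
            | head -n 1 | awk '{print tolower($2)}')
    [ "${val:-yes}" = "no" ]
}

demo() {
    tmp=$(mktemp -d)
    if command -v ssh-keygen >/dev/null 2>&1; then
        gen_key "$tmp/id_ed25519"
    else
        # constructed placeholder, not a real key, only so the demo can proceed
        printf 'ssh-ed25519 PLACEHOLDER-NOT-A-REAL-KEY username@ubuntu\n' \
            > "$tmp/id_ed25519.pub"
    fi
    install_pubkey "$tmp/id_ed25519.pub" "$tmp/serverhome"
    printf '%s key(s) installed, perms_ok=%s\n' \
        "$(count_keys "$tmp/serverhome/.ssh/authorized_keys")" \
        "$(perms_ok "$tmp/serverhome" && echo yes || echo no)"
    # Constructed config fragments: the stock commented-out default vs. the fix.
    printf '#   PasswordAuthentication yes\n' > "$tmp/sshd_config.before"
    printf 'PasswordAuthentication no\nUsePAM no\n' > "$tmp/sshd_config.after"
    password_auth_disabled "$tmp/sshd_config.before" \
        && echo "before: password logins disabled" || echo "before: password logins still allowed"
    password_auth_disabled "$tmp/sshd_config.after" \
        && echo "after: password logins disabled" || echo "after: password logins still allowed"
    rm -rf "$tmp"
}
demo
```

On a real server, run `sshd -t` after editing `sshd_config` so a typo does not lock you out on the next restart, and keep the existing session open until a second login with the key succeeds. `ssh-copy-id user@host` does steps 2 and 3 (including the permission fixes) in one command on any system that has it.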
