
SSH Public Key Authentication

Posted October 19, 2008 at 10:10pm in Sys Admin

The first thing we need to do is create the key pair. Throughout this post, localmach is the local machine and remotemach is the remote machine.

Before beginning, make sure the following is set on remotemach in /etc/ssh/sshd_config:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys

On the local machine, type the following:

ssh-keygen -t rsa -b 2048

This creates a 2048-bit RSA key pair. It will ask where you would like to store the keys; on Linux the defaults are ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key).

We now need to copy the public key to the remote server, remotemach:

ssh-copy-id user@remotemach

This logs into the remote machine and appends the public key to /home/user/.ssh/authorized_keys. I am going to skip the password part for now so we don’t lock ourselves out. If you do not have ssh-copy-id on your machine, you can cat the “.pub” file and append its contents to ~/.ssh/authorized_keys on remotemach.

Next, run the following commands on localmach:

exec ssh-agent /bin/bash
ssh-add

If you changed the file name from id_rsa, you will need to tell ssh-add which identity to add. With ssh-agent running and the identity added, you should now be able to log in without a password:

ssh user@remotemach

If you were able to log in without a password, you can proceed to editing /etc/ssh/sshd_config. If you were not, repeat the procedure and see if that fixes it. I did have trouble once or twice and repeating it fixed whatever was wrong.

Open /etc/ssh/sshd_config, find the PasswordAuthentication directive, and make sure it is uncommented and set to no:

PasswordAuthentication no

Now reload the running sshd so it picks up the change:

sudo /etc/init.d/sshd reload

What does all this do?

1. Removes the ability to log in to the server with a password; you can only log in using a public key.

2. Limits the machines you can log in from: remotemach must have the key for localmach in its authorized_keys file before authentication can succeed.

If you chose to enter a password when creating your key and you did not set up ssh-agent and ssh-add, you will be prompted for that password to decrypt the key. Do not confuse this with the standard password-based login you are probably used to.
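As an added example (not part of the original post), here is a small audit script for the two files the post edits: it checks that sshd_config ends up with PubkeyAuthentication on and PasswordAuthentication off, and that the authorized_keys file is not group/world writable (sshd silently ignores such a file under its default StrictModes) and holds parseable key lines. The sample sshd_config and authorized_keys files it builds are constructed, and the key strings are placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the original post: audit the two files the post
# edits. Every path is a parameter; a constructed sample is built at the end.
# Print the value of DIRECTIVE in FILE. sshd honours the first uncommented
# occurrence of a keyword, so the first match wins; print nothing if absent.
effective_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Exit 0 when key authentication is on and password logins are off. Both
# directives default to "yes" in sshd when they are not set at all.
check_sshd_config() {
    pubkey=$(effective_value "$1" PubkeyAuthentication)
    passwd=$(effective_value "$1" PasswordAuthentication)
    [ "${pubkey:-yes}" = yes ] && [ "${passwd:-yes}" = no ]
}

# Exit 0 when FILE is neither group- nor world-writable (sshd ignores such a
# file under the default StrictModes yes) and every non-comment line holds a
# key of a known type, optionally preceded by options; prints the key count.
check_authorized_keys() {
    case $(ls -ld "$1" | cut -c6,9) in
        --) ;;
        *)  echo "refusing $1: group/world writable" >&2; return 1 ;;
    esac
    awk '
        /^[[:space:]]*(#|$)/ { next }
        { ok = 0
          for (i = 1; i < NF; i++)
              if ($i ~ /^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/ &&
                  $(i+1) ~ /^[A-Za-z0-9+\/=]+$/) ok = 1
          if (!ok) { print "unparsable key on line " NR > "/dev/stderr"; bad = 1; exit }
          n++ }
        END { if (bad) exit 1; print n + 0 }' "$1"
}

# Constructed sample (placeholder keys, not real credentials): one hardened
# sshd_config, one that still allows passwords, and an authorized_keys file.
make_sample() {
    d=$(mktemp -d)
    printf 'RSAAuthentication yes\nPubkeyAuthentication yes\n# PasswordAuthentication yes\nPasswordAuthentication no\n' > "$d/sshd_config.good"
    printf 'PubkeyAuthentication yes\n#PasswordAuthentication no\n' > "$d/sshd_config.bad"
    printf '# constructed keys\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKEfakeFAKEfakeFAKEfakeFAKE user@localmach\nfrom="localmach" ssh-rsa AAAAB3NzaC1yc2EFAKEfakeFAKE== user@localmach\n' > "$d/authorized_keys"
    chmod 600 "$d/authorized_keys"
    echo "$d"
}
d=$(make_sample)
check_sshd_config "$d/sshd_config.good" && echo "good config: key-only login"
check_sshd_config "$d/sshd_config.bad"  || echo "bad config: passwords still accepted"
echo "$(check_authorized_keys "$d/authorized_keys") key(s) accepted from $d/authorized_keys"
```

Point the two check functions at the real /etc/ssh/sshd_config and ~/.ssh/authorized_keys on remotemach to confirm the result of the procedure above.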
