Public Key Authentication
From Luke Jackson
Revision as of 14:04, 8 October 2006 (edit) Ljackson (Talk | contribs) ← Previous diff |
Revision as of 14:08, 8 October 2006 (edit) Ljackson (Talk | contribs) (→Configure Client (Linux)) Next diff → |
||
Line 144: | Line 144: | ||
chown root:root identity | chown root:root identity | ||
chmod 644 identity | chmod 644 identity | ||
+ | </pre> | ||
+ | |||
+ | Find the command '''ssh-agent''': | ||
+ | |||
+ | <pre> | ||
+ | [root@server.ext ~]# ssh-agent | ||
+ | Usage: ssh-agent [options] [command [args ...]] | ||
+ | Options: | ||
+ | -c Generate C-shell commands on stdout. | ||
+ | -s Generate Bourne shell commands on stdout. | ||
+ | -k Kill the current agent. | ||
+ | -d Debug mode. | ||
+ | -a socket Bind agent socket to given name. | ||
+ | -t life Default identity lifetime (seconds). | ||
</pre> | </pre> |
Revision as of 14:08, 8 October 2006
OpenSSH is a FREE version of the SSH connectivity tools that technical users of the Internet rely on. For more information on OpenSSH check out their website OpenSSH
Contents |
Introduction
Users of telnet, rlogin, and ftp may not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions.
Another great feature about OpenSSH is the Public Key Authentication mechanism. With this feature enabled you are able to securely authenticate with servers with out typing in a password.
Requirements
- Linux/Unix OS
- openssh
- openssh-server
- openssh-clients
This tutorial will assume that you already have the above installed and operating correctly.
Generate Key Pair (Linux)
First I will walk you through creating a key pair on a Linux/Unix OS.
Connect to the server of which you would like to enable Public Key Authentication on. Insure you are in the home directory of the account you use to logon to the server. To confirm this your prompt should look something like this [root@server.ext ~]#.
Locate the command ssh-keygen:
Usage: ssh-keygen [options] Options: -b bits Number of bits in the key to create. -c Change comment in private and public key files. -e Convert OpenSSH to IETF SECSH key file. -f filename Filename of the key file. -g Use generic DNS resource record format. -i Convert IETF SECSH to OpenSSH key file. -l Show fingerprint of key file. -p Change passphrase of private key file. -q Quiet. -y Read private key file and print public key. -t type Specify type of key to create. -B Show bubblebabble digest of key file. -C comment Provide new comment. -N phrase Provide new passphrase. -P phrase Provide old passphrase. -r hostname Print DNS resource record. -G file Generate candidates for DH-GEX moduli -T file Screen candidates for DH-GEX moduli
In this tutorial I will use a key type of RSA you are welcome to explore the different types but for my needs RSA is more than capable.
Create your key pair by executing the following command:
ssh-keygen -f <filename> -t rsa
You will be prompted to enter a passphrase THIS IS IMPORTANT!!! If you forget your passphrase the keypair is lost forever please choose a passphrase you will not forget!
[root@server.ext ~]# ssh-keygen -f <filename> -t rsa Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): *********** Enter same passphrase again: *********** Your identification has been saved in <filename>. Your public key has been saved in <filename>.pub. The key fingerprint is: **:**:**:**:**:**:**:**:**:**:**:**:**:**:**:** root@server.ext
You should now have 2 files in your current directory:
- <filename> - Private Key
- <filename>.pub - Public Key
Generate Key Pair (Windows)
It is also possible to do this on a Windows compatible OS using Putty.
Configure SSHD
Open the file /etc/ssh/sshd_config and browse to the section displayed below:
# Authentication: #LoginGraceTime 2m #PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys
Ensure that the last 3 parameters are set like above and then save your changes.
Configure User
Since root is the most powerful user it will be used in this tutorial. if you wish to enable authentication for another user follow these steps and replace root with the desired username.
Return back to your home directory and check to see if you have a file named authorized_keys in sub-directory called .ssh.
If you don't no problem just create them like so:
mkdir .ssh cd .ssh touch authorized_keys
Now add the public key to the authorized_keys file. This may seem easy but it is the most common place for error. If you miss copy one character it will not authenticate you.
To prevent any errros cat the contents of your public key (<filename>.pub) to the authorized_keys file.
cat ../<filename>.pub > authorized_keys
Should you be in a situation where you have to copy and paste the key from one server to another insure that the key file looks identical to the original. This will save you many hours of troubleshooting as there is no log entry telling you the public key was copied incorrectly.
Configure Client (Linux)
Open a shell and ensure you are in your home directory.
Again if the (.ssh) directory does not exist create it using the command below:
mkdir .ssh
Copy the private key to the client using the commands below:
cd .ssh scp root@server.ext:.ssh/<filename> identity
Ensure the ownership is set to root and the permissions are 644 with the commands below:
chown root:root identity chmod 644 identity
Find the command ssh-agent:
[root@server.ext ~]# ssh-agent Usage: ssh-agent [options] [command [args ...]] Options: -c Generate C-shell commands on stdout. -s Generate Bourne shell commands on stdout. -k Kill the current agent. -d Debug mode. -a socket Bind agent socket to given name. -t life Default identity lifetime (seconds).