User Tools

Site Tools


foss:wikishelf:ssh:authentication

Guide to SSH Authentication

Introduction

Using key-based authentication for SSH adds another layer of security to your SSH services, compare to plain password authentication which could be guessed by brute force attack.

Intended readership

This document is intended to end user who wants better security and understanding of SSH authentication.

Applicability statement

This document applies to POSIX compatible systems like Linux or UNIX running OpenSSH server and client software. This document has been validated with the following operating systems:

  • Linux: Ubuntu 8.04 to Ubuntu 14.04, CentOS 5 and 6 and Red Hat Enterprise Linux Server 5 and 6
  • UNIX: OpenSolaris 2009.06 and Mac OS X Leopard to OS X Mavericks

Other OS versions could apply, but have not been validated. No administrative rights are necessary.

Conventions

All user commands will be written in Courier New font, and will start with a '$' symbol that should not be reproduced when typing the commands. This symbol represents the SHELL prompt character. The commands will be given for a BASH syntax shell.

Concept

The principle of a public/private key pair is one key is public but paired to the private key that should never be send to someone else. One installs the public key to the destination SSH server, and upon connection the public and private key will try to be matched, if they do the connection is allowed.

Guide

Requirements

  • An OpenSSH daemon (server) up and running on the remote server and a user account on it;
  • An OpenSSH software suite (ssh, ssh-keygen, etc.) installed on the local computer.

Instructions

Key generation

To start you need to generate your private and public key, this is done by using the ssh-keygen command.

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ubuntu/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/ubuntu/.ssh/id_rsa.
Your public key has been saved in /home/ubuntu/.ssh/id_rsa.pub.

It is possible that on some UNIX variant, like Solaris or OpenSolaris, you need to specify one mandatory parameter for ssk-keygen: the key type. On most Linux, BSD and Mac OS X, the key type is by default RSA. To specify the key type, the command to enter is: ssh-keygen -t rsa.

Two files have been generated, the private key (~/.ssh/id_rsa) that you should keep secret, it is advised also to backup it ; and the public key (~/.ssh/id_rsa.pub) that you can share with the server to allow your authentication.

Deploying the public key

You can use SSH to deploy the key if password authentication is still allowed. You can use the following command line, though you will have to replace <user> by the user login you are intending to use on the remote host and <hostname> by the name (or IP address) of the remote host.

$ scp ~/.ssh/id_rsa.pub <user>@<hostname>:/home/<user>/
user@hostname's password: 
id_rsa.pub                                        100%  420    10.4KB/s   00:00

For more information on using the scp command, please refer to the scp manual page.

Now you will have to go on the remote host (you can use again SSH is password authentication is enabled) and add the public key to the list of known and authorised keys.

$ mkdir -p .ssh
$ cat id_rsa.pub >> .ssh/authorized_keys

Note: Sometimes and with older version of sshd (the SSH serveur process) the file is named authorised_key, check you sshd man page for the exact name.

Alternative deployment methods

You can also group the 2 commands into one single one (source: SUN Admin Guide):

$ cat ~/.ssh/id_rsa.pub | ssh <user>@<hostname> \
'mkdir -p .ssh; cat >> .ssh/authorized_keys && echo "Key copied"'

Or you can use the ssh-copy-id command (found in the openssh-client package on Ubuntu) which copies your default identity public key (usually named id_rsa.pub) and install it in the file ~/.ssh/authorized_keys (creating it if necessary) (source:Ask Ubuntu #4830):

$ ssh-copy-id <user>@<hostname>

If your identity key is named differently, you can still use ssh-copy-id but use -i identity_file.

Testing the connection

Enhancements

Using Seahorse key manager

Troubleshooting

Extra Commands

This section list some useful commands for better using SSH.

SSH can provide you with strong authenticity, but one needs to verify at the first connection the host fingerprint to make sure it is connecting to the right host. Or when exchanging with a third party your public keys (and doing via an untrusted medium such as the internet), you might want to exchange via a secure medium the fingerprint of your keys.

Print the fingerprint of a public key (SSH host or user key):

ssh-keygen -l -f <path-to-the-key>

Print the fingerprint of already accepted host:

ssh-keygen -l -f ~/.ssh/known_hosts -F <hostname>

Sources

foss/wikishelf/ssh/authentication.txt · Last modified: 2015/05/01 23:32 (external edit)