

Configuring Key Based Authentication for SSH on Unix based computers




Ezra S. Frick

SSH (Secure Shell) is a computer program used to remotely log in to computers to execute instructions. This allows the user to remotely do anything that the user could normally do while sitting in front of their own computer. This includes moving and altering files, running programs, and, if the user has the authority, management of other users on the machine. For this reason it is very important to keep the connection to it secure. SSH already does some things to protect itself. Most notably, it is a tunneled connection, meaning that all session data is encrypted before being sent, unlike telnet, which transmitted everything in plain text.


It is, however, possible to make it more secure. One of the easiest ways to do this is to use key based authentication. This uses a locally held private key to verify users, thus making users' credentials much harder to steal and nearly impossible to brute force.


Requirements

A Unix based computer

A server running Linux

you must have log-in credentials on this server

you must have access to root privileges on this server (I will be using sudo throughout this instruction set.)


Demo's setup

Two virtual machines

Server running Debian 8.0.3

Workstation running Ubuntu 14.04


Logging in


1) Open a terminal window and enter the command ssh user@hostname



If this is your first time logging in you will see a warning stating that the authenticity of the host you are connecting to cannot be established. Check the address and type yes to continue.



2) You will then be prompted for a password for the remote machine. Enter yours at the prompt.




Making the key


1) Open a second terminal window and enter the command ssh-keygen.


A key pair will be generated and you will be prompted for a location to save them to. Accept the default by pressing enter.


You will now be prompted for a password to authenticate the key. [Note: This should be a different password than your log-in password.] You will be asked to reenter your password for verification.


The key pair will then be saved in the location specified and some randomart will generate.


Copying the public key to the remote server


1) Copy the public key to the remote server with the command scp .ssh/id_rsa.pub user@hostname:.


You will then be prompted for your password. Enter it at the prompt. This will copy id_rsa.pub into your home folder on the remote server.


2) Switch back to the first terminal window. You will have landed in your home directory on the remote machine. Here, make a sub-directory called .ssh using the command mkdir .ssh



3) It will be necessary to change the default permissions given to this directory so that only you have access to it. Enter the command chmod 0700 .ssh


4) Now move id_rsa.pub into .ssh using mv id_rsa.pub .ssh/authorized_keys. This will also rename the file to authorized_keys.



5) It is now necessary to change the file permissions on the authorized_keys file so that only you can read and write it. Enter the command chmod 0600 .ssh/authorized_keys


Testing the keys


1) Log off of the server and reenter ssh user@hostname. This time you will be asked for the password for your private key. Enter it at the prompt.


[Note: Not all systems will open a second window. Many will prompt for the password on the command line.]


If you are not logged on then review the previous steps and ensure that they have been done correctly.


Disabling Log-in via password (optional)


[WARNING: Do Not Attempt This Step Until You Have Verified That the Keys Are Working Properly. Failure to do so May Result in You Being Locked Out of Your Server.]



1) On the remote machine, open the file /etc/ssh/sshd_config with a text editor. This file is read only so you will need root permissions to edit it. [WARNING: This file sets the configuration for the ssh server on the remote machine. Improper editing of this file could cause you to be locked out of your server.]



2) At about line 52 delete the pound sign in front of PasswordAuthentication and change the yes to a no.



3) Save your changes and exit.


4) It is now necessary to restart the ssh server to apply the new rules for authentication. Enter the command sudo service ssh restart. [Note: Some distributions will require sshd in the previous command.]


5) Congratulations, you have now configured key based authentication for ssh.
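The key installation steps (mkdir, chmod 0700, authorized_keys, chmod 0600) and the PasswordAuthentication change above, collected into a small POSIX shell script. This is an added example, not part of the original guide; it appends the key instead of moving id_rsa.pub over authorized_keys (which would discard any keys already there), and the file and directory paths are parameters so it can be exercised against a temporary directory and a constructed sshd_config rather than the live /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: install a public key and enforce the permissions sshd expects,
# then flip PasswordAuthentication to "no" in an sshd_config file.
# Assumes POSIX sh plus the usual coreutils (mkdir, chmod, grep, sed, ls, cut).
set -eu

# install_authorized_key PUBKEY_FILE HOME_DIR
# Creates HOME_DIR/.ssh (0700) and HOME_DIR/.ssh/authorized_keys (0600),
# appending the key only if that exact line is not already present.
install_authorized_key() {
    pubkey_file=$1
    ssh_dir="$2/.ssh"
    auth_keys="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    chmod 0700 "$ssh_dir"          # only the owner may enter the directory
    touch "$auth_keys"
    chmod 0600 "$auth_keys"        # sshd refuses group/world-writable files
    if ! grep -qxF "$(cat "$pubkey_file")" "$auth_keys"; then
        cat "$pubkey_file" >> "$auth_keys"
    fi
}

# count_keys HOME_DIR: number of key lines in authorized_keys
count_keys() {
    grep -c '^ssh-' "$1/.ssh/authorized_keys"
}

# perm_string PATH: the ten-character mode column from ls -ld, e.g. drwx------
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# disable_password_auth SSHD_CONFIG
# Replaces any existing (possibly commented-out) PasswordAuthentication line,
# otherwise appends one. Written via a temp file so it works with non-GNU sed.
disable_password_auth() {
    cfg=$1
    if grep -qE '^[#[:space:]]*PasswordAuthentication' "$cfg"; then
        sed -E 's/^[#[:space:]]*PasswordAuthentication.*/PasswordAuthentication no/' \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf 'PasswordAuthentication no\n' >> "$cfg"
    fi
}

# password_auth_setting SSHD_CONFIG: prints the last active yes/no value
password_auth_setting() {
    grep -E '^PasswordAuthentication[[:space:]]' "$1" | awk '{print $2}' | tail -n 1
}
```

Running install_authorized_key twice with the same key leaves a single entry, which is the property the guide's mv step does not give you when more than one workstation key is involved.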

SSH is a powerful tool for anyone managing a Unix based server. It allows for easy remote management and gives you the ability to easily manage multiple servers from a single machine. However, with great power comes the need for great security. Key based authentication is just one of many tools that can ensure that this powerful tool doesn't fall into the wrong hands. Keep your servers yours and keep them doing great things.

Copyright 2024 efrick, webmaster. License