Configuring Key Based Authentication for SSH on Unix based computers
Ezra S. Frick
SSH (Secure Shell) is a computer program used to remotely log in to computers to execute instructions. This allows the user to remotely do anything that they could normally do while sitting in front of their own computer. This includes moving and altering files, running programs, and, if the user has the authority, managing other users on the machine. For this reason it is very important to keep the connection secure. SSH already does some things to protect itself. Most notably, it is a tunneled connection, meaning that the session data is encrypted before being sent, unlike telnet, which transmitted everything in plain text.
It is, however, possible to make it more secure. One of the easiest ways to do this is to use key based authentication. This will use locally authenticated keys to verify users, thus making users' credentials much harder to steal and nearly impossible to brute force.
Requirements
A Unix based computer
A server running Linux
You must have log-in credentials on this server
You must have access to root privileges on this server (I will be using sudo throughout this instruction set.)
Demo's setup
Two virtual machines
Server running Debian 8.0.3
Workstation running Ubuntu 14.04
Logging in
1) Open a terminal window and enter the command ssh user@hostname
If this is your first time logging in you will see a warning stating that the authenticity of the host you
are connecting to cannot be established. Check the address and type yes to continue.
2) You will then be prompted for a password for the remote machine. Enter yours at the prompt.
Making the key
1) Open a second terminal window and enter the command ssh-keygen.
A key pair will be generated and you will be prompted for a location to save them to. Accept the
default by pressing enter.
You will now be prompted for a password to authenticate the key. [Note: This should be a different
password than your log-in password.] You will be asked to reenter your password for verification.
The key pair will then be saved in the location specified and some randomart will generate.
Copying the public key to the remote server
1) Copy the public key to the remote server with the command scp .ssh/id_rsa.pub user@hostname:.
You will then be prompted for your password. Enter it at the prompt. This will copy id_rsa.pub into
your home folder on the remote server.
2) Switch back to the first terminal window. You will have landed in your home directory on the remote machine. Here, make a sub-directory called .ssh using the command mkdir .ssh
3) It will be necessary to change the default permissions given to this directory so that only you have
access to it. Enter the command chmod 0700 .ssh
4) Now move id_rsa.pub into .ssh using mv id_rsa.pub .ssh/authorized_keys. This will also rename the
file to authorized_keys.
5) It is now necessary to change the file permissions on the authorized_keys file so that only you can read and write it. Enter the command
chmod 0600 .ssh/authorized_keys
Testing the keys
1) Log off of the server and reenter ssh user@hostname. This time you will be asked for the password
for your private key. Enter it at the prompt.
[Note: Not all systems will open a second window. Many will prompt for the password on the command line.]
If you are not logged on then review the previous steps and ensure that they have been done
correctly.
Disabling Log-in via password (optional)
[WARNING: Do Not Attempt This Step Until You Have Verified That the Keys Are Working Properly. Failure to Do So May Result in You Being Locked Out of Your Server.]
1) On the remote machine, open the file /etc/ssh/sshd_config with a text editor. This file is read only so
you will need root permissions to edit it. [WARNING: This file sets the configuration for the ssh
server on the remote machine. Improper editing of this file could cause you to be locked out of
your server.]
2) At about line 52 delete the pound sign in front of PasswordAuthentication and change the yes to a
no.
3) Save your changes and exit.
4) It is now necessary to restart the ssh server to apply the new rules for authentication. Enter the
command sudo service ssh restart. [Note: Some distributions will require sshd in the previous
command.]
5) Congratulations, you have now configured key based authentication for ssh.
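The permission steps and the PasswordAuthentication change above can be checked with a short script before you log off. This is an added example, not part of the original instructions: the function names are hypothetical, and the config check assumes a plain sshd_config with "Keyword value" lines and no Match blocks or Include files.

```shell
#!/bin/sh
# Added example: audit the results of the steps in this guide.

# perm_of FILE: print the octal mode (GNU stat first, BSD stat as fallback).
perm_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# check_key_perms HOME_DIR: succeed only if HOME_DIR/.ssh is 0700 and
# HOME_DIR/.ssh/authorized_keys is 0600, the modes set in the steps above.
check_key_perms() {
    dir="$1/.ssh"
    file="$dir/authorized_keys"
    [ -d "$dir" ]  || { echo "missing $dir"; return 1; }
    [ -f "$file" ] || { echo "missing $file"; return 1; }
    rc=0
    [ "$(perm_of "$dir")" = "700" ]  || { echo "$dir should be 0700"; rc=1; }
    [ "$(perm_of "$file")" = "600" ] || { echo "$file should be 0600"; rc=1; }
    return $rc
}

# password_auth_setting CONFIG: print the value sshd would use for
# PasswordAuthentication. Lines still commented out with '#' are ignored,
# the first uncommented occurrence wins, and the default is "yes".
password_auth_setting() {
    awk 'tolower($1) == "passwordauthentication" {
             print tolower($2); found = 1; exit
         }
         END { if (!found) print "yes" }' "$1"
}

# Run the audit only when asked, e.g.: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    check_key_perms "$HOME" && echo "key permissions OK"
    echo "PasswordAuthentication: $(password_auth_setting /etc/ssh/sshd_config)"
fi
```

If the second line of output still says yes after your edit, the pound sign was probably left in place. Running sudo sshd -t before restarting the service will also catch syntax errors in the file.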
SSH is a powerful tool for anyone managing a Unix based server. It allows for easy remote management and gives you the ability to easily manage multiple servers from a single machine. However, with great power comes the need for great security. Key based authentication is just one of many tools that can ensure that this powerful tool doesn't fall into the wrong hands. Keep your servers yours and keep them doing great things.
Copyright 2024 efrick, webmaster.