Public Key Authentication with SSH

From SUSE Wiki


Type: Howto, App-Specific (SSH)

Tested Versions: 9.2, 9.3 (client side) and 10.0 (server side)

Written By: E@zyVG

Further Modifications By: Kamatsu pgomez

This article has not been tested to work on the latest full release version (i.e. 9 or 10, not 10.0 or 10.1) of SUSE Linux.
You can help SUSE Wiki by testing this and updating the article where possible.


This article assumes a high level of Linux knowledge. Do not touch if you don't know what you're doing.


Ssh (Secure Shell) is a program to log into another computer over a network, to execute commands on a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. It is intended as a replacement for rlogin, rsh, and rcp.

Additionally, ssh provides secure X connections and secure forwarding of arbitrary TCP connections. Ssh currently runs on UNIX or related systems, plus under OS/2. Ports have been successful to all "mainstream" UNIX systems.

SSH is included on the CD/DVD that you used to install your SuSE.



Requirements

First, before starting, the following assumptions are made:

  • You have enabled sshd on the remote server.
  • You have opened the appropriate port for sshd on the remote server.
  • You have configured tcp wrappers and/or other security mechanisms on the remote server.
  • You are careful enough to know that you should not set up public key authentication for the root user.
  • You are capable of choosing between RSA or DSA keys. (In this example I have chosen RSA.)
  • Note: This is written for SuSE 9.2; other versions should be similar or identical.


Preparing the client

1. If it does not exist, create the ~/.ssh directory for your user.


2. Generate the public / private key pair with the command

$ ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa


Note: When prompted for a passphrase, just hit enter, and then enter again (this leaves the key without a passphrase). See the man pages for ssh-keygen for various options, if you'd like to try something different. This will generate a private key file (id_rsa) and a public key file (id_rsa.pub).

Remember: if you choose not to use a passphrase for your private key, anyone who gets access to it automatically gets access to any server you have access to. They will not need a password, they will just need to use that key (leave your computer for 2 minutes, lose your laptop, someone gets access another way, etc.). Easy. If you need to have no passphrase (for cron etc.), make sure the user is very limited, consider using a jail, or use ssh-agent.


3. As root, edit the /etc/ssh/ssh_config file in the following ways:

  • Remove the comment (#) from the line
IdentityFile ~/.ssh/id_rsa
  • Remove the comment (#) from the line
Protocol 2


(and while you are at it, if there is a 1 there, remove it; there should only be a 2 unless you have some strange reason to use protocol 1)


Preparing the server

  1. Log in to the remote server using the normal ssh password authentication.
  2. Make sure the ~/.ssh directory exists.
  3. Make sure permissions on the ~/.ssh directory are 700.
  4. Now from the client machine copy the .pub key you generated to ~/.ssh on the server. You can do this with something like (from the client machine):
$ scp ~/.ssh/id_rsa.pub user_name_here@server_here:~/.ssh


That will prompt you for a password to complete.


5. Now ssh to the server again, and run the following command:

$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys


6. Next, as root, edit the /etc/ssh/sshd_config file in the following ways:

  • If the line
Protocol 2

has a 1 as well, remove it unless you have some strange reason to use protocol 1. Also remove comment (#) if it is there.

  • Edit the line
PubkeyAuthentication yes

(i.e. if it says no, change it to yes) Also remove comment (#) if it is there.

  • If you want to disable password-login, make sure the file includes a line like
PasswordAuthentication no
  • If you want to disable password login for root only, use the following (this is unsafe; a plain "no" would be better, see the Remember note above, but then you have a passphrase to remember):
PermitRootLogin without-password
  • Make sure the line
AuthorizedKeysFile      .ssh/authorized_keys

is set up correctly (i.e. if it is pointing to a different keys file, then update to what is shown here). Also remove comment (#) if it is there.

  • Check if you need to disable PAM authentication! Comments in sshd_config state: "Depending on your PAM configuration, this may bypass the setting of PasswordAuthentication, PermitEmptyPasswords, and PermitRootLogin without-password"
ChallengeResponseAuthentication no
UsePAM no

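Step 6 is easy to get subtly wrong (a commented-out line, a leftover "1" in Protocol, PAM still enabled), so here is an added example, not part of the original wiki page, that audits an sshd_config for exactly the settings listed above and reports every deviation. The two sample configs it writes are constructed for the demonstration and are not taken from any real server; the function and file names are my own. Only the "Keyword value" form of sshd_config lines is parsed; the "Keyword=value" form sshd also accepts is not handled.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit an sshd_config against the
# settings changed in step 6. Only the "Keyword value" line form is parsed.

# Print the effective value of KEYWORD in FILE. sshd uses the first
# uncommented occurrence of a keyword, so the first match wins; prints
# nothing if the keyword is unset.
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print one finding per line for FILE; prints nothing when the file
# matches the hardened settings from the text.
sshd_audit() {
    cfg=$1

    v=$(sshd_value "$cfg" Protocol)
    [ "$v" = 2 ] || echo "Protocol: have '${v:-unset}', want exactly 2"

    v=$(sshd_value "$cfg" PubkeyAuthentication)
    [ "$v" = yes ] || echo "PubkeyAuthentication: have '${v:-unset}', want an explicit yes"

    v=$(sshd_value "$cfg" PasswordAuthentication)
    [ "$v" = no ] || echo "PasswordAuthentication: have '${v:-unset}', want no"

    v=$(sshd_value "$cfg" PermitRootLogin)
    [ "$v" = no ] || echo "PermitRootLogin: have '${v:-unset}', want no (without-password still exposes root to key theft)"

    v=$(sshd_value "$cfg" AuthorizedKeysFile)
    case "$v" in
        ''|.ssh/authorized_keys) ;;   # unset means the same default path
        *) echo "AuthorizedKeysFile: have '$v', want .ssh/authorized_keys" ;;
    esac

    v=$(sshd_value "$cfg" ChallengeResponseAuthentication)
    [ "$v" = no ] || echo "ChallengeResponseAuthentication: have '${v:-unset}', want no"

    v=$(sshd_value "$cfg" UsePAM)
    [ "$v" = no ] || echo "UsePAM: have '${v:-unset}', want no (PAM can bypass PasswordAuthentication)"
}

# Number of findings for FILE (0 means the file passed).
sshd_finding_count() {
    sshd_audit "$1" | awk 'END { print NR }'
}

# Constructed sample configs for the demonstration; not real servers' files.
write_weak_config() {
    cat > "$1" <<'EOF'
# constructed: looks like an untouched default
Protocol 2,1
#PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin yes
#AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication yes
UsePAM yes
EOF
}

write_hardened_config() {
    cat > "$1" <<'EOF'
# constructed: after applying step 6
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
AuthorizedKeysFile      .ssh/authorized_keys
ChallengeResponseAuthentication no
UsePAM no
EOF
}

# Demo run on the constructed files; to audit a real server, call
# "sshd_audit /etc/ssh/sshd_config" instead.
demo_dir=$(mktemp -d)
write_weak_config "$demo_dir/weak"
write_hardened_config "$demo_dir/hardened"
echo "weak config findings:"
sshd_audit "$demo_dir/weak"
echo "hardened config findings: $(sshd_finding_count "$demo_dir/hardened")"
rm -rf "$demo_dir"
```

A clean run prints nothing for the hardened file and a finding per line for the weak one; wire `sshd_finding_count` into a post-change check so a restart of sshd only happens when it returns 0.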
7. As root, restart sshd:

# rcsshd restart


That's it. Now try logging in from your client machine - you should be logged in automatically without being prompted for a password.
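Steps 2 to 5 above are done by hand with scp and `cat >>`; repeating them appends the same key again, and the wrong mode on ~/.ssh or authorized_keys makes sshd silently ignore the file. As an added example that is not part of the original page, the script below installs a public key into a target .ssh directory the way those steps do, but idempotently (it compares the key type and blob, fields 1 and 2, so a changed comment does not create a duplicate) and with the modes sshd expects (700 on .ssh, 600 on authorized_keys). The key strings are constructed for the demonstration and are not real keys; the function names are my own. On a real server you would run it against `$HOME/.ssh` after copying the .pub file over with scp.

```shell
#!/bin/sh
# Added example (not from the wiki page): install a public key into
# authorized_keys idempotently and with the permissions sshd requires.

# install_authorized_key PUBKEY_FILE SSH_DIR
install_authorized_key() {
    pub=$1
    dir=$2
    auth=$dir/authorized_keys

    # create .ssh and authorized_keys under a restrictive umask, then pin the modes
    (umask 077; mkdir -p "$dir"; : >> "$auth")
    chmod 700 "$dir"
    chmod 600 "$auth"

    # the first non-comment line of a .pub file is "type base64blob [comment]"
    blob=$(awk '!/^#/ && NF >= 2 { print $1 " " $2; exit }' "$pub")
    if [ -z "$blob" ]; then
        echo "no key found in $pub" >&2
        return 1
    fi

    # already installed? match on type+blob only, ignoring the comment field
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$auth"; then
        return 0
    fi
    awk '!/^#/ && NF >= 2 { print; exit }' "$pub" >> "$auth"
}

# count_authorized_keys AUTH_FILE -> number of key lines (comments and blanks skipped)
count_authorized_keys() {
    awk '!/^[[:space:]]*#/ && NF > 0 { n++ } END { print n + 0 }' "$1"
}

# check_ssh_dir_perms SSH_DIR -> 0 if .ssh is 0700 and authorized_keys is 0600
check_ssh_dir_perms() {
    [ -n "$(find "$1" -prune -perm 0700)" ] &&
    [ -n "$(find "$1/authorized_keys" -prune -perm 0600)" ]
}

# demo on constructed keys in a temp dir (no real keys, ssh-keygen not needed)
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedkeyone== alice@laptop\n' > "$demo/alice.pub"
install_authorized_key "$demo/alice.pub" "$demo/.ssh"
install_authorized_key "$demo/alice.pub" "$demo/.ssh"   # second run is a no-op
echo "keys installed: $(count_authorized_keys "$demo/.ssh/authorized_keys")"
if check_ssh_dir_perms "$demo/.ssh"; then echo "permissions ok"; else echo "permissions wrong"; fi
rm -rf "$demo"
```

`check_ssh_dir_perms` is the quick thing to run when key login unexpectedly falls back to a password prompt: sshd refuses an authorized_keys file that is group- or world-writable (or whose directory is), and this is the most common cause.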

[Thanks to "anomie"]

E@zyVG

Additional Security Measures

To allow access only from specific IPs or networks, modify the files /etc/hosts.allow and /etc/hosts.deny. The SuSE sshd comes compiled with support for these files (9.3 at least).

hosts.deny:

# Deny everyone except those in hosts.allow
sshd : ALL

hosts.allow:

# Allow from my computer only [substitute your external/firewall address]
sshd : 192.168.3.33
# Allow from a network range
sshd : 192.168.4.0/255.255.255.0