Shared keys add an additional layer of security to SSH, and if you choose not to protect the private key with a passphrase you can automate logging in over SSH. They also let you completely negate brute-force password attacks if you disable password authentication.
This tutorial assumes a basic knowledge of the Linux Command Line. The tutorial is written for Centos 5.X but is applicable to other distributions, although file locations may be slightly different. The tutorial is targeted at Mac and Linux users.
What are shared keys?
Shared keys consist of a public key and a private key and allow a remote machine to authenticate a machine trying to connect to it. The private key resides on your machine and is used to identify you against the public key, which resides on the machine you are trying to log in to. You might think of it as a handshake: the remote machine has a description of what to expect from the handshake, unique to the client machine, so if the handshake doesn't match then authentication fails.
Why use shared keys?
Shared keys have two main benefits. Firstly they allow you to turn off password authentication. Malicious bots regularly crawl the web trying to log in to servers using SSH. They have large dictionaries of passwords and try to get into your server using brute-force attacks. You can limit this by having a strong password and changing the port that SSH listens on. You can also completely turn off password authentication if you use shared keys, which means that no one can access your server without the key.
The second benefit is that if you use scripts to back up your server to another one you do not need passwords to run the scripts. The scripts can just use the shared keys to authenticate.
How to do it?
On my Mac I'm logged in as the user myuser. On the remote machine I also log in as the user myuser. On my Mac I open Terminal (you'll find this in Applications > Utilities). First I need to generate the keys on my machine. I run this command:
$ ssh-keygen -t rsa
You will be prompted for a passphrase. If you don't want one just hit return. This means however that anyone who gets control of your machine will be able to log in to your server. This generates a private key (id_rsa) and a public key (id_rsa.pub) in a hidden folder:
/Users/myuser/.ssh
It is possible that you won't be able to see hidden files on your Mac by default. If this is the case you can enable this across your system by running these commands:
$ defaults write com.apple.finder AppleShowAllFiles TRUE
$ killall Finder
Now log in to the remote machine as your user using your normal password. In your home directory (/home/myuser in this example) create a new folder and then a file to hold your authorized keys:
$ mkdir .ssh
$ cd .ssh
$ touch authorized_keys
Now we copy the public key to the server using the scp command. This transfers the file over SSH, so it is encrypted in transit and no one can read it on the way. You will be asked for your regular password:
$ scp ~/.ssh/id_rsa.pub myuser@remote_server_host_address_or_ip:~/
Now SSH into your remote server in the standard way and in your home directory (/home/myuser in this example) you will see the file id_rsa.pub. We want to import this into our list of authorized keys, so on the remote machine run this command:
$ cat id_rsa.pub >> ~/.ssh/authorized_keys
This appends the contents of the key to our authorized keys list. Once you are done we want to clean things up and set permissions on the files to ensure that no one else can use our key. On the remote machine:
$ rm id_rsa.pub
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys
On the local machine: file permissions on a user's /home/user/.ssh directory must be 700, and /home/user/.ssh/authorized_keys must be 600. It is also essential that all files in each .ssh directory are owned by the user in whose home directory they reside. To change ownership recursively, you can run:
$ chown -R username:username /home/username/.ssh
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/id_rsa
If you have multiple users and need to do this for each of them, you can use this loop (run as root, since it changes ownership):
for SSHUSER in user1 user2 user3 user4 user5; do
# Create the .ssh directory if it doesn't already exist
mkdir -p "/home/$SSHUSER/.ssh"
# Add the authorized_keys file if it doesn't already exist
touch "/home/$SSHUSER/.ssh/authorized_keys"
# Set its permissions
chmod 600 "/home/$SSHUSER/.ssh/authorized_keys"
# Set directory permissions
chmod 700 "/home/$SSHUSER/.ssh"
# Set ownership for everything
chown -R "$SSHUSER:$SSHUSER" "/home/$SSHUSER/.ssh"
done
You should now be set up to access your machine with your shared key. Log in as normal and if all goes to plan you will be granted access with your key. You can debug the login by adding the verbose flag to your SSH command:
$ ssh -v myuser@remote_server_host_address_or_ip
Once you are sure everything is OK you can disable password logins for additional security. On the remote machine you will need root access; run the following commands:
$ vi /etc/ssh/sshd_config
Find the line:
PasswordAuthentication yes
Change this to no, then press Escape and type :wq to save the file. Finally restart the sshd daemon:
$ /etc/init.d/sshd restart
You will now only be able to login to your server using a shared key.
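As an added example (not part of the original tutorial), here is a small POSIX shell script that checks what the steps above set up: that a user's .ssh directory and key files have the permissions and ownership the tutorial requires, and that the effective PasswordAuthentication value in sshd_config is no. It assumes GNU coreutils stat (Linux), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumes GNU coreutils stat
# (Linux); the function names are this example's own.

# audit_ssh_dir DIR UID: returns 0 if DIR is mode 700 and owned by UID, and
# every regular file in it is owned by UID with private keys, authorized_keys
# and any other non-.pub file at mode 600. Violations are printed, return 1.
audit_ssh_dir() {
    dir=$1; owner=$2; rc=0
    set -- $(stat -c '%a %u' "$dir")          # $1 = octal mode, $2 = owner uid
    if [ "$1" != 700 ] || [ "$2" != "$owner" ]; then
        echo "$dir: expected mode 700 owned by uid $owner, found $1 uid $2"; rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue               # empty directory or a subdirectory
        set -- $(stat -c '%a %u' "$f")
        case "$f" in
            *.pub) want=$1 ;;                 # public key: only ownership matters
            *)     want=600 ;;
        esac
        if [ "$1" != "$want" ] || [ "$2" != "$owner" ]; then
            echo "$f: expected mode $want owned by uid $owner, found $1 uid $2"; rc=1
        fi
    done
    return $rc
}

# password_auth_disabled FILE: returns 0 if sshd reading FILE would refuse
# password logins. sshd uses the FIRST uncommented PasswordAuthentication
# directive and defaults to yes when there is none. Match blocks are not
# evaluated here, so an override inside one must be checked by hand.
password_auth_disabled() {
    val=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    [ "${val:-yes}" = "no" ]
}

# Usage: sh ssh_audit.sh /home/myuser/.ssh "$(id -u myuser)" [/etc/ssh/sshd_config]
if [ $# -ge 2 ]; then
    audit_ssh_dir "$1" "$2" && echo "$1: permissions and ownership ok"
    if [ $# -ge 3 ]; then
        if password_auth_disabled "$3"; then echo "$3: PasswordAuthentication no"
        else echo "$3: password logins are still enabled"; fi
    fi
fi
```

Run it on the remote machine as root after the chmod and chown steps; a clean run prints nothing but the ok lines, and any finding names the exact file to fix.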