Secure your SSH server with Public/Private key authentification

Posted on June 1, 2012 by Parveen Kaur
  • Open SSH is the most widely used SSH server on Linux. Using SSH, one can connect to a remote host and gain a shell access on it in a secure manner .
  • Instead of logging in to SSH using a traditional password, you can also authenticate yourself without a password using a technique called public key authentication.
  • A neat feature of open SSH is to authenticate a user using a public/private key pair to log into the remote host. By doing so, you won’t be prompted for the remote user’s password.
  • How does public key cryptography work? Two keys are generated on the client computer: the public key and the private key. What makes the two keys special is that a message encrypted with one can only be decrypted with the other.
  • You give your public key to the server, which stores it in a list. Your private key stays hidden. When you attempt to log in, the server encrypts a message with your public key and sends it to you. Only your matching private key can decrypt the message. Your computer proves to the server that it has successfully decrypted the message. The server then logs you in.
  •  Public key authentication for SSH has many security advantages: a password is never transmitted in any form over the network, the key needed to decrypt the server’s message is much harder to guess compared to a password because it is much longer, and the server does not need to store your private key to know you have it.
  • Firstally, install it by running following command

sudo apt-get install openssh-server

  • Now you need to generate the key pair on the client system unless you already have. You can find if you have a key pair by checking for for these two files:

~/.ssh/id_rsa (your private key)

~/.ssh/id_rsa.pub (your public key)

  •  If you don’t have them (you will be warned if you do), generate a new key pair on your local computer (run this as your normal user):

ssh-keygen

  •  You will be asked two questions. Press enter to accept the default location for the keys. Then you will be asked for a passphrase. If you choose to use a passphrase, then you will be required to enter it whenever you use the private key. If you are doing this for extra security, you will want one. If you want convenience, leave it blank.
  • By now, you should have id_rsa and id_rsa.pub in ~/.ssh directory. id_rsa is the so called private key. id_rsa.pub is the public key, the one you are going to upload on your server in order to be able to gain access to the remote machine using key authetication.
  • Now that we have our public/private key pair ready, we need to upload it to the remote machine and enable access with it.

Adding the public key to the authorized key

  • In the first place, we need to upload the key to the remote machine:

scp ~/.ssh/id_rsa.pub remoteuser@remotehost:~/

  • Now, the public key is uploaded, let’s add it to the authorized keys. To do so, we are going to connect to remotehost as remoteuser and add the key at the end of file ~/.ssh/authorized_keys and delete it once added:
  • ssh remoteuser@remotehost
    remoteuser@remotehost’s password:
    remoteuser@remotehost:~$ cat id_rsa.pub >> ~/.ssh/authorized_keys
    remoteuser@remotehost:~$ rm id_rsa.pub
    remoteuser@remotehost:~$ exit
  • Now, we need to configure the remote SSH server to accept authentication by key pair. This is usually enabled by default

ssh root@remotehost
or by connecting to the remote machine with a normal user:
ssh remoteuser@remotehost

  • Now open and edit /etc/ssh/sshd_config and make sure you have the following line:
  • RSAAuthentication yes
    PubkeyAuthentication yes
  • Reload the configuration:

sudo /etc/init.d/ssh reload

  • now you should be able to connect to remoteuser@remotehost without supplying a password (but the passphrase of you private key if you supplied any) by simply typing the following:

ssh remoteuser@remotehost

  • if your private key file is not the standard ~/.ssh/id_rsa, you can inform ssh by using the -i switch as follow:

ssh -i /path/to/private/key remoteuser@remotehost

  • Once you are sure that you can log into the remote host using your private key, we can safely disable the username/password authentication.

Disabling Authentication by password

  • In order to disable authentication by password, we need to connect as root on the remote machine. On connected, go and edit /etc/ssh/sshd_config and make sure you have the following setting:

….
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

  • Reload SSH configuration file:

/etc/init.d/ssh reload

  • Now, open a new shell and connect the remote host using your private key:

ssh remoteuser@remotehost

  • Check that you can’t connect without a key anymore:
  • $ cd ~/.ssh
    $ mv id_rsa id_rsa.bck
    $ ssh remoteuser@remotehost
    Permission denied (publickey).
    $ mv id_rsa.bck id_rsa
  • If you get rejected with Permission denied (publickey). it means it is all good and your ssh server is protected against attacks.
  • By authenticating yourself using a public/private key pair and by disabling authentication by password you will considerably reduce the chance an attacker gain access to your remote machine. It is wise to provide a passphrase when creating your key pair, this way, even if somebody get a copy of your private key, you will reduce the risk of having him gaining access to your remote machine.

Visit the link for more details: http://www.debuntu.org/ssh-key-based-authentication

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a comment