Linux key based authentication

Setup key based authentication in openssh on linux

SSH provides terminal access to a remote server (a web server, for example) over an encrypted connection. It does the same job as telnet, except that the whole session, including the login, is encrypted and the server is authenticated, so it is safe to use over untrusted networks. Two things are needed to connect over ssh: an ssh server running on the remote machine and an ssh client on the local one. OpenSSH is the ssh server used on most Linux servers. Check out my previous post on how to install the ssh server on Ubuntu.

By default SSH uses username/password authentication: when connecting to the ssh server the user is asked to enter the account's password.

$ ssh remoteuser@remote_web_server
remoteuser@remote_web_server's password:

However this is not the only way to authenticate to an ssh server. Authentication can also be done using keys. The key exists as a file on the local system, and when connecting to the ssh server the client proves that it holds the key automatically, so no password is asked for.

A key is actually a pair of two related parts: a private key and a public key. The pair is generated on the local machine with a command like ssh-keygen; the public key is derived from the private key, but the private key cannot be recovered from the public one. The private key stays on your machine and must be kept secret, while the public key can be handed out freely. It is the public key that gets stored on the server, in a list of authorized keys for the account you want to log in as.

Whenever we connect, the server sends the client a challenge and the client signs it with the private key. The server looks for a matching public key in the list of authorized keys and verifies the signature with it; if it checks out, authentication is complete. The private key itself never leaves the local machine. Read about public key cryptography if you want to know more about how it works.
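To make the challenge/response concrete, here is an added example (mine, not from the article) that replays the idea with ssh-keygen's signing and verification mode, available in OpenSSH 8.0 and later. The allowed_signers file, the principal john@client, the namespace ssh-demo and the temporary work directory are assumptions for the demo; the signature format differs from what the SSH protocol itself exchanges, but the trust relationship is the same: the verifying side holds only the public key.

```shell
#!/bin/sh
# Added example, not from the original article: the challenge/response idea
# behind SSH public-key login, reproduced with ssh-keygen's signing mode
# (OpenSSH 8.0 or newer). The "client" holds the private key and signs a
# challenge; the "server" holds only the public key, in an allowed_signers
# list that plays the role of authorized_keys, and checks the signature.
# The principal name, the namespace and the work directory are assumptions.

# demo_pubkey_auth WORKDIR
# Returns 0 only if the genuine challenge verifies and a tampered copy of it
# is rejected. Prints one line per check.
demo_pubkey_auth() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir" || return 1

    # 1. client side: a fresh Ed25519 key pair (no passphrase, demo only)
    ssh-keygen -q -t ed25519 -N '' -C 'john@client' -f "$dir/id_ed25519" </dev/null || return 1

    # 2. server side: keep the PUBLIC key only, bound to a principal and a
    #    namespace, as authorized_keys binds keys to an account
    printf 'john@client namespaces="ssh-demo" %s\n' \
        "$(cut -d' ' -f1,2 "$dir/id_ed25519.pub")" > "$dir/allowed_signers"

    # 3. server picks a random challenge; client signs it with the private key
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$dir/challenge"
    ssh-keygen -Y sign -f "$dir/id_ed25519" -n ssh-demo "$dir/challenge" >/dev/null 2>&1 || return 1
    # the detached signature is now in "$dir/challenge.sig"

    # 4. server verifies the signature with nothing but the public key
    if ssh-keygen -Y verify -f "$dir/allowed_signers" -I john@client -n ssh-demo \
            -s "$dir/challenge.sig" < "$dir/challenge" >/dev/null 2>&1; then
        echo "genuine challenge: accepted"
    else
        echo "genuine challenge: rejected"; return 1
    fi

    # 5. a replayed or altered challenge must fail: overwrite its first byte
    printf 'X' | dd of="$dir/challenge" bs=1 count=1 conv=notrunc 2>/dev/null
    if ssh-keygen -Y verify -f "$dir/allowed_signers" -I john@client -n ssh-demo \
            -s "$dir/challenge.sig" < "$dir/challenge" >/dev/null 2>&1; then
        echo "tampered challenge: accepted"; return 1
    else
        echo "tampered challenge: rejected"
    fi
}

work=${TMPDIR:-/tmp}/pkdemo.$$
if command -v ssh-keygen >/dev/null 2>&1; then
    demo_pubkey_auth "$work" && rm -rf "$work"
else
    echo "ssh-keygen not installed; nothing to demonstrate"
fi
```

The point of step 5 is that the signature is bound to the exact challenge: a captured signature is useless for a later login because the server issues a different challenge every time, which is why key login does not suffer from the replay problems a static password has.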

Generate keys

Assuming that you already have OpenSSH installed and set up and that you are able to log in using a password, it is time to set up key based authentication. The first thing to do is to generate our key pair. On Ubuntu we can use the ssh-keygen command (run it as your normal user, not as root, so the key ends up in your own home directory):

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/john/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/john/.ssh/id_rsa.
Your public key has been saved in /home/john/.ssh/id_rsa.pub.
The key fingerprint is:
86:0c:a6:8d:c1:35:91:ab:b2:09:b8:b0:55:2f:58:2c john@localhost
The key's randomart image is:
+--[ RSA 2048]----+
|      +o         |
|     . .         |
|      o.o.       |
|     E*=o .      |
|. o*..o S        |
|= + . ..         |
|oB .             |
|=                |
|                 |
+-----------------+

ssh-keygen can generate several key types: RSA, DSA, ECDSA and Ed25519 (ssh-keygen -t rsa|dsa|ecdsa|ed25519), each with a different algorithm for generating and matching keys; read the Wikipedia articles if you want the details. In this example we use RSA, which every server understands. Two caveats for new keys: DSA keys are limited to 1024 bits and have been disabled by default in OpenSSH since version 7.0, so do not create them; and if you generate an RSA key use at least 3072 bits (the ssh-keygen default since OpenSSH 8.0; pass -b 4096 on older versions). On any reasonably current system Ed25519 (ssh-keygen -t ed25519) is the better choice. Setting a passphrase is strongly recommended: without one, anyone who gets a copy of id_rsa can log in as you.


Note that by default the keys are created in the .ssh directory inside your home directory; you can give a different path at the prompt or with the -f option. The key pair consists of 2 files: id_rsa (the private key, which ssh-keygen creates with mode 600 so that only you can read it) and id_rsa.pub (the public key). Never copy id_rsa anywhere; only the .pub file is given to other machines.

Install the public key on server

Now one part of the pair, the public key, needs to be given to the server so that it can identify us when we prove possession of the private key. This is done by appending the contents of the public key file to the following file on the remote server, in the home directory of the account you will log in as:

~/.ssh/authorized_keys

The file holds one key per line, so several keys (from several machines or people) can be authorized for the same account.

Older guides mention an authorized_keys2 file. OpenSSH still reads it by default for backward compatibility (AuthorizedKeysFile defaults to .ssh/authorized_keys .ssh/authorized_keys2), but it is a leftover from the protocol 2 transition and new setups should use authorized_keys only.

To copy the public key into the file, the easiest way is to use the ssh-copy-id command which will take the public key and copy it to the remote server in the path mentioned above.

$ ssh-copy-id -i ~/.ssh/id_rsa.pub remoteuser@remote_web_server
The authenticity of host 'remote_web_server (69.101.52.13)' can't be established.
RSA key fingerprint is 26:50:b5:51:3d:06:a8:10:52:f8:8a:60:23:a7:31:a8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'remote_web_server' (RSA) to the list of known hosts.
remoteuser@remote_web_server's password:
stdin: is not a tty
Now try logging into the machine, with "ssh 'remoteuser@remote_web_server'", and check in:

  ~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

$

The first time you connect to a server the client shows the server's host key fingerprint and asks whether to trust it, as above. That prompt is your only protection against a man-in-the-middle on the first connection, so compare the fingerprint with one obtained out of band (from the hosting console, or by running ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub on the server) before typing yes.

Now try to log in to the remote server again from your local terminal:

$ ssh remoteuser@remote_web_server

It should log in without asking for the account password. If you set a passphrase on the key, you are asked for the passphrase instead; it unlocks the key locally and is never sent to the server. Note that if you created the keys in a location different from ~/.ssh then you need to specify the path to the private key file using the -i option, e.g. ssh -i /path/to/key remoteuser@remote_web_server.

If you do not have the ssh-copy-id command, copy the public key file manually. First copy id_rsa.pub onto the server using the scp command:

$ scp ~/.ssh/id_rsa.pub remoteuser@remote_web_server:

The file lands in the home directory of remoteuser. Now log in to the server with ssh using your password and append the contents of id_rsa.pub to the .ssh/authorized_keys file. sshd (with the default StrictModes yes) refuses to use the file if it, the .ssh directory or your home directory is writable by anyone else, so set the permissions as shown:

$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh
$ cd ~/.ssh
$ touch authorized_keys
$ chmod 600 authorized_keys
$ cat ../id_rsa.pub >> authorized_keys
$ rm ../id_rsa.pub

That's all. Now the public key is installed on the server. Try logging in from the terminal:

$ ssh remoteuser@remote_web_server
Welcome to Ubuntu 12.10 (GNU/Linux 3.5.0-32-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

0 packages can be updated.
0 updates are security updates.

New release '13.04' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Fri May 31 09:27:59 2013 from localhost
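Both ways of installing the key above, ssh-copy-id and the hand copy, come down to one operation: append a single public key line to authorized_keys with the permissions sshd expects and without duplicating keys that are already there. The following shell script is an added example (not part of the article or of OpenSSH) that does this in one function and also shows the authorized_keys option prefix that ssh-copy-id cannot add for you. The file paths, the option string and the public keys it installs are constructed for the demo and are not real keys.

```shell
#!/bin/sh
# Added example, not from the article or from OpenSSH: install a public key
# into an authorized_keys file the way ssh-copy-id does, with an explicit
# format check, the permissions sshd's StrictModes expects, and no
# duplicate entries. Sample keys and paths below are constructed.

# validate_pubkey_line LINE
# Accepts only "<keytype> <base64> [comment]". Anything else (a private key
# pasted by mistake, a PuTTY .ppk, an empty file) is rejected.
validate_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_authorized_key AUTHORIZED_KEYS PUBKEY_FILE [OPTIONS]
# Appends the key in PUBKEY_FILE to AUTHORIZED_KEYS, creating the directory
# (0700) and file (0600) if needed. OPTIONS is an optional authorized_keys
# option string, e.g. 'no-port-forwarding,from="10.0.0.0/8"', placed in
# front of the key. Returns 0 if the key was added or was already present,
# 1 if PUBKEY_FILE is not a single valid public key line.
install_authorized_key() {
    akfile=$1
    pubfile=$2
    opts=${3:-}

    # a public key file is exactly one line
    [ -f "$pubfile" ] && [ "$(wc -l < "$pubfile")" -le 1 ] || return 1
    keyline=$(head -n 1 "$pubfile")
    validate_pubkey_line "$keyline" || return 1

    akdir=$(dirname "$akfile")
    mkdir -p "$akdir" && chmod 700 "$akdir" || return 1
    [ -f "$akfile" ] || : > "$akfile"
    chmod 600 "$akfile"

    # dedupe on key type + key material only, so a different comment or
    # option string does not produce a second entry for the same key
    keymat=$(printf '%s\n' "$keyline" | awk '{ print $1 " " $2 }')
    grep -Fq -- "$keymat" "$akfile" && return 0

    if [ -n "$opts" ]; then
        printf '%s %s\n' "$opts" "$keyline" >> "$akfile"
    else
        printf '%s\n' "$keyline" >> "$akfile"
    fi
}

# count_keys AUTHORIZED_KEYS: number of entries, ignoring blanks and comments
count_keys() {
    grep -cEv '^[[:space:]]*(#|$)' "$1"
}

# --- demo with constructed (not real) public keys ---
demo=${TMPDIR:-/tmp}/akdemo.$$
mkdir -p "$demo"
ak=$demo/.ssh/authorized_keys
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey0000000000000 john@laptop' > "$demo/laptop.pub"
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleOnlyNotARealKey00000000000000000000== deploy@ci' > "$demo/ci.pub"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'not a public key' > "$demo/oops.pub"

install_authorized_key "$ak" "$demo/laptop.pub"
install_authorized_key "$ak" "$demo/laptop.pub"          # already present: no-op
install_authorized_key "$ak" "$demo/ci.pub" 'no-port-forwarding,no-agent-forwarding,no-pty'
install_authorized_key "$ak" "$demo/oops.pub" || echo "rejected: $demo/oops.pub is not a public key"
echo "entries: $(count_keys "$ak")"                       # 2
cat "$ak"
rm -rf "$demo"
```

The option prefix on the second key is worth adopting for keys used by scripts or CI systems: no-pty, no-port-forwarding and no-agent-forwarding, or a from="..." address restriction, limit what a stolen automation key can do, and sshd enforces them server-side regardless of what the client asks for.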

Disable password based login

Now that key based authentication is set up, you will want to disable password based logins, otherwise the keys add nothing against password guessing. This is done by configuring the ssh server (daemon). The OpenSSH server configuration file is

/etc/ssh/sshd_config

Ubuntu 22.04 and later ship an Include /etc/ssh/sshd_config.d/*.conf directive at the top of this file; because sshd keeps the first value it reads for a keyword, a setting in one of those included files overrides one you add further down, so check that directory as well.


Open the file, look for the PasswordAuthentication setting (uncomment it if needed) and set it to no:

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

Save the file, check it with sudo sshd -t (it prints nothing if the syntax is fine) and restart the OpenSSH server. Keep your current session open while you do this and test a fresh key login from a second terminal: if the key login fails, the open session still lets you fix the configuration. On systemd based releases the restart is sudo systemctl restart ssh; older Ubuntu releases used the Upstart command shown here. Once restarted, the ssh server allows only key based authentication.

$ sudo service ssh restart
[sudo] password for enlightened:
ssh stop/waiting
ssh start/running, process 10890

Two more settings decide whether password prompts are really gone and whether key login works. PasswordAuthentication no only turns off the plain password method; on most distributions PAM can still ask for the password through the keyboard-interactive method, so also set

KbdInteractiveAuthentication no

(the option was called ChallengeResponseAuthentication before OpenSSH 8.7; both names are accepted). For key based login PubkeyAuthentication must be yes, which is the default:

PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

The RSAAuthentication option found in older guides applies only to the obsolete SSH protocol 1 and current OpenSSH ignores it with a deprecation warning, so it is not needed. The commented AuthorizedKeysFile line shows the default location of the keys file, which is why ~/.ssh/authorized_keys worked above.
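An added example (mine, not from the article) that audits an sshd_config file for the settings that decide whether a password can still be used, following sshd's own parsing rules: keywords are case-insensitive, the first value of a keyword wins, ChallengeResponseAuthentication and KbdInteractiveAuthentication are one keyword, and everything after a Match line is conditional. The two sample configs are constructed, the paths are temporary.

```shell
#!/bin/sh
# Added example, not from the article: audit an sshd_config file for the
# settings that decide whether a password can still be used to log in.
# sshd matches keywords case-insensitively, keeps the FIRST value it sees
# for a keyword, treats KbdInteractiveAuthentication and
# ChallengeResponseAuthentication as one keyword, and applies everything
# after a "Match" line conditionally, so a plain grep for
# "PasswordAuthentication no" is not a reliable check. Sample configs and
# paths below are constructed for the demo.

# sshd_get FILE "KEYWORD [ALIAS ...]" [DEFAULT]
# Prints the effective global value of KEYWORD (or any alias): the first
# uncommented occurrence before any Match block, else DEFAULT.
sshd_get() {
    awk -v keys=" $(printf '%s' "$2" | tr 'A-Z' 'a-z') " -v def="${3:-}" '
        { sub(/[[:space:]]*#.*/, "") }              # strip comments
        NF == 0 { next }                            # skip blank lines
        tolower($1) == "match" { exit }             # rest is conditional
        index(keys, " " tolower($1) " ") > 0 { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one line per finding and returns 0 only if logins are key-only.
# Defaults are OpenSSH's compiled-in defaults (PasswordAuthentication yes,
# KbdInteractiveAuthentication yes, PubkeyAuthentication yes).
audit_sshd_config() {
    cfg=$1
    rc=0
    pa=$(sshd_get "$cfg" PasswordAuthentication yes)
    kbd=$(sshd_get "$cfg" "KbdInteractiveAuthentication ChallengeResponseAuthentication" yes)
    pk=$(sshd_get "$cfg" PubkeyAuthentication yes)
    root=$(sshd_get "$cfg" PermitRootLogin prohibit-password)

    [ "$pa" = no ] || { echo "FAIL PasswordAuthentication=$pa (want no)"; rc=1; }
    # with PAM enabled, keyboard-interactive is just the password prompt again
    [ "$kbd" = no ] || { echo "FAIL KbdInteractiveAuthentication=$kbd (want no)"; rc=1; }
    [ "$pk" = yes ] || { echo "FAIL PubkeyAuthentication=$pk (want yes)"; rc=1; }
    [ "$root" != yes ] || echo "WARN PermitRootLogin=yes (prefer prohibit-password or no)"
    [ $rc -eq 0 ] && echo "OK $cfg: key-based logins only"
    return $rc
}

# --- demo: the weak setting beside the corrected one (both constructed) ---
d=${TMPDIR:-/tmp}/sshdaudit.$$
mkdir -p "$d"
cat > "$d/weak" <<'EOF'
# Only the obvious line was changed; PAM still prompts for the password
# over keyboard-interactive, so "ssh user@host" still asks for one.
passwordauthentication no
ChallengeResponseAuthentication yes
UsePAM yes
EOF
cat > "$d/hardened" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
# Conditional re-enable for one account; not part of the global audit.
Match User deploy
    PasswordAuthentication yes
EOF
audit_sshd_config "$d/weak" || true
audit_sshd_config "$d/hardened"
rm -rf "$d"
```

Run it against /etc/ssh/sshd_config and every file under /etc/ssh/sshd_config.d/ before restarting. To see what the running sshd actually ended up with, including Match blocks, use sudo sshd -T, optionally with -C user=...,host=...,addr=... to evaluate a specific connection.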

Login with putty

In the above examples we used the OpenSSH ssh client that is available on Linux. PuTTY is another useful ssh client, available for both Linux and Windows, that supports key based authentication.

However PuTTY cannot use the private key generated by ssh-keygen directly; it uses its own .ppk format. So first the private key (on your local machine) has to be converted with the puttygen command, which converts the key file from OpenSSH format to PuTTY format. On Windows the same conversion is done with the graphical PuTTYgen (Load the OpenSSH key, then Save private key). Keep the passphrase on the converted copy too; it is a second copy of your private key and deserves the same care.

$ puttygen ~/.ssh/id_rsa -o ~/.ssh/putty_id_rsa

The above command converts the private key to PuTTY format so it can be used with PuTTY to connect to the server. Launch PuTTY and go to Connection > SSH > Auth (Connection > SSH > Auth > Credentials in PuTTY 0.77 and later) in the tree on the left and select the key file in the box labelled «Private key for authentication». If the key has a passphrase, PuTTY asks for it at login; alternatively load the key into Pageant, PuTTY's key agent, so that it is asked for only once.

A Tech Enthusiast, Blogger, Linux Fan and a Software Developer. Writes about computer hardware, Linux and open source software and coding in Python, PHP and JavaScript.


How to configure key-based authentication for SSH

Use this advice when you want to avoid manually entering passwords in automated processes by using key-based authentication.


Remote connections to a server via Secure Shell (SSH) can be authenticated in two ways. The traditional and default method is to use password authentication. The second approach is key-based authentication, which is based on a private-public key pair.


Key-based authentication provides two primary benefits:

  • Helps mitigate brute-force password attacks against SSH
  • Prevents administrators from being required to manually type passwords in automated processes such as scripts or Ansible

Passwordless key-based authentication is often the assumed configuration on modern Linux systems.

The key pair

For key-based authentication, a matched pair of cryptographic key files is generated. The pair consists of a private key and a public key that uniquely identify the user. The private key is normally stored with mode 600 and stays on the local machine you log in from. The public key is copied to the remote system where the user intends to log in. It is stored in the ~/.ssh/authorized_keys file of the authenticating user (sshd also reads the legacy ~/.ssh/authorized_keys2 by default, but there is no reason to use it for new setups). For example, if you log into a remote server with the user sadmin, the public key is added to the /home/sadmin/.ssh/authorized_keys file.

Create the key pair

The ssh-keygen command generates the private and public key pair. By default, the command saves these keys to the user’s ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub files. The id_rsa is the private key, and id_rsa.pub is the public key. The OpenSSH suite also contains an ssh-copy-id command, which you can use to distribute the public keys to other systems.

To generate the keys, enter the following command:

[server]$ ssh-keygen

Note: The command is interactive; pressing Enter at every question accepts the default file name and creates a key with no passphrase.

By default, all files are stored in the /home/sadmin/.ssh/ directory. You can enter a new file name when running the ssh-keygen command. The command also offers the option to protect the private key with a passphrase, which you then enter to unlock the key; for keys used by unattended automation, a passphrase-less key is the usual trade-off and the key's permissions and the authorized_keys restrictions on the remote side become the only protection.

Share the public key

To share the public key with other systems the sadmin user will access, use:

[server]$ ssh-copy-id remoteuser@remoteserver

Enter the remote user's password once. The public key is shared with the remote server, and from then on the user can log in without a password. Do not run ssh-copy-id under sudo: it would look for and copy root's public key, not sadmin's. There is also the ssh-agent command, which you can use to hold unlocked private keys in memory for public key authentication. This is useful when a passphrase protects the keys, because the passphrase is entered once per session instead of at every connection.

To add a private key stored in /home/sadmin/sshkeys/id_rsa to ssh-agent, use these commands in the shell you will run ssh from (not under sudo: eval is a shell builtin, and the agent's environment variables must end up in your own shell):

[server]$ eval $(ssh-agent)
[server]$ ssh-add /home/sadmin/sshkeys/id_rsa
