Binary Nature where the analog and digital bits of nature connect

Monday, 29 March 2010

SSH using Public-Key Authentication

Posted on 16:27 by Unknown
Lately, I've been implementing a solution to make SSH connections more secure and manageable (i.e., getting away from password authentication). Public-key authentication has a couple of benefits over the default password authentication:
  • You only have to remember the passphrase of your private key rather than possibly dozens of username/password combinations for remote hosts.
  • A password sent across the network, even protected by the SSH secure channel, can be captured when it arrives on the remote host if that host has been compromised. With public-key authentication the private key never leaves your machine; only the public key is stored on the remote host.

#Generate the Key Pair
ssh-keygen asks for a passphrase, which it uses to encrypt the private key on disk, so a stolen key file is useless without it. It is highly recommended to create a strong passphrase for the private key. A strong passphrase is at least 10 to 15 characters long and not a grammatical sentence. The following command creates a 2048-bit RSA key pair and prompts you for a passphrase:
$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/marc/.ssh/id_rsa):
Created directory '/home/marc/.ssh'.
Enter passphrase (empty for no passphrase): Thi$isy0urP@ssphra$e
Enter the same passphrase again: Thi$isy0urP@ssphra$e
Your identification has been saved in /home/marc/.ssh/id_rsa.
Your public key has been saved in /home/marc/.ssh/id_rsa.pub.
The key fingerprint is:
39:c0:50:dd:a7:0a:8f:bb:6e:6a:e0:83:98:34:88:a5 marc@test.internal

#Identify and Copy the Authorized Keys
Now that you have a public-key file, you can simply place that key in a remote account on any machine running the SSH server (usually named sshd). Once you've set up the account properly, your private key will allow easy access to it.

To allow access to an account, simply create the file ~/.ssh/authorized_keys in that account's home directory. The file contains one public key per line. Here is one example that appends your public key to the remote host account's authorized_keys (creating the ~/.ssh directory first if it does not exist yet):
$ cat ~/.ssh/id_rsa.pub | ssh marc@remotehost 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'

Verify (or set) the permissions, on the remote host account, for the .ssh folder and the authorized_keys file. This matters for more than tidiness: with the default StrictModes yes, sshd silently ignores the authorized_keys file if it, the .ssh directory, or the home directory is writable by other users, and the login falls back to a password prompt.
$ chmod 0700 ~/.ssh
$ chmod 0600 ~/.ssh/authorized_keys

#SSHD Configuration
By default, the account password also allows access to the account. You can disable this feature in the OpenSSH sshd by editing /etc/ssh/sshd_config (or the equivalent on your system) and adding (or modifying) this line:
PasswordAuthentication no

Two caveats: sshd uses the first value it reads for a keyword, so make sure no earlier PasswordAuthentication line in the file overrides yours, and on systems where sshd uses PAM the keyboard-interactive method can still prompt for a password unless ChallengeResponseAuthentication is set to no as well. Confirm from a second session that your key-based login works before you reload sshd with password authentication disabled, or you may lock yourself out of the host.

You also want to verify that the PubkeyAuthentication property in /etc/ssh/sshd_config is enabled (yes is the default, so the line is often present but commented out). Reload sshd afterwards so the changes take effect.
PubkeyAuthentication yes
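The following script, an added example and not part of the original post, checks the server-side state the steps above leave behind: it resolves the effective PasswordAuthentication and PubkeyAuthentication values the way sshd does (first occurrence wins, keywords case-insensitive, comments ignored) and verifies the .ssh and authorized_keys permissions. The helper names and the sample config and key files it creates under a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names and the sample
# files are constructed; the checks mirror the steps the post describes.

# Effective value of an sshd_config keyword: sshd keeps the FIRST value it
# reads for a keyword, keyword matching is case-insensitive, and '#' starts
# a comment. Prints the supplied default when the keyword never appears.
sshd_effective() {   # usage: sshd_effective FILE KEYWORD DEFAULT
    val=$(awk -v k="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(k) { print tolower($2); exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# Returns 0 when the file disables password logins and keeps public keys
# enabled. OpenSSH defaults: PasswordAuthentication yes, PubkeyAuthentication yes.
check_sshd_config() {   # usage: check_sshd_config FILE
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    pk=$(sshd_effective "$1" PubkeyAuthentication yes)
    echo "PasswordAuthentication=$pw PubkeyAuthentication=$pk"
    [ "$pw" = no ] && [ "$pk" = yes ]
}

# Returns 0 when HOMEDIR/.ssh is 0700 and authorized_keys is 0600, as the
# post sets them. sshd (StrictModes yes by default) ignores the key file when
# either is writable by other users, so this also explains a failed key login.
check_key_perms() {   # usage: check_key_perms HOMEDIR
    [ -n "$(find "$1/.ssh" -maxdepth 0 -type d -perm 0700)" ] &&
    [ -n "$(find "$1/.ssh/authorized_keys" -maxdepth 0 -type f -perm 0600)" ]
}

# --- constructed sample data so the script runs stand-alone ---------------
tmp=$(mktemp -d)
mkdir -m 0700 "$tmp/.ssh"
echo 'ssh-rsa AAAAB3NzaC1yc2E...constructed... marc@test.internal' > "$tmp/.ssh/authorized_keys"
chmod 0600 "$tmp/.ssh/authorized_keys"
# The later duplicate is ignored: the first PasswordAuthentication line wins.
cat > "$tmp/good_sshd_config" <<'EOF'
# constructed sshd_config
pubkeyauthentication yes
PasswordAuthentication no
PasswordAuthentication yes
EOF
# Never mentions PasswordAuthentication, so the default (yes) still applies.
echo 'PubkeyAuthentication yes' > "$tmp/default_sshd_config"

check_sshd_config "$tmp/good_sshd_config"    && echo "good config: passwords off, keys on"
check_sshd_config "$tmp/default_sshd_config" || echo "default config: passwords still allowed"
check_key_perms "$tmp"                       && echo "permissions: OK"
```

Point check_sshd_config at the real /etc/ssh/sshd_config and check_key_perms at the account's home directory to audit an actual host.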
Posted in Security, SSH | No comments