Monday, 29 March 2010

SSH using Public-Key Authentication

Posted on 16:27 by Unknown
Lately, I've been implementing a solution to make SSH connections more secure and manageable (i.e., getting away from password authentication). A couple of benefits public-key authentication has over the default password authentication are:
  • You only have to remember the passphrase of your private key rather than possibly dozens of username/password combinations for remote hosts.
  • A password sent across the network, even protected by an SSH secure channel, can be captured when it arrives on the remote host if that host has been compromised.

#Generate the Key Pair
The private key should be encrypted with a passphrase; without one, anybody who obtains the file can use the key. It is highly recommended to create a strong passphrase for the private key. A strong passphrase is at least 10 - 15 characters long and not a grammatical sentence. The following command creates a 2048-bit RSA key pair and prompts you for a passphrase (the passphrase is shown in the transcript below for illustration only; ssh-keygen does not echo it):
$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/marc/.ssh/id_rsa):
Created directory '/home/marc/.ssh'.
Enter passphrase (empty for no passphrase): Thi$isy0urP@ssphra$e
Enter the same passphrase again: Thi$isy0urP@ssphra$e
Your identification has been saved in ~/.ssh/id_rsa.
Your public key has been saved in ~/.ssh/id_rsa.pub.
The key fingerprint is:
39:c0:50:dd:a7:0a:8f:bb:6e:6a:e0:83:98:34:88:a5 marc@test.internal

#Identify and Copy the Authorized Keys
Now that you have a public-key file, you can simply place that key in a remote account on any machine running the SSH server (usually named sshd). Once you've set up the account properly, your private key will allow easy access to it.

To allow access to an account, create the file ~/.ssh/authorized_keys in that account's home directory. The file contains one public key per line. The following command appends your public key to the file on the remote host (the mkdir makes sure the .ssh directory exists first, since the redirection fails if it does not); on systems that ship ssh-copy-id, running ssh-copy-id marc@remotehost does the same thing:
$ cat ~/.ssh/id_rsa.pub | ssh marc@remotehost 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'

Verify (or set) the permissions, on the remote host account, for the .ssh folder and the authorized_keys file. With the default StrictModes yes, sshd silently ignores the key if these files, or the home directory itself, are writable by anyone other than the owner:
$ chmod 0700 ~/.ssh
$ chmod 0600 ~/.ssh/authorized_keys

#SSHD Configuration
By default, the account password also allows access to the account. You can disable this in the OpenSSH sshd by modifying /etc/ssh/sshd_config (or the equivalent on your system) and adding (or modifying) this line:
PasswordAuthentication no

You also want to verify that the PubkeyAuthentication option in /etc/ssh/sshd_config is enabled (it is the default, but check that nothing has turned it off):
PubkeyAuthentication yes

Note that sshd uses the first occurrence of each option it finds in the file, so a later line does not override an earlier one. If the system authenticates through PAM, also set ChallengeResponseAuthentication no; otherwise a keyboard-interactive login can still accept the account password. Before restarting sshd, check the file with sshd -t, and keep your existing session open while you confirm from a second terminal that key-based login works and password login is refused. Otherwise a mistake here can lock you out of the host.
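The copy, permission and sshd_config steps above, collected into two reusable shell functions. This is an added example, not code from the original post: install_authorized_key appends a public key to an account's authorized_keys without creating duplicates and sets the permissions sshd expects, and check_sshd_config reports whether a sshd_config file has the two settings discussed above, following sshd's first-occurrence rule. The function names, the scratch-directory demo and the sample key (a constructed blob, not real key material) are assumptions made here; on a real host you would pass the account's home directory and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the authorized_keys
# and sshd_config steps. Both take the file they operate on as a parameter so
# they can be exercised against a scratch directory.

# install_authorized_key HOME_DIR PUBKEY_FILE
# Adds the key only if its key material (the base64 blob) is not already
# present, then sets the permissions sshd's StrictModes requires.
install_authorized_key() {
    home_dir=$1
    pubkey_file=$2
    sshdir="$home_dir/.ssh"
    authfile="$sshdir/authorized_keys"

    # A public key line is "<type> <base64 blob> [comment]"; reject anything else.
    keytype=$(awk 'NR == 1 { print $1 }' "$pubkey_file")
    keyblob=$(awk 'NR == 1 { print $2 }' "$pubkey_file")
    case "$keytype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unrecognised key type in $pubkey_file: '$keytype'" >&2; return 1 ;;
    esac
    [ -n "$keyblob" ] || { echo "no key material in $pubkey_file" >&2; return 1; }

    mkdir -p "$sshdir"
    touch "$authfile"
    # Match on the blob in any field (lines may carry an options prefix such as
    # command="..." before the key type) so a different comment or options do
    # not produce a duplicate entry.
    if ! awk -v blob="$keyblob" \
        '{ for (i = 1; i <= NF; i++) if ($i == blob) found = 1 } END { exit !found }' \
        "$authfile"; then
        cat "$pubkey_file" >> "$authfile"
    fi
    chmod 0700 "$sshdir"
    chmod 0600 "$authfile"
}

# check_sshd_config CONFIG_FILE
# Prints the effective PasswordAuthentication and PubkeyAuthentication values
# and succeeds only if password logins are off and public-key logins are on.
# sshd uses the FIRST occurrence of a keyword, keywords are case-insensitive,
# and an absent keyword takes the OpenSSH default (yes for both). Options set
# inside Match blocks are not considered by this simple check.
check_sshd_config() {
    cfg=$1
    pw=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$cfg")
    pk=$(awk 'tolower($1) == "pubkeyauthentication"   { print tolower($2); exit }' "$cfg")
    pw=${pw:-yes}
    pk=${pk:-yes}
    printf '%s: PasswordAuthentication=%s PubkeyAuthentication=%s\n' "$cfg" "$pw" "$pk"
    [ "$pw" = no ] && [ "$pk" = yes ]
}

# demo: exercise both helpers in a scratch directory with a constructed key
# (the blob below is not real key material) and a constructed sshd_config.
demo() {
    scratch=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7constructedkeymaterial marc@test.internal\n' \
        > "$scratch/id_rsa.pub"
    install_authorized_key "$scratch/home" "$scratch/id_rsa.pub"
    install_authorized_key "$scratch/home" "$scratch/id_rsa.pub"   # second run is a no-op
    echo "authorized_keys entries: $(wc -l < "$scratch/home/.ssh/authorized_keys" | tr -d ' ')"
    ls -ld "$scratch/home/.ssh" "$scratch/home/.ssh/authorized_keys"

    printf '#PasswordAuthentication yes\nPasswordAuthentication no\nPubkeyAuthentication yes\n' \
        > "$scratch/sshd_config"
    check_sshd_config "$scratch/sshd_config" && echo "sshd_config OK"
    rm -rf "$scratch"
}

if [ "${1-}" = "--demo" ]; then
    demo
fi
```

Run the file with --demo to see it work against a scratch directory, or source it and call install_authorized_key "$HOME" ~/.ssh/id_rsa.pub on the remote account and check_sshd_config /etc/ssh/sshd_config as root. The config check deliberately takes the first match for each keyword because that is what sshd does, so a hardening line appended to the end of a file that already sets PasswordAuthentication yes is reported as still weak.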