Creating and using ssh keys

Posted in: Beginner information

This guide explains what SSH keys are and how to use them day to day to make a server more secure and logins faster. An SSH key works much like the ordinary lock and key found everywhere. There are two parts: the private key and the public key. The private key is exactly that, private. Anyone who can read or copy that file can log in to every server where the matching public key is installed. The public key is, as the name says, public, and can be posted anywhere. Key authentication works in two steps. When you connect from a computer that holds the private key, the ssh client tells the server which public key it wants to use; the private key itself never leaves your machine. The server looks that key up in the target account's ~/.ssh/authorized_keys file, which lists every public key allowed to log in as that user, and if it finds a match it sends back a challenge that only the holder of the private key can sign. A valid signature logs you in without typing a password; the key takes over that function. This is usually faster than typing a password and removes the temptation to write passwords down. A word to the wise: keep the private key safe!

The first step is to generate a keypair. Use Ed25519: it is the current default recommendation, and DSA (which many older guides recommend as "more secure than RSA") is limited to 1024 bits in OpenSSH and has been disabled by default in both client and server since OpenSSH 7.0, so a new DSA key will simply be refused by an up-to-date server. If you would like to set a passphrase, enter it when prompted; if not, just hit return. A passphrase is worthwhile because a stolen key file is useless without it. The catch is that anything automated, such as an rsync or scp job, cannot type a passphrase. For those, either run ssh-agent so the unlocked key is held in memory, or generate a separate passphrase-less key for that one job and restrict what it can do with options (command="...", from="...") in front of its line in authorized_keys.

—–command—–
ssh-keygen -t ed25519
—–command—–

This creates ~/.ssh/id_ed25519 (the private key) and ~/.ssh/id_ed25519.pub (the public key). I would highly recommend keeping a backup copy of both if you plan on deploying this across multiple servers. The most important thing is that you store id_ed25519 in a very secure place: anyone who gets hold of it can log in to every server where the public key is installed. Now cat the .pub file and save the output; it is going to be used shortly on the other server.

—–command—–
cat ~/.ssh/id_ed25519.pub
—–command—–

Now ssh into the server as the user you want to connect as and do the following (do not worry if mkdir or touch complain that the directory or file already exists):

—–command—–
mkdir ~/.ssh/
touch ~/.ssh/authorized_keys
pico -w ~/.ssh/authorized_keys
—–command—–

Now paste the contents of the id_ed25519.pub file from above as one single line and save the file (in pico, control + o writes it out and control + x exits). Permissions matter here: with the default StrictModes setting, sshd silently ignores the file if ~/.ssh is not mode 700 or authorized_keys is not mode 600, or if either is owned by someone else, so run chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys if ls -la shows anything looser. SSH keys should now be working! Try to log in and see if it works; if it does not, try ssh -v user@host. The -v turns on verbose mode, which helps a lot in troubleshooting, and the server's auth log (/var/log/auth.log or /var/log/secure) will usually say why a key was rejected.
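The whole procedure above, done by a script instead of by hand, as an added example that is not part of the original post. It installs a public-key line into a home directory with the permissions sshd requires, refuses the classic mistake of pasting the private key instead of the public one, and is idempotent, so running it twice does not duplicate the line. The sample key line is constructed for the demo and is not a real key; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: install an OpenSSH public key
# into a user's ~/.ssh/authorized_keys the way the post does by hand.

# Constructed sample public-key line for the demo; NOT a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEexampleEXAMPLEexampleEXAMPLEexampleE laptop'

# valid_pubkey_line LINE -> 0 if LINE looks like an OpenSSH public key
# (type, base64 blob, optional comment), 1 otherwise.  Catches pasting the
# private key ("-----BEGIN OPENSSH PRIVATE KEY-----") or a mangled blob.
# Only the two common key types are recognised in this demo.
valid_pubkey_line() {
    line=$1
    type=${line%% *}
    rest=${line#* }
    blob=${rest%% *}
    [ "$rest" != "$line" ] || return 1          # no space means no blob at all
    # The base64 blob starts with the length-prefixed type name, so a
    # mismatch between the two means the line was not copied intact.
    case "$type" in
        ssh-ed25519) prefix=AAAAC3NzaC1lZDI1NTE5 ;;
        ssh-rsa)     prefix=AAAAB3NzaC1yc2E ;;
        *)           return 1 ;;
    esac
    case "$blob" in "$prefix"*) ;; *) return 1 ;; esac
    printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# install_authorized_key HOME KEYLINE
# Creates HOME/.ssh (0700) and authorized_keys (0600) if missing and appends
# KEYLINE once.  sshd's StrictModes ignores the file when either is looser
# than that, so the chmods are what make the key actually work.
install_authorized_key() {
    home=$1; key=$2
    valid_pubkey_line "$key" || { echo "refusing: not a public key line" >&2; return 1; }
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    ak="$home/.ssh/authorized_keys"
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak" || return 1
    grep -qxF "$key" "$ak" || printf '%s\n' "$key" >> "$ak"
}

# count_keys HOME -> number of non-empty lines in authorized_keys
count_keys() { grep -c . "$1/.ssh/authorized_keys"; }

# Demo against a throwaway directory standing in for the remote user's home.
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$SAMPLE_PUBKEY"
install_authorized_key "$demo_home" "$SAMPLE_PUBKEY"   # second run is a no-op
echo "keys installed: $(count_keys "$demo_home")"      # 1
rm -rf "$demo_home"
```

On a real server the same thing is done remotely by `ssh-copy-id -i ~/.ssh/id_ed25519.pub user@host`, which also creates the directory and fixes the permissions; the script above is useful when you have to do it from a configuration-management hook or a console session where ssh-copy-id is not available.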

**********************************************
**********************************************
Some of the more advanced things you can do with ssh keys:

Enable direct root login only if a user has a private key:

Allow direct root login ONLY when logging in with an SSH key. This is a very valuable option because it stops anybody trying to brute-force the root password from gaining access to the system, while still letting you get direct access to root. In an ideal environment you would turn on key-only authentication for everyone and only allow an ordinary user to log in and then use sudo, but I know in the real world that is not practical for many people. To allow root to log in with SSH keys only, edit sshd_config:

—–command—–
pico /etc/ssh/sshd_config
—–command—–

Scroll down a little until you see “PermitRootLogin yes” and comment it out with a #. Make a new line right below it and add “PermitRootLogin prohibit-password” (older servers spell it “PermitRootLogin without-password”; OpenSSH 7.0 and later accept both spellings). Commenting out the old line is not optional: sshd uses the first uncommented value of a keyword it finds, so a second line pasted underneath an active “yes” would be ignored. Save with control + o, exit with control + x, check the file with sshd -t (it prints nothing when the config is valid), and restart ssh. Keep your current session open until you have confirmed from a second terminal that a fresh key login as root works.

—–command—–
service sshd restart
—–command—–

You can now log in as root over ssh only with an SSH key! (On Debian and Ubuntu the service is called ssh rather than sshd, and on systemd hosts the equivalent is systemctl restart sshd.) Note that this only restricts root: other accounts can still log in with passwords until you also set “PasswordAuthentication no”.
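A small audit script, added here as an example that is not part of the original post, showing the weak sshd_config beside the hardened one and checking them the way sshd itself reads the file: first uncommented occurrence wins, so a directive pasted below an active one changes nothing. Both config snippets are constructed for the demo (the real file is /etc/ssh/sshd_config), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: audit sshd_config text for the
# settings this section changes.

# Constructed sample configs; the real one lives at /etc/ssh/sshd_config.
WEAK_CONFIG='# sample sshd_config (constructed)
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
'
HARDENED_CONFIG='# sample sshd_config (constructed)
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
'

# effective_value CONFIG KEYWORD -> prints the value sshd will use, or nothing
# if the keyword is never set.  sshd takes the FIRST uncommented occurrence,
# which is why the original "PermitRootLogin yes" must be commented out
# rather than just followed by a new line.  Keywords are case-insensitive.
effective_value() {
    printf '%s\n' "$1" | awk -v k="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { print $2; exit }'
}

# audit_root_login CONFIG -> 0 if root can only log in with a key, 1 otherwise.
# An unset value means the compiled-in default applies ("yes" before
# OpenSSH 7.0, "prohibit-password" since), so it is reported as not proven.
audit_root_login() {
    case "$(effective_value "$1" PermitRootLogin)" in
        prohibit-password|without-password|no) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_passwords CONFIG -> 0 if password auth is off for everyone.
audit_passwords() {
    [ "$(effective_value "$1" PasswordAuthentication)" = no ]
}

for name in WEAK_CONFIG HARDENED_CONFIG; do
    eval "cfg=\$$name"
    if audit_root_login "$cfg"; then
        echo "$name: root is key-only"
    else
        echo "$name: root can log in with a password"
    fi
    if audit_passwords "$cfg"; then
        echo "$name: password authentication is off"
    else
        echo "$name: password authentication is still on"
    fi
done

# Safe restart on the real host: validate first, then restart, keeping the
# current session open until a second connection succeeds.
#   sshd -t && service sshd restart     # Debian/Ubuntu: service ssh restart
```

The parser above deliberately ignores Match blocks, which can override these values for particular users or addresses; on the server itself, `sshd -T` prints the fully resolved configuration and is the authoritative check.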

**********************************************
**********************************************

If you would like to use SSH keys from PuTTY, download puttygen.exe from http://the.earth.li/~sgtatham/putty/latest/x86/puttygen.exe and run it. At the bottom choose the key type (EdDSA in current releases, RSA on older ones that do not offer it; avoid DSA, which OpenSSH servers refuse by default since 7.0) and click “Generate”, moving the mouse over the blank area to give it randomness. When it finishes, the text box labelled “Public key for pasting into OpenSSH authorized_keys file” holds the single line you paste into authorized_keys exactly as before. Set a passphrase, then save the private key as a .ppk file and point PuTTY at it under Connection > SSH > Auth (or load it into Pageant, PuTTY's key agent). Do not paste the contents of the .ppk file into authorized_keys: that is PuTTY's own private-key format, not an OpenSSH public key.

**********************************************
**********************************************

There are a lot more things you can do with SSH keys, like moving backups automatically or running commands on a remote server from another, but that is more than I am going to go into for now. There is a lot of information on Google about SSH keys if you need more information or ideas on how to use them further!
