SSH Key Generation

From Spry Wiki


Tired of entering passwords all the time for various Linux/Unix servers? One of the best ways I have found to automate logins is using ssh keys, and surprisingly it's not very hard.

On Windows I use PuTTY or Poderosa (both free). Poderosa is nice because it is tabbed and lets you split windows, but PuTTY is by far the most common free SSH client, so I will be using PuTTY for this tutorial.

If you haven't installed PuTTY, download the appropriate version for your OS from http://www.putty.nl/ (my favourite is PuTTY Portable from http://portableapps.com/apps/internet/putty_portable, which stores its settings in .xml files instead of the registry, so it's great for USB drives). You will also need PuTTYgen to generate the keys we will use. You may just want the full zip or the full installer, since they bundle a couple of other useful tools (Pageant, PSFTP, PuTTYgen, etc.).

After you have PuTTY installed you will need to create a key. You can also do this on the server with 'ssh-keygen -t rsa -b 2048' or similar (the key-type flag is -t, and 1024 bits is no longer enough), but we will use PUTTYGEN.exe here.

On most installations of OpenSSH an SSH-2 RSA key will work (if not, consult your documentation for the appropriate key type, or update your version). Set the number of bits to at least 2048: 1024-bit RSA is no longer considered adequate, and OpenSSH's own default is now 3072. If both your PuTTYgen and the server are recent, an Ed25519 key is the better choice. Click Generate and you will be prompted to move your mouse over the blank area to generate randomness.

The text in the box at the top of PuTTYgen is your public key, already in the one-line OpenSSH format that authorized_keys expects. That key is safe to upload to any server you wish to connect to. Protect the private key with a passphrase: if you leave it blank, anyone who copies the file can log in as you with no further check (Pageant can hold the unlocked key in memory so you only type the passphrase once per session). Make sure nobody else can read your private key, or they can impersonate you and gain access to your systems. Then save the private key (.ppk). You can also save the public key for convenience, but note that PuTTYgen's 'Save public key' writes the multi-line RFC 4716 format, which OpenSSH will not read from authorized_keys; paste the one-line text from the top box instead, or convert the saved file on the server with 'ssh-keygen -i -f key.pub'.

Now we need to put the public key on the server. In the user's home directory there should be a directory '.ssh' (you need 'ls -la' to see directories that begin with a period). If it does not exist, create it with 'mkdir -m 700 ~/.ssh'. The permissions matter: sshd's StrictModes check (on by default) silently ignores authorized_keys if ~/.ssh, the file itself, or your home directory is writable by anyone but you. If the directory already exists you may see a few files like 'id_rsa' or 'known_hosts'.

-bash-3.00$ ls -hl
total 0
-rw-r--r--  1 test test 0 Aug  9 12:10 authorized_keys
-rw-------  1 test test 0 Aug  9 12:10 id_rsa
-rw-r--r--  1 test test 0 Aug  9 12:10 id_rsa.pub
-rw-r--r--  1 test test 0 Aug  9 12:10 known_hosts

The authorized_keys file lists the public keys allowed to log in as this user, id_rsa is that user's own private key, id_rsa.pub is the matching public key, and known_hosts holds the host keys of servers this user has previously connected to (it has nothing to do with who may log in here). Edit or create authorized_keys by typing 'vi authorized_keys'. If there are already keys in it, move to the last line ('G') and open a new line below it ('o'), then paste the one-line public key you created with PUTTYGEN.exe; each key must sit on a single line. Save and exit vi, then run 'chmod 600 authorized_keys' so nobody else can add keys to it.
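The steps above (create ~/.ssh, check that the key really is in the one-line OpenSSH format, append it once, and set the permissions StrictModes checks) as a POSIX shell function. This is an added example, not code from the original page; the function names are mine, and the key strings in the demo are constructed placeholders, not real keys.

```shell
#!/bin/sh
# install_authorized_key.sh - added example, not code from the original page.
# Puts one public key into a user's authorized_keys the way the text above
# describes, but also (a) refuses the multi-line RFC 4716 file that PuTTYgen's
# "Save public key" produces, since sshd only reads one-line keys from
# authorized_keys, (b) never adds the same key twice, and (c) sets the
# permissions that sshd's StrictModes check requires.

# Usage: install_authorized_key "<one-line public key>" [ssh-dir]
# Returns 0 on success (also when the key was already present), 1 on bad input.
install_authorized_key() {
    key=$1
    sshdir=${2:-$HOME/.ssh}
    authfile=$sshdir/authorized_keys

    case $key in
        "---- BEGIN SSH2 PUBLIC KEY ----"*)
            echo "refusing: RFC 4716 format; convert with 'ssh-keygen -i -f <file>'" >&2
            return 1 ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp*\ *|sk-*\ *) ;;
        *)
            echo "refusing: not a one-line OpenSSH public key" >&2
            return 1 ;;
    esac
    # A usable line has at least a key type and a base64 blob
    # (globbing is turned off while the line is split into words).
    set -f; set -- $key; set +f
    [ $# -ge 2 ] || { echo "refusing: key data missing" >&2; return 1; }

    oldmask=$(umask)
    umask 077                    # anything created below is private to the user
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"          # StrictModes ignores a group/world-writable ~/.ssh
    touch "$authfile"
    chmod 600 "$authfile"        # nobody else may add keys to this file
    umask "$oldmask"

    # Idempotent: if the exact line is already there, do nothing.
    grep -qxF -- "$key" "$authfile" && return 0
    printf '%s\n' "$key" >> "$authfile"
}

# Number of key lines in an authorized_keys file (blank and comment lines ignored).
count_authorized_keys() {
    grep -cv -e '^[[:space:]]*$' -e '^[[:space:]]*#' -- "$1"
}

# Demo: run as `sh install_authorized_key.sh --demo`. The key below is a
# constructed placeholder, not a real key.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    fake='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey0000000000000 me@laptop'
    install_authorized_key "$fake" "$demo/.ssh"
    install_authorized_key "$fake" "$demo/.ssh"     # second call is a no-op
    echo "keys installed: $(count_authorized_keys "$demo/.ssh/authorized_keys")"
    ls -la "$demo/.ssh"
    rm -rf "$demo"
fi
```

On the server you would run it as the target user: 'install_authorized_key "$(cat /tmp/putty-key.txt)"' after copying the one line from PuTTYgen into that file. If sshd still refuses the key afterwards, the permissions of the home directory itself are the next thing to check.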

We now want to make sure the server allows key-based authentication. Edit /etc/ssh/sshd_config ('vi /etc/ssh/sshd_config'). A line with a '#' in front is a comment showing the compiled-in default, so if these lines are commented out the settings are already in effect; removing the '#' just makes them explicit (and guards against a later line turning them off, because sshd uses the first value it finds for each keyword):

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile      .ssh/authorized_keys

so that they read:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

PubkeyAuthentication is the one that matters. RSAAuthentication applies only to the obsolete SSH-1 protocol and was removed in OpenSSH 7.4; on a current server leave it out, or sshd will log it as a deprecated option.

Save and exit vi. Before restarting, run 'sshd -t' to check the file for errors; a mistake here can lock you out, so keep your current session open until you have confirmed that a fresh login works (restarting sshd does not drop sessions that are already connected). Then restart sshd with whatever your distribution uses: 'systemctl restart sshd' (the service is called 'ssh' on Debian/Ubuntu), 'service sshd restart', or '/etc/init.d/sshd restart'.

The next step is to tell PuTTY which key to use. Open PuTTY and load your saved session or create a new one.

In the left-hand tree expand 'Connection', then 'SSH', and select 'Auth' (in recent PuTTY versions the key field has moved to the 'Credentials' sub-panel under 'Auth'). Click 'Browse' next to 'Private key file for authentication' and pick the .ppk file you saved. Go back to 'Session' and save, so you don't have to select the key every time.

If you completed all the steps, connecting to that server should give you the login prompt, and after you supply the user name you will be asked for the key's passphrase (or nothing at all, if the key is loaded in Pageant or has no passphrase) instead of the account password (unless you have configured sshd to require a password as well). If you are still asked for a password, check the server's auth log (/var/log/auth.log or /var/log/secure): a line such as 'Authentication refused: bad ownership or modes for directory' means the StrictModes permission check failed.

There are many ssh and PuTTY options beyond the scope of this tutorial: a passphrase on the key, a password in addition to the key, strict host-key checking, and so on. Find a configuration that suits your needs. If you really want to lock ssh down: disable root logins over ssh ('PermitRootLogin no'), set 'PasswordAuthentication no' once you have confirmed the key works so that a guessed password is no longer enough, or require both with 'AuthenticationMethods publickey,password', and keep a passphrase on the key. Moving the port from 22 to something else cuts down the noise from automated scanners in your logs, but it is not a security control on its own; anyone who cares will find it with a port scan. Attackers have an amazing amount of time on their hands, but at least you can make it harder for them. ;)
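Two checks for the sshd side, covering both the sshd_config edit earlier in the tutorial and the lock-down advice above. This is an added example, not code from the original page: sshd_effective shows what a keyword will resolve to under sshd's first-match rule, and write_hardening_dropin writes the key-only settings from the last paragraph. The function names and file names are mine, and the config text in the demo is constructed.

```shell
#!/bin/sh
# sshd_hardening.sh - added example, not code from the original page.
# sshd_config takes the FIRST value it meets for each keyword (sshd_config(5)),
# so appending "PasswordAuthentication no" to a file that already says "yes"
# higher up changes nothing, and settings after the first "Match" line are
# conditional. sshd_effective() applies that rule to one file so you can
# predict a setting before you restart; on the server, 'sshd -T' is the
# authoritative answer because it also follows Include lines.

# Usage: sshd_effective <config-file> <Keyword>
# Prints the value the global section gives the keyword (matched
# case-insensitively, as sshd does), or "(default)" if the file does not set it.
sshd_effective() {
    file=$1
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}        # drop leading whitespace
        case $line in ''|'#'*) continue ;; esac       # blank or comment
        kw=$(printf '%s' "${line%%[[:space:]]*}" | tr 'A-Z' 'a-z')
        [ "$kw" = match ] && break                    # global section ends here
        if [ "$kw" = "$want" ]; then
            rest=${line#*[[:space:]]}                 # everything after the keyword
            [ "$rest" != "$line" ] || rest=''
            rest=${rest#"${rest%%[![:space:]]*}"}     # trim leading whitespace
            rest=${rest%"${rest##*[![:space:]]}"}     # and trailing whitespace
            printf '%s\n' "$rest"
            return 0
        fi
    done < "$file"
    printf '%s\n' '(default)'
}

# Usage: write_hardening_dropin <path>
# Recent Debian/Ubuntu and Fedora/RHEL ship "Include /etc/ssh/sshd_config.d/*.conf"
# near the top of sshd_config, so a drop-in there is read first and wins. On an
# older sshd without Include support (before 8.2), put the same lines near the
# top of sshd_config itself.
write_hardening_dropin() {
    cat > "$1" <<'EOF'
# key-only access (added hardening example)
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
}

# Check the real configuration before a restart. Run as root with a second
# session kept open: a mistake here locks you out, and a restart does not
# drop sessions that are already connected.
validate_sshd_config() {
    if ! command -v sshd >/dev/null 2>&1; then
        echo "sshd not on PATH (try /usr/sbin/sshd)" >&2
        return 1
    fi
    sshd -t || return 1                               # syntax and option check
    sshd -T | grep -Ei '^(passwordauthentication|permitrootlogin|pubkeyauthentication) '
}

# Demo: run as `sh sshd_hardening.sh --demo`. The main-file contents are constructed.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_hardening_dropin "$d/10-keys-only.conf"
    printf 'PasswordAuthentication yes\nPasswordAuthentication no\n' > "$d/sshd_config"
    echo "main file resolves to: $(sshd_effective "$d/sshd_config" PasswordAuthentication)"
    echo "drop-in resolves to:   $(sshd_effective "$d/10-keys-only.conf" PasswordAuthentication)"
    rm -rf "$d"
fi
```

The demo shows the trap: the main file resolves PasswordAuthentication to 'yes' even though 'no' appears later. Put the drop-in in place, run validate_sshd_config as root, and only then restart sshd and test a new login from a second PuTTY window.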
