SSH Public Key Authentication Tutorial



egrath
8th November 2010, 05:03 PM
Public Key Authentication

When your network has more than one Linux-based system and you are the kind of guy who likes to do the administration on the command line, it would be welcome to be able to connect to other systems without entering the password every time.

Exactly for this, there's a solution available for SSH – it's called “Public Key Authentication” and works the following way:

1. On each host, the desired user has a key (which itself consists of a private and a public key)
2. On each other host the public key from (1) is added to a list of allowed keys
3. Whenever a user logs in to another host using ssh, the server checks to see if the user's public key is in the list (2) and if it matches the private key of the user.

The above may sound a little bit complicated, but it's not hard to set up an environment in this way.

Step 1: Make sure SSH is running on your System

OpenSSH is installed by default on Fedora 14, but the SSH daemon is disabled by default. To enable it, open a root terminal and enter:


chkconfig --level 235 sshd on
service sshd start

By default the firewall blocks incoming SSH connections (port 22). Run “system-config-firewall”, tick the “SSH” service, then press “Apply” and “Reload”. Answer the following question with “Yes”.

Step 2: Generate the SSH Keys on each Host

Now it's time to generate your keys. Perform this step with the user you use for your daily work – in my example the user is called “er” (the two hosts used for this example are “nelson” and “blackwood”).

ssh-keygen -b 2048 -C "SSH Keys for User er@nelson" -f ~/.ssh/er_nelson -N ""
When finished you have created two new files, located in the ~/.ssh directory:

er_nelson
er_nelson.pub
The one without an extension is the private key and is not meant to be distributed across the network. Keep it secret. The other one is the public key which we will use later.

Because the “ssh” command is by default looking for other files when using public key authentication, we want to add an alias to use our files. Put the following line in your ~/.bash_profile or ~/.bashrc (depends on whether you are using a login shell or a regular one; use ~/.bashrc when you don't know):

alias ssh="ssh -i ~/.ssh/${USER}_`hostname -s`"
One may ask why we don't use the default names and have to tamper with an alias to make things work. It's because the default files are named “identity” and “identity.pub” - but we want to know to which user our Keys belong just by looking at the filename.

This step needs to be performed at every host you want to make part of the trust relationship.

Step 3: Make the Hosts trust each other

If there's not already a terminal open, open up one. Then run the following command (read below before starting!):


ssh blackwood cat ~/.ssh/er_nelson.pub >> ~/.ssh/authorized_keys

Before running this command, adapt it to your environment – replace “blackwood” with the name of your other host and “er_nelson” with the filename you created at step (2). Repeat it for every host you include in the trust relationship.

When finished you'll end up with a ~/.ssh/authorized_keys which contains every public key you created on your different hosts. To make the hosts trust each other, just copy this file to each other host:

scp ~/.ssh/authorized_keys blackwood:~/.ssh/
As before, replace “blackwood” with the name of your other host and repeat it for every host in your trust relationship.

Step 4: Testing it out

Now that every user has its own key on each host and is trusted on every other host, you should be able to do ssh logins without needing to enter a password.
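
The following is an added example, not code from the post above. It does what Step 3 does with “cat >> authorized_keys”, but adds the checks a practitioner would want: only lines shaped like an OpenSSH public key are accepted, a key already present is not appended again (so the merge can be re-run), and ~/.ssh and authorized_keys get the 0700/0600 permissions sshd's StrictModes requires before it will honour the file. It also prints a ~/.ssh/config Host block with IdentityFile as an alternative to the shell alias; ssh_config also applies to scp, sftp and anything else that invokes ssh, which a shell alias does not. The user name “er”, the hosts “nelson” and “blackwood” and the key blobs are constructed for the example and are not real keys.

```shell
#!/bin/sh
# Added example, not code from the forum post: assemble authorized_keys from
# *.pub files with validation, de-duplication and StrictModes permissions.
# User, host names and key blobs below are constructed; they are not real keys.

# True if a line has the shape of an OpenSSH public key: "<type> <base64> [comment]".
is_pubkey_line() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# merge_pubkeys AUTHORIZED_KEYS PUBFILE...
# Appends every valid key from the given files once, identified by its
# "<type> <base64>" pair, so a re-run or a changed comment adds nothing.
# Creates the directory (0700) and the file (0600) as sshd's StrictModes
# expects, and prints the number of keys in the file afterwards.
merge_pubkeys() {
    ak=$1; shift
    mkdir -p "$(dirname "$ak")" && chmod 700 "$(dirname "$ak")"
    touch "$ak" && chmod 600 "$ak"
    for pub in "$@"; do
        # the "|| [ -n "$line" ]" also takes a last line that lacks a newline
        while IFS= read -r line || [ -n "$line" ]; do
            if ! is_pubkey_line "$line"; then
                printf 'skipping malformed line in %s\n' "$pub" >&2
                continue
            fi
            keyid=$(printf '%s\n' "$line" | awk '{ print $1, $2 }')
            # exact match on the first two fields of entries without options
            if awk -v k="$keyid" '($1 " " $2) == k { found = 1 } END { exit !found }' "$ak"; then
                continue
            fi
            printf '%s\n' "$line" >> "$ak"
        done < "$pub"
    done
    grep -c '' "$ak"
}

# ssh_config_block USER HOST KEYFILE
# Prints a ~/.ssh/config Host block that selects KEYFILE for HOST. This also
# covers scp and sftp, which do not read a shell alias.
ssh_config_block() {
    printf 'Host %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$2" "$1" "$3"
}

# Demo with two constructed hosts; the second .pub file carries a malformed line.
demo() {
    tmp=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEnelsonNOTAREALKEYxxxxxxxxxxxxxxxx er@nelson\n' > "$tmp/er_nelson.pub"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEblackwoodNOTAREALKEYxxxxxxxxxxxx er@blackwood\nthis is not a key\n' > "$tmp/er_blackwood.pub"
    merge_pubkeys "$tmp/ssh/authorized_keys" "$tmp/er_nelson.pub" "$tmp/er_blackwood.pub"   # prints 2
    merge_pubkeys "$tmp/ssh/authorized_keys" "$tmp/er_nelson.pub"                            # still 2
    cat "$tmp/ssh/authorized_keys"
    ssh_config_block er blackwood '~/.ssh/er_nelson'
    rm -rf "$tmp"
}
demo
```

Run it on each host with that host's collection of .pub files rather than copying one authorized_keys file everywhere: a host then only trusts the keys you deliberately gave it, and a key you later revoke only has to be removed from the hosts that actually list it.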

jpollard
8th November 2010, 05:26 PM
One problem this does introduce (just so everyone knows) is that IF any of the hosts gets broken into, you have to assume ALL hosts have been broken into.

Sometimes, this isn't a big problem - for instance, a user level account using this may get compromised, but that doesn't immediately translate into a root level break-in (as long as everything is patched... there have been times in the recent past where a user account can be elevated into a root account).

But where the root account (as sometimes used for backups) uses this technique...
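
The following is an added example, not code from the thread. It shows the usual way to narrow the blast radius described above for a key that exists only for one job, such as a root backup key: the authorized_keys entry on the accepting host pins the client address with from=, forces a single command with command=, and switches off port/agent/X11 forwarding and PTY allocation. sshd then runs the forced command no matter what the client asks for, so a stolen key yields that command and nothing else. The address 192.0.2.10, the command path and the key blob are constructed for the example. On OpenSSH 7.2 and later the single option restrict covers the no-* settings; the explicit list below also works on older releases such as the Fedora 14-era sshd the post targets.

```shell
#!/bin/sh
# Added example, not code from the thread: restrict a trusted key to one
# source address and one forced command, and audit a file for unrestricted keys.
# The address, command path and key blob are constructed; the key is not real.

# restrict_key FROM COMMAND PUBKEY_LINE
# Prints the authorized_keys entry for PUBKEY_LINE with restrictive options.
restrict_key() {
    from=$1; cmd=$2; pub=$3
    printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$from" "$cmd" "$pub"
}

# key_options AUTHORIZED_KEYS_LINE
# Prints the options field of an entry (empty for a plain key line). The field
# ends at the first space outside double quotes, so a comma or space inside
# from="..." or command="..." stays part of it. Backslash-escaped quotes inside
# an option value are not handled.
key_options() {
    printf '%s\n' "$1" | awk '{
        inq = 0; out = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "\"") inq = !inq
            else if (c == " " && !inq) break
            out = out c
        }
        # a line that begins with a key type carries no options field
        if (out ~ /^(ssh-|ecdsa-sha2-)/) out = ""
        print out
    }'
}

# is_restricted AUTHORIZED_KEYS_LINE
# True when the entry forces a command, pins the client address and denies a PTY.
is_restricted() {
    opts=$(key_options "$1")
    case $opts in *command=*) ;; *) return 1 ;; esac
    case $opts in *from=*) ;; *) return 1 ;; esac
    case $opts in *no-pty*) return 0 ;; *) return 1 ;; esac
}

# unrestricted_count AUTHORIZED_KEYS
# Counts entries without those restrictions; for a root account that exists
# only to receive backups the expected answer is 0.
unrestricted_count() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        is_restricted "$line" || n=$((n + 1))
    done < "$1"
    echo "$n"
}

# Demo: one restricted entry and one plain copy of the same key.
demo() {
    pub='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEbackupNOTAREALKEYxxxxxxxxxxxxxxxx backup@nelson'
    entry=$(restrict_key '192.0.2.10' '/usr/local/bin/backup-shell' "$pub")
    printf '%s\n' "$entry"
    key_options "$entry"
    tmp=$(mktemp)
    printf '%s\n%s\n' "$entry" "$pub" > "$tmp"
    unrestricted_count "$tmp"   # prints 1: the plain copy of the key
    rm -f "$tmp"
}
demo
```

The forced command should itself be a fixed program (a wrapper around the backup tool, not a shell); the original client request is still visible to it in SSH_ORIGINAL_COMMAND if it needs to allow a few sub-commands.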

glennzo
8th November 2010, 05:27 PM
I've been doing this on my toys at home, all 5 of them. Pretty convenient to not have to constantly enter the password. I'm always bouncing from one computer to another via the command line. Thanks for the post.

forkbomb
8th November 2010, 05:28 PM
"Authentification" is arguably improper in English. Just sayin.
http://dag.wieers.com/blog/authentification-does-not-exist

;)

egrath
8th November 2010, 06:55 PM
"Authentification" is arguably improper in English. Just sayin.
http://dag.wieers.com/blog/authentification-does-not-exist

;)

Thanks for the hint, I fixed that!