Ssh Configure Public/Private Key Authentication: Difference between revisions

From NovaOrdis Knowledge Base
Revision as of 20:01, 5 April 2017

Internal

Procedure

Create the OpenSSH Private/Public Key Pair

Run the following command on the machine you will be logging in from, as the Unix user you will use to connect:

ssh-keygen -q -f ~/.ssh/id_rsa -t rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 

If you want password-less login, use an empty passphrase (just press Enter at both prompts).

Permissions

Make sure ~/.ssh/id_rsa has the following permissions: -rw------- (mode 0600).

Install the Public Key on All Machines You Will Log Into

On all machines you will be logging into, place the content of the previously generated id_rsa.pub into ~/.ssh/authorized_keys and make sure ~/.ssh/authorized_keys has the following permissions: -rw-------.

Alternatively, the public key can be distributed with ssh-copy-id (see the ssh-copy-id article).

File Permission Concerns

Make sure ~/.ssh/id_rsa is -rw-------.

Make sure ~/.ssh/authorized_keys is -rw-------.

If the home directory in which .ssh resides is world writable, public/private key authentication doesn't work and ssh falls back to password authentication. This is sshd's StrictModes check, which also rejects the keys when ~/.ssh or authorized_keys itself is group- or world-writable; running the client with ssh -v shows the key being offered and then the server continuing with password authentication.

Configuring the Server to Allow Public Key Authentication

/etc/ssh/sshd_config must contain the following:

...
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys
...

Note that I've seen servers configured to use /etc/keys/%u/authorized_keys. If this is the case, place the authorized_keys file there, make it owned by the respective user and give it the appropriate permissions.

Optional: Some servers list the users allowed to log in under the "AllowUsers" directive (note that AllowUsers restricts login by any authentication method, not only public key):

...
AllowUsers admin jmp em
...
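A pre-flight check for the permission rules and the sshd_config settings above, added here as an example and not part of the original page. It assumes a POSIX sh with ls, cut and awk, reads file modes from ls -ld rather than stat so it behaves the same on GNU and BSD userlands, and the function names are my own.

```shell
# Checks the rules on this page: home and ~/.ssh must not be group/world
# writable, id_rsa and authorized_keys must be -rw-------, and sshd_config
# must not disable public key authentication. Function names are hypothetical.

# mode_string PATH -> the ten-character mode, e.g. "-rw-------" (from ls -ld)
mode_string() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# writable_by_others PATH -> true when the group or world write bit is set
writable_by_others() {
    case "$(mode_string "$1")" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# check_key_auth_perms HOME -> 0 when all rules hold, else 1 plus one line per finding
check_key_auth_perms() {
    home=$1
    rc=0
    for d in "$home" "$home/.ssh"; do
        if writable_by_others "$d"; then
            echo "FAIL: $d is group/world writable; sshd (StrictModes) ignores keys under it"
            rc=1
        fi
    done
    for f in "$home/.ssh/id_rsa" "$home/.ssh/authorized_keys"; do
        [ -e "$f" ] || continue   # a client-only or server-only host lacks one of them
        m=$(mode_string "$f")
        if [ "$m" != "-rw-------" ]; then
            echo "FAIL: $f is $m, expected -rw-------"
            rc=1
        fi
    done
    return $rc
}

# sshd_option CONFIG KEY -> effective value of KEY in CONFIG. sshd uses the
# first occurrence of a keyword, so the first match wins; comment lines are
# skipped and Match blocks are not interpreted.
sshd_option() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# pubkey_enabled CONFIG -> true unless PubkeyAuthentication is explicitly "no"
# (the keyword defaults to yes, so an absent keyword also counts as enabled)
pubkey_enabled() {
    [ "$(sshd_option "$1" PubkeyAuthentication)" != "no" ]
}
```

Run check_key_auth_perms on the login user's home on both the client and the server, and sshd_option against /etc/ssh/sshd_config on the server to confirm where AuthorizedKeysFile actually points.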