Ssh Configure Public/Private Key Authentication

From NovaOrdis Knowledge Base

=Internal=

* [[ssh#Client_Operations|ssh]]

=Overview=
=Procedure=


==Create the OpenSSH Private/Public Key Pair==


<font color=red>TODO https://home.feodorov.com:9443/wiki/Wiki.jsp?page=OpenSSHConfiguration#section-OpenSSHConfiguration-ConfiguringPrivatePublicKeyAuthentication</font>
Run the following command on the machine you will be logging '''from''' and as the Unix user you will be using to connect:
 
<pre>
ssh-keygen -q -f ~/.ssh/id_rsa -t rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:  
</pre>
 
If you want password-less login, use an empty string as the passphrase.
 
 
Make sure <code>~/.ssh/id_rsa</code> is <code>-rw-------</code>.
 
On all machines you will be logging in '''to''', place the content of the previously generated <code>id_rsa.pub</code> into <code>~/.ssh/authorized_keys</code> and make sure <code>~/.ssh/authorized_keys</code> is <code>-rw-------</code>.
 
===Alternative Using ssh-copy-id===

* [[ssh-copy-id]]
 
==2. File Permission Concerns==
 
Make sure <code>~/.ssh/id_rsa</code> is <code>-rw-------</code>.

Make sure <code>~/.ssh/authorized_keys</code> is <code>-rw-------</code>.
 
If the home directory in which <code>.ssh</code> resides is world writable, public/private key authentication doesn't work and ssh silently falls back to password authentication.
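The permission rules above are what sshd's <code>StrictModes</code> check (on by default) enforces: the home directory, <code>~/.ssh</code> and <code>authorized_keys</code> must not be group- or world-writable and must be owned by the user or root, and the ssh client refuses a private key that anyone but its owner can read. The following shell function, added here as an example and not part of the original page, audits all of these for a given home directory so the "falls back to password" case can be diagnosed in one run. It assumes a GNU or BSD <code>stat</code>; the function and helper names are the example's own.

```sh
#!/bin/sh
# Added example (not from the original page): audit the permissions that make
# sshd (StrictModes, the default) or the ssh client silently ignore keys.
# Given a home directory, checks that:
#   - home and home/.ssh are not group/world writable
#   - authorized_keys exists, is not group/world writable, and is owned by the
#     home's owner or root
#   - id_rsa, if present, is readable by nobody but its owner
# Prints each offending path; returns 0 when everything is acceptable.

mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }   # octal mode
uid_of()  { stat -c %u "$1" 2>/dev/null || stat -f %u "$1"; }    # numeric owner

ssh_key_perms_ok() {
  home=$1
  rc=0
  if [ ! -d "$home" ]; then
    echo "no such directory: $home"
    return 1
  fi
  owner=$(uid_of "$home")

  # Every directory on the path to authorized_keys must not be writable by
  # group or others (022 octal = 18 decimal); sshd rejects the key file otherwise.
  for d in "$home" "$home/.ssh"; do
    if [ ! -d "$d" ]; then
      echo "missing directory: $d"; rc=1; continue
    fi
    if [ $(( 0$(mode_of "$d") & 18 )) -ne 0 ]; then
      echo "group/world writable: $d (mode $(mode_of "$d"))"; rc=1
    fi
  done

  ak="$home/.ssh/authorized_keys"
  if [ ! -f "$ak" ]; then
    echo "missing: $ak (nothing to authorize, sshd falls back to password)"; rc=1
  else
    if [ $(( 0$(mode_of "$ak") & 18 )) -ne 0 ]; then
      echo "group/world writable: $ak (mode $(mode_of "$ak"))"; rc=1
    fi
    if [ "$(uid_of "$ak")" -ne "$owner" ] && [ "$(uid_of "$ak")" -ne 0 ]; then
      echo "not owned by the user or root: $ak"; rc=1
    fi
  fi

  # The private key only matters on the machine you log in FROM; the client
  # ignores it if group or others have any access (077 octal = 63 decimal).
  key="$home/.ssh/id_rsa"
  if [ -f "$key" ] && [ $(( 0$(mode_of "$key") & 63 )) -ne 0 ]; then
    echo "private key too open: $key (mode $(mode_of "$key")), expected 600"; rc=1
  fi
  return $rc
}

# Usage: audit the current user's home, or a directory given as first argument.
if ssh_key_perms_ok "${1:-$HOME}"; then
  echo "permissions OK for ${1:-$HOME}"
fi
```

Run it on the server as the account you log in to; a non-zero exit with the printed path tells you which of the three locations sshd objects to.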
 
==3. Configuring the Server to Allow Public Key Authentication==
 
<code>/etc/ssh/sshd_config</code> must contain the following:
 
<pre>
...
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile    .ssh/authorized_keys
...
</pre>
 
Note that I've seen servers configured to use <code>/etc/keys/%u/authorized_keys</code>. If this is the case, place the <code>authorized_keys</code> file there, make it owned by the respective user and give it the appropriate permissions.
 
 
Optional: Some servers list the users allowed to authenticate with a public key under the <code>AllowUsers</code> directive:
 
<pre>
...
AllowUsers admin jmp em
...
</pre>
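As an added example (not part of the original page), the following shell function reads an <code>sshd_config</code> and prints the effective value of the directives discussed in this section, following sshd's own parsing rules: the first occurrence of a keyword wins, keywords are case-insensitive, <code>#</code> starts a comment, and directives after a <code>Match</code> line apply only conditionally, so the scan stops there. On a live host, <code>sshd -T</code> (typically run as root) prints the daemon's complete effective configuration and is the authoritative check. One caveat: <code>RSAAuthentication</code> only governed protocol 1 and was removed in OpenSSH 7.4, where sshd logs it as a deprecated option and ignores it; <code>PubkeyAuthentication</code> is the directive that matters on current releases. The function name and the constructed config used in the usage note are the example's own.

```sh
#!/bin/sh
# Added example, not the page's own: print the effective values of the
# public-key-related directives in an sshd_config file.
# Rules mirrored from sshd: the first occurrence of a keyword wins, keywords are
# case-insensitive, '#' begins a comment, and everything after a 'Match' line
# is conditional, so the scan stops there. (The rarer "Keyword=value" form is
# not handled.)
sshd_pubkey_settings() {
  awk '
    BEGIN {
      want["rsaauthentication"]    = "RSAAuthentication"
      want["pubkeyauthentication"] = "PubkeyAuthentication"
      want["authorizedkeysfile"]   = "AuthorizedKeysFile"
      want["allowusers"]           = "AllowUsers"
    }
    { sub(/#.*/, "") }                       # drop comments
    NF == 0 { next }                         # skip blank lines
    tolower($1) == "match" { exit }          # conditional block: stop
    {
      key = tolower($1)
      if ((key in want) && !(key in seen)) {
        seen[key] = 1                        # later duplicates are ignored by sshd
        val = $2
        for (i = 3; i <= NF; i++) val = val " " $i
        print want[key] " " val
      }
    }
  ' "$1"
}

# Usage: show the effective settings of the live daemon config, if readable.
cfg=${1:-/etc/ssh/sshd_config}
[ -r "$cfg" ] && sshd_pubkey_settings "$cfg"
```

A directive that is printed with the wrong value, or an <code>AllowUsers</code> line that omits the account, explains a key that is installed correctly but still prompts for a password.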

Revision as of 19:49, 5 April 2017