Ssh Configure Public/Private Key Authentication: Difference between revisions

From NovaOrdis Knowledge Base
Line 9: Line 9:
This is the procedure to generate a [[Public_Key_Security#Key_Pair|public/private key pair]]. Run the following command on the machine you will be logging '''from''' and as the Unix user you will be using to connect:
This is the procedure to generate a [[Public_Key_Security#Key_Pair|public/private key pair]]. Run the following command on the machine you will be logging '''from''' and as the Unix user you will be using to connect:


  ssh-keygen -q -b 2048 -f ~/.ssh/id_rsa -t rsa
  ssh-keygen -q -b 2048 -P "" -f ~/.ssh/id_rsa -t rsa
Enter passphrase (empty for no passphrase):
 
Enter same passphrase again:
The above command uses an empty (no) passphrase.


The key is written in [[Public_Key_Security#PEM|PEM]] format.
The key is written in [[Public_Key_Security#PEM|PEM]] format.
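Review bot: the revised line `ssh-keygen -q -b 2048 -P "" -f ~/.ssh/id_rsa -t rsa` hard-codes an empty passphrase in place of the interactive "Enter passphrase" prompt of the old line, which means the private key is written to disk unencrypted; the new sentence "The above command uses an empty (no) passphrase" should say that consequence outright and point to the -rw------- requirement for ~/.ssh/id_rsa given later in the procedure, because once the passphrase is empty the file mode is the only thing protecting the key.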

Revision as of 20:13, 17 July 2019

Internal

Procedure

Create the OpenSSH Private/Public Key Pair

This is the procedure to generate a public/private key pair. Run the following command on the machine you will be logging in from, as the Unix user you will be using to connect:

ssh-keygen -q -b 2048 -P "" -f ~/.ssh/id_rsa -t rsa

The above command uses an empty (no) passphrase.

The key is written in PEM format.

If you want passwordless login, use an empty string as the passphrase.

The keys can also be generated with OpenSSL; the results are equivalent.

For more general considerations on private keys, see:

Private Keys

Permissions

Make sure ~/.ssh/id_rsa has the following permissions: -rw-------.

Install the Public Key on All Machines to Log In To

On all machines you will be logging in to, place the content of the previously generated id_rsa.pub into ~/.ssh/authorized_keys and make sure ~/.ssh/authorized_keys has the following permissions: -rw-------.

Alternatively, the distribution can be done with ssh-copy-id:

ssh-copy-id

File Permission Concerns

Make sure ~/.ssh/id_rsa is -rw-------.

Make sure ~/.ssh/authorized_keys is -rw-------.

If the home directory in which .ssh resides is world writable, public/private key authentication does not work and ssh falls back to password authentication.
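The three permission requirements above, and the silent fallback to password authentication they cause when violated, are easy to check from a script. The following audit function is an added example, not code from the NovaOrdis page; it assumes POSIX sh and a stat(1) that accepts either GNU `-c '%a'` or BSD `-f '%OLp'`, and treats a group-writable directory the same as a world-writable one, because sshd's StrictModes check refuses both.

```shell
#!/bin/sh
# Added example, not part of the NovaOrdis page: audit the file modes that
# the procedure above requires, for one user's home directory.
# Assumes POSIX sh and a stat(1) that accepts GNU -c '%a' or BSD -f '%OLp'.

# mode_of PATH -> prints the permission bits in octal, e.g. 600 or 755.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# writable_by_others PATH -> true (0) when the group or world write bit is set.
# sshd's StrictModes check refuses authorized_keys when any directory on the
# path to it is group- or world-writable, which produces the fallback-to-password
# symptom described above.
writable_by_others() {
    m=$(mode_of "$1")
    last2=${m#"${m%??}"}          # the group and other digits
    case "$last2" in
        [2367]?|?[2367]) return 0 ;;
    esac
    return 1
}

# audit_ssh_home HOME_DIR -> 0 when everything matches the procedure,
# 1 otherwise; prints one OK/FAIL/MISSING line per item.
audit_ssh_home() {
    home=$1
    rc=0
    for d in "$home" "$home/.ssh"; do
        if [ ! -d "$d" ]; then
            echo "MISSING: directory $d"; rc=1
        elif writable_by_others "$d"; then
            echo "FAIL: $d is group/world writable (mode $(mode_of "$d")); sshd will ignore authorized_keys"; rc=1
        else
            echo "OK: $d mode $(mode_of "$d")"
        fi
    done
    for f in "$home/.ssh/id_rsa" "$home/.ssh/authorized_keys"; do
        if [ ! -f "$f" ]; then
            echo "MISSING: $f"; rc=1
        elif [ "$(mode_of "$f")" != "600" ]; then
            echo "FAIL: $f mode $(mode_of "$f"), expected 600 (-rw-------)"; rc=1
        else
            echo "OK: $f mode 600 (-rw-------)"
        fi
    done
    return $rc
}

# Usage: sh audit_ssh.sh /home/alice
if [ $# -gt 0 ]; then
    audit_ssh_home "$1"
fi
```

Run it as the user whose login is failing; a FAIL on the home directory or on .ssh explains the "falls back to password" behaviour even when both key files are already 600.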

Configuring the Server to Allow Public Key Authentication

/etc/ssh/sshd_config must contain the following:

...
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys
...

Note that I've seen servers configured to use /etc/keys/%u/authorized_keys. If this is the case, place the authorized_keys file there, make it owned by the respective user and give it the appropriate permissions.

Optional: Some servers list the users allowed to authenticate with public key under the "AllowUsers" directive:

...
AllowUsers admin jmp em
...
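To check what a server's sshd_config actually says about the directives in the two fragments above (PubkeyAuthentication, AuthorizedKeysFile, the SSH-1-era RSAAuthentication, and AllowUsers), the following reader is an added example, not code from the NovaOrdis page or from OpenSSH. It assumes POSIX sh and awk, the "Keyword value" form of sshd_config lines, and it stops at the first Match block because directives after that point are conditional. It honours sshd's rule that the first value read for a keyword wins.

```shell
#!/bin/sh
# Added example, not part of the NovaOrdis page: read the directives named in
# the sshd_config fragments above and decide whether a given user can
# authenticate with a public key under that configuration.
# Assumes POSIX sh and awk, "Keyword value" syntax (not "Keyword=value"), and
# stops at the first Match block, whose directives are conditional.

# sshd_directive FILE KEYWORD -> prints the value of the first active
# occurrence of KEYWORD. sshd uses the first value it reads for a keyword, so a
# later duplicate does not override it; keywords are case-insensitive.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        tolower($1) == "match"    { exit }          # conditional section: stop
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")         # drop the keyword itself
            print; exit
        }
    ' "$1"
}

# user_allowed USER "AllowUsers value" -> 0 when USER matches one of the
# entries; entries may be user@host (host part ignored here) or shell-style
# globs such as adm*. Runs in a subshell so set -f does not leak out.
user_allowed() {
    (
        set -f                     # no pathname expansion while splitting the list
        for pat in $2; do
            pat=${pat%%@*}
            case "$1" in
                $pat) exit 0 ;;
            esac
        done
        exit 1
    )
}

# check_pubkey_config FILE USER -> 0 if USER can use public-key auth, else 1.
check_pubkey_config() {
    cfg=$1; user=$2; rc=0
    pk=$(sshd_directive "$cfg" PubkeyAuthentication)
    pk=$(printf '%s' "${pk:-yes}" | tr 'A-Z' 'a-z')   # sshd's default is yes
    if [ "$pk" = "yes" ]; then
        echo "OK: PubkeyAuthentication yes"
    else
        echo "FAIL: PubkeyAuthentication $pk"; rc=1
    fi
    akf=$(sshd_directive "$cfg" AuthorizedKeysFile)
    echo "INFO: AuthorizedKeysFile ${akf:-not set, sshd default applies} (%u = user name, %h = home directory)"
    if [ -n "$(sshd_directive "$cfg" RSAAuthentication)" ]; then
        echo "INFO: RSAAuthentication is an SSH-1-only option; current OpenSSH ignores it"
    fi
    au=$(sshd_directive "$cfg" AllowUsers)
    if [ -z "$au" ]; then
        echo "OK: no AllowUsers restriction"
    elif user_allowed "$user" "$au"; then
        echo "OK: $user is listed in AllowUsers ($au)"
    else
        echo "FAIL: $user is not in AllowUsers ($au); sshd rejects the login before any key is checked"; rc=1
    fi
    return $rc
}

# Usage: sh check_sshd.sh /etc/ssh/sshd_config alice
if [ $# -ge 2 ]; then
    check_pubkey_config "$1" "$2"
fi
```

The AllowUsers check matters for troubleshooting: a user missing from that list is refused regardless of how well the key files are set up, so it is worth reading before re-checking permissions.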

Auxiliary Procedures

Convert an OpenSSL PEM Public Key for Use with OpenSSH

This command converts a public key generated with openssl commands (PEM-encoded) into the format OpenSSH expects in authorized_keys:

ssh-keygen -i -m PKCS8 -f ./id_rsa_openssl.pem > id_rsa.pub
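Putting the conversion together with the earlier statement that OpenSSL-generated keys are equivalent: the script below is an added example, not code from the NovaOrdis page, that creates the key pair with openssl, converts the public half with the command above, and proves the conversion by comparing the fingerprint of the converted key against the one ssh-keygen derives directly from the private key. It assumes openssl and ssh-keygen are on PATH and returns 2 (skipped) when either is missing.

```shell
#!/bin/sh
# Added example, not part of the NovaOrdis page: generate the key pair with
# OpenSSL, convert the public half with the ssh-keygen command above, and
# verify the conversion by comparing fingerprints. Assumes openssl and
# ssh-keygen are on PATH; returns 2 (skipped) when either is missing, 0 on
# success, 1 if the fingerprints differ.

# fingerprint PUBKEY_FILE -> the SHA256 fingerprint (second field of -l output)
fingerprint() {
    ssh-keygen -l -f "$1" | awk '{ print $2 }'
}

# convert_and_verify WORK_DIR -> writes id_rsa_openssl, id_rsa_openssl.pem,
# id_rsa.pub and authorized_keys into WORK_DIR.
convert_and_verify() {
    dir=$1
    command -v openssl >/dev/null 2>&1 && command -v ssh-keygen >/dev/null 2>&1 || return 2

    # 1. RSA private key via OpenSSL, kept at -rw------- as the procedure requires.
    openssl genrsa -out "$dir/id_rsa_openssl" 2048 2>/dev/null
    chmod 600 "$dir/id_rsa_openssl"

    # 2. Public key as PEM SubjectPublicKeyInfo; this is what ssh-keygen's
    #    -m option calls PKCS8.
    openssl rsa -in "$dir/id_rsa_openssl" -pubout -out "$dir/id_rsa_openssl.pem" 2>/dev/null

    # 3. The page's conversion command.
    ssh-keygen -i -m PKCS8 -f "$dir/id_rsa_openssl.pem" > "$dir/id_rsa.pub"

    # 4. Independent view of the same key: let ssh-keygen derive the public key
    #    straight from the OpenSSL private key, then compare fingerprints.
    ssh-keygen -y -f "$dir/id_rsa_openssl" > "$dir/id_rsa.from_private.pub"
    [ "$(fingerprint "$dir/id_rsa.pub")" = "$(fingerprint "$dir/id_rsa.from_private.pub")" ] || return 1

    # 5. The converted line is what goes into ~/.ssh/authorized_keys on the
    #    target machine, again at -rw-------.
    cat "$dir/id_rsa.pub" >> "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    echo "converted key fingerprint: $(fingerprint "$dir/id_rsa.pub")"
}

# Usage: sh convert_key.sh /tmp/keywork
if [ $# -gt 0 ]; then
    convert_and_verify "$1"
fi
```

The fingerprint comparison is the part worth keeping in any such script: it confirms that the authorized_keys line really corresponds to the private key you hold before the line is distributed to other machines.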