Ssh Configure Public/Private Key Authentication

From NovaOrdis Knowledge Base
Jump to navigation Jump to search

Internal

Procedure

Create the OpenSSH Private/Public Key Pair

Run the following command on the machine you will be logging from and as the Unix user you will be using to connect: 

ssh-keygen -q -f ~/.ssh/id_rsa -t rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again:

If you want password-less log in, use an empty string as passphrase.

Permissions

Make sure ~/.ssh/id_rsa has the following permissions -rw-------.

Install the Public Key on All Machines to Log in Into

On all machines you will be logging in into, place the content of the previously generated id_rsa.pub into ~/.ssh/authorized_keys and make sure ~/.ssh/authorized_keys has the following permissions -rw-------.

Alternatively, the distribution can be done with ssh-copy-id

ssh-copy-id

.

!!2. File Permission Concerns

Make sure Template:~/.ssh/id rsa is Template:-rw-------.

Nake sure Template:~/.ssh/authorized keys is Template:-rw-------.

If the home directory in which .ssh resides is world writable, pub/pvt key authentication doesn't work and ssh falls back to password.

!!3. Configuring the Server to Allow Public Key Authentication

/etc/ssh/sshd_config must contain the following:

{{{ ... RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys ... }}}

Note that I've seen server configured to use Template:/etc/keys/%u/authorized keys. If this is the case, place the authorized_keys file there, make it owned by the respective user and give it the appropriate permissions.


Optional: Some servers list the users allowed to authenticate with public key under the "AllowUsers" directive:

{{{ ... AllowUsers admin jmp em ... }}}

Retrieved from "https://kb.novaordis.com/index.php?title=Ssh_Configure_Public/Private_Key_Authentication&oldid=19539"