Ssh Configure Public/Private Key Authentication: Difference between revisions
Line 25: | Line 25: | ||
On all machines you will be logging in '''into''', place the content of the previously generated <tt>id_rsa.pub</tt> into <tt>~/.ssh/authorized_keys</tt> and make sure <tt>~/.ssh/authorized_keys</tt> has the following permissions <tt>-rw-------</tt>. | On all machines you will be logging in '''into''', place the content of the previously generated <tt>id_rsa.pub</tt> into <tt>~/.ssh/authorized_keys</tt> and make sure <tt>~/.ssh/authorized_keys</tt> has the following permissions <tt>-rw-------</tt>. | ||
Alternatively, the distribution can be done with <tt>ssh-copy-id</tt> {{Internal|ssh-copy-id|ssh-copy-id}} | Alternatively, the distribution can be done with <tt>ssh-copy-id</tt>: {{Internal|ssh-copy-id|ssh-copy-id}} | ||
==File Permission Concerns== | |||
Make sure | Make sure <tt>~/.ssh/id_rsa</tt> is <tt>-rw-------</tt>. | ||
Nake sure | Nake sure <tt>~/.ssh/authorized_keys</tt> is <tt>-rw-------</tt>. | ||
If the home directory in which .ssh resides is world writable, pub/pvt key authentication doesn't work and ssh falls back to password. | If the home directory in which .ssh resides is world writable, pub/pvt key authentication doesn't work and ssh falls back to password. | ||
==Configuring the Server to Allow Public Key Authentication== | |||
/etc/ssh/sshd_config must contain the following: | <tt>/etc/ssh/sshd_config</tt> must contain the following: | ||
<pre> | |||
... | ... | ||
RSAAuthentication yes | RSAAuthentication yes | ||
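Review bot: the completed line for <tt>~/.ssh/authorized_keys</tt> under "File Permission Concerns" still begins with "Nake sure" in the new revision; it should read "Make sure". The two completed lines also repeat the <tt>-rw-------</tt> requirement already given in the paragraph above the heading, so consider stating each file's mode once and keeping this section for the home directory warning.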
Line 45: | Line 45: | ||
AuthorizedKeysFile .ssh/authorized_keys | AuthorizedKeysFile .ssh/authorized_keys | ||
... | ... | ||
</pre> | |||
Note that I've seen server configured to use <tt>/etc/keys/%u/authorized_keys</tt>. If this is the case, place the authorized_keys file there, make it owned by the respective user and give it the appropriate permissions. | |||
Optional: Some servers list the users allowed to authenticate with public key under the "AllowUsers" directive: | Optional: Some servers list the users allowed to authenticate with public key under the "AllowUsers" directive: | ||
<pre> | |||
... | ... | ||
AllowUsers admin jmp em | AllowUsers admin jmp em | ||
... | ... | ||
</pre> |
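Review bot: the note about <tt>/etc/keys/%u/authorized_keys</tt> tells the reader to give the file "the appropriate permissions" without naming them. State the mode explicitly, as the rest of the page does with <tt>-rw-------</tt>, so the instruction can be followed without looking elsewhere. "I've seen server configured" should also read "servers".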
Revision as of 20:01, 5 April 2017
Internal
Procedure
Create the OpenSSH Private/Public Key Pair
Run the following command on the machine you will be logging in from, as the Unix user you will be using to connect:

    ssh-keygen -q -f ~/.ssh/id_rsa -t rsa
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:

If you want passwordless login, use an empty string as the passphrase.
Permissions
Make sure ~/.ssh/id_rsa has the following permissions -rw-------.
Install the Public Key on All Machines to Log Into
On all machines you will be logging into, place the content of the previously generated id_rsa.pub into ~/.ssh/authorized_keys and make sure ~/.ssh/authorized_keys has the following permissions -rw-------.
Alternatively, the distribution can be done with ssh-copy-id.
File Permission Concerns
Make sure ~/.ssh/id_rsa is -rw-------.
Make sure ~/.ssh/authorized_keys is -rw-------.
If the home directory in which .ssh resides is world writable, public/private key authentication doesn't work and ssh falls back to password authentication.
Configuring the Server to Allow Public Key Authentication
/etc/ssh/sshd_config must contain the following:
    ...
    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys
    ...
Note that I've seen servers configured to use /etc/keys/%u/authorized_keys. If this is the case, place the authorized_keys file there, make it owned by the respective user and give it the appropriate permissions.
Optional: Some servers list the users allowed to authenticate with public key under the "AllowUsers" directive:
    ...
    AllowUsers admin jmp em
    ...
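The checks from the File Permission Concerns and server configuration sections can be scripted; the following is an added shell example, not part of the original page. The function names are hypothetical, and it assumes only the first value of AuthorizedKeysFile matters and expands only the %u token.

```shell
#!/bin/sh
# Added example: audit the file modes and sshd_config settings described above.

# sshd_option FILE KEYWORD: print the first value set for KEYWORD (case-insensitive);
# commented-out lines never match because their first field starts with '#'.
sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# has_mode PATH MODE: true when PATH's permission bits are exactly MODE
has_mode() { [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]; }

# world_writable PATH: true when the "other" write bit is set
world_writable() { [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]; }

# authorized_keys_path HOME USER CONFIG: resolve AuthorizedKeysFile for one user
authorized_keys_path() {
    p=$(sshd_option "$3" AuthorizedKeysFile)
    p=${p:-.ssh/authorized_keys}                  # the value this page uses
    p=$(printf '%s\n' "$p" | sed "s|%u|$2|g")     # e.g. /etc/keys/%u/authorized_keys
    case $p in
        /*) echo "$p" ;;                          # absolute path: use as is
        *)  echo "$1/$p" ;;                       # relative path: under the home directory
    esac
}

# check_key_perms HOME USER CONFIG: return 0 only if every check passes
check_key_perms() {
    rc=0
    if world_writable "$1"; then
        echo "FAIL: $1 is world writable; ssh will fall back to password"
        rc=1
    fi
    for f in "$1/.ssh/id_rsa" "$(authorized_keys_path "$1" "$2" "$3")"; do
        [ -e "$f" ] || continue                   # a host usually holds only one of the two
        if has_mode "$f" 600; then
            echo "ok:   $f is -rw-------"
        else
            echo "FAIL: $f is not -rw-------; fix with: chmod 600 $f"
            rc=1
        fi
    done
    if [ "$(sshd_option "$3" PubkeyAuthentication)" != yes ]; then
        echo "FAIL: 'PubkeyAuthentication yes' not found in $3"
        rc=1
    fi
    return $rc
}
```

Call it as `check_key_perms "$HOME" "$(id -un)" /etc/ssh/sshd_config`; a non-zero exit status means at least one check failed.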