Tuesday, January 8, 2013

SSH Key-Pair Authentication

Introduction

In the past I've limited SSH access to my Ubuntu virtual server by using static IP addresses. This works, but I've recently implemented a better method for ensuring SSH security for my virtual server. It uses the private/public key authentication method.

This is actually the method used pretty much everywhere else because it doesn't require hard-coded static IP addresses.

This is based mostly on the HowtoForge article about Key-Based SSH Logins with PuTTY.

Generating Keys

First things first, I need to generate a private/public key pair. This can be done either on the SSH server or the client. The HowtoForge article discusses key generation on the client using PuTTY, so I'll discuss a little about keygen on the server.

Ubuntu Server SSH Key Generation

The easiest way to generate an SSH key-pair is to use the ssh-keygen command.

ssh-keygen

I just used the default path, which generates the private key to ~/.ssh/id_rsa, and the public key is generated to id_rsa.pub

I added a passphrase to my private key which acts similar to a password.

The public key needs to be added to the authorized_keys.

cat rsa_id.pub >> authorized_keys

It's important to ensure that only the user can read/write access to this file. To check the permissions:

ls -l ~/.ssh/

To change the permissions:

cd ~/.ssh
chmod 600 ~/.ssh/authorized_keys

We're now done with the public key file, so we can remove it.

rm ~/.ssh/rsa_id.pub

The private key should be transmitted to the client. If this is being done across the internet, it's important to use some sort of encrypted file transfer such as SCP. However, I'm just using my Virtual Box host network so I'm not too worried about someone intercepting my private key. I placed the private key into %HOME%\.ssh\. For me, this ends up at C:\Users\helloworld922\.ssh\.

Enabling key pair authentication

The next step is to modify the sshd configs (/etc/ssh/sshd_config).

# enable key pair authentication
PubkeyAuthentication yes
# It's a good idea to disable password authentication once you've check to make sure that key-pair authentication is working
PasswordAuthentication no
UsePAM no

To restart the ssh server:

sudo service ssh restart

Putty Setup

Putty has it's own key private key format, so first things first we need to import the key using the PuTTYGen tool.

Figure 1: Importing a private key for use with Putty.

After it's imported, just re-save the private key in Putty's format. Feel free to add a comment and a passphrase.

Putty Settings

Start up putty and go to the Connection > SSH > Auth section. Find the location of the private key you want to use.

Figure 2: Importing a private key for use with Putty.

You can also use the Pageant software for managing private keys, though I won't do this now.

And that's it! We can now login to PuTTY without using a password. Instead, we have a passphrase and key-pair.

No comments :

Post a Comment