November 24, 2013

Securing SSH with Public/Private Key Authentication

The motives for using public/private key authentication are:

  1. Convenience: you no longer need to type a password at every login (unless you protect the private key with a passphrase).
  2. Security: once key login works, you can turn off password authentication in sshd, which removes the main target for password guessing and brute-force attacks.

Prerequisite

The remote user needs to exist on the remote server. If it does not, create it, and log in as that user at least once so that its home directory is created (or create the home directory when you add the user, e.g. with useradd -m). The public key is read from that home directory, so without it there is nowhere to install the key.

Here I will use the existing user root, for simplicity. In practice, prefer a regular user plus sudo, or at least restrict root to key-only logins with PermitRootLogin without-password, so that a guessed root password is never enough.

Client Side

Generate a public/private key pair with no passphrase. I will use the RSA algorithm with a 2048-bit key. Keep in mind that an unencrypted private key is only as safe as the file system it sits on: anyone who can read the file can log in as you. A passphrase combined with ssh-agent gives the same convenience without that exposure.

Next make sure that the ~/.ssh directory (mode 700) and the private key (mode 600) have the proper file permissions; ssh refuses to use a private key that other users can read.

The last step is to copy the client public key to the server. You can either do that manually (append it to ~/.ssh/authorized_keys in the remote user's home directory) or with the ssh-copy-id tool. Here I will use the tool.

If you are setting up public/private key authentication for a different user, replace root in the above command with your user.
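The client-side steps above, collected into one script as an added example (this is not code from the original post). It assumes OpenSSH's ssh-keygen, ssh-copy-id and ssh are installed, that the target given on the command line (root@server is a placeholder hostname) already has the user and home directory, and that the key lives at the default path ~/.ssh/id_rsa. After installing the key it logs in with BatchMode=yes and PasswordAuthentication=no, which succeeds only if the key itself was accepted, so a silent fall-back to password login cannot be mistaken for a working setup.

```shell
#!/bin/sh
# Added example, not from the original post: the client-side steps as one script.
# Assumed: OpenSSH's ssh-keygen, ssh-copy-id and ssh are installed, and the target
# (e.g. root@server, a placeholder hostname) already has the user and home directory.
set -eu

# Octal permission bits of a path; GNU stat first, BSD/macOS stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Lock down the key directory the way ssh and sshd expect: ~/.ssh 700, private
# key 600, public key 644. ssh ignores a private key that other users can read.
fix_key_perms() {
    dir="$1"; key="$2"
    chmod 700 "$dir"
    chmod 600 "$key"
    if [ -f "$key.pub" ]; then
        chmod 644 "$key.pub"
    fi
}

# Exit 0 when directory and private key have exactly those modes, 1 otherwise.
check_key_perms() {
    dir="$1"; key="$2"
    if [ "$(mode_of "$dir")" != 700 ]; then
        echo "bad mode $(mode_of "$dir") on $dir (want 700)" >&2
        return 1
    fi
    if [ "$(mode_of "$key")" != 600 ]; then
        echo "bad mode $(mode_of "$key") on $key (want 600)" >&2
        return 1
    fi
    return 0
}

# Generate the key (no passphrase, as in the post), fix permissions, install the
# public key on the server and prove that the key, not a password, logs in.
setup_client_key() {
    host="$1"
    dir="$HOME/.ssh"
    key="$dir/id_rsa"
    mkdir -p "$dir"
    if [ ! -f "$key" ]; then
        ssh-keygen -t rsa -b 2048 -N '' -f "$key"
    fi
    fix_key_perms "$dir" "$key"
    check_key_perms "$dir" "$key"
    ssh-copy-id -i "$key.pub" "$host"
    # BatchMode disables every password prompt, so this only succeeds via the key.
    ssh -o BatchMode=yes -o PasswordAuthentication=no "$host" true
    echo "key login to $host works"
}

# The network steps run only when a target is given:  sh client-key.sh root@server
if [ "$#" -ge 1 ]; then
    setup_client_key "$1"
fi
```

Run it as sh client-key.sh root@server (or your own user@host). If the final ssh command fails with "Permission denied (publickey)", the key was not accepted on the server side; the usual causes are the server-side permission and SELinux issues covered below.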

Server Side

On the server side, open /etc/ssh/sshd_config and enable public key authentication (PubkeyAuthentication yes). This is also where, later, you set PasswordAuthentication no; do not do that until the key login has been tested, or you will lock yourself out.

Then restart the ssh daemon service. Keep your current session open until the test below succeeds, so that a mistake in the configuration does not cost you access to the machine.

And finally verify that the ~/.ssh directory and the files in it are owned by your user, have the proper permissions (700 for the directory; authorized_keys not writable by anyone else, 600 being the usual choice) and, on SELinux systems, carry the ssh_home_t type. sshd silently ignores an authorized_keys file with the wrong permissions or the wrong SELinux context, so this is the first place to look when key login is refused.
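The server-side steps as an added example (not code from the original post). It reads sshd_config the way sshd does: the first value for a keyword wins and later duplicates are ignored, so a "fix" appended at the bottom of the file changes nothing. The audit reports PubkeyAuthentication, PasswordAuthentication and PermitRootLogin, and the two sample configurations it writes (a weak one with exactly that appended-fix trap, and the hardened one this post ends up with) are constructed for the example. The defaults assumed for absent keywords, and the without-password spelling of PermitRootLogin, are those of the OpenSSH releases current when this post was written; newer releases spell it prohibit-password, which the audit also accepts. The restart helper and the SELinux check assume a Linux host with sshd, systemctl or service, and the restorecon/getenforce tools.

```shell
#!/bin/sh
# Added example, not from the original post: audit /etc/ssh/sshd_config the way
# sshd reads it, then apply and verify. Assumed: OpenSSH sshd on a Linux host;
# the config file path is taken as an argument so it can be run on a copy.
set -eu

# Effective value of a keyword. sshd keeps the FIRST value it reads for each
# keyword and ignores later duplicates; keywords are case-insensitive; everything
# after a "Match" line is conditional, so the scan stops there. Only the
# "Keyword value" form is handled (the rarer "Keyword=value" form is not).
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }      # comments and blank lines
        tolower($1) == "match" { exit }   # per-user/host overrides start here
        tolower($1) == want    { print $2; exit }
    ' "$1"
}

# Report the three settings that matter for this setup. Absent keywords fall back
# to the defaults of the OpenSSH releases current when this post was written:
# PubkeyAuthentication yes, PasswordAuthentication yes, PermitRootLogin yes.
audit_sshd_config() {
    cfg="$1"; rc=0
    pk=$(sshd_effective "$cfg" PubkeyAuthentication)
    pw=$(sshd_effective "$cfg" PasswordAuthentication)
    rl=$(sshd_effective "$cfg" PermitRootLogin)
    if [ "${pk:-yes}" != yes ]; then
        echo "PubkeyAuthentication is ${pk}: key login will be refused"; rc=1
    fi
    if [ "${pw:-yes}" != no ]; then
        echo "PasswordAuthentication is ${pw:-yes}: passwords can still be guessed"; rc=1
    fi
    case "${rl:-yes}" in
        no|without-password|prohibit-password) ;;
        *) echo "PermitRootLogin is ${rl:-yes}: root accepts password logins"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample: a weak config with the classic trap of a "fix" appended at
# the bottom that sshd never applies, because the earlier value wins.
write_weak_config() {
    cat > "$1" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
# appended later by an admin, silently ignored: the first value above wins
PasswordAuthentication no
EOF
}

# Constructed sample: the settings this post ends up with. Only switch
# PasswordAuthentication off after the key login test has succeeded.
write_hardened_config() {
    cat > "$1" <<'EOF'
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin without-password
EOF
}

# Check the syntax before restarting, so a typo cannot leave the host without sshd.
apply_sshd_config() {
    sshd -t -f "$1"
    systemctl restart sshd 2>/dev/null || service sshd restart
}

# Key directory on the server: 700, authorized_keys not writable by others and,
# with SELinux enabled, labelled ssh_home_t; restorecon repairs a wrong label.
check_server_keys() {
    dir="$1"
    chmod 700 "$dir"
    chmod 600 "$dir/authorized_keys"
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != Disabled ]; then
        restorecon -Rv "$dir"
        ls -Z "$dir/authorized_keys" | grep -q ssh_home_t
    fi
}

# Audit runs only when a file is given:  sh audit-sshd.sh /etc/ssh/sshd_config
if [ "$#" -ge 1 ]; then
    audit_sshd_config "$1"
fi
```

Run sh audit-sshd.sh /etc/ssh/sshd_config on the server; each finding names the keyword and its effective value. Once the key login from the client works, edit the file, then call apply_sshd_config /etc/ssh/sshd_config and check_server_keys /root/.ssh (or the home directory of your user) from a shell you already hold open.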

Test

Finally you need to test, to verify the installation. On the client machine, switch to the user you set up the key for and
