Warning |
---|
This article is in draft. The tone of the article does not fall in line with the rest of the site, and the examples are not yet made clear. It also needs a follow-up article about how to use keys across multiple systems and how to move keys between systems. |
Introduction
If your system is reachable over SSH from the Internet, key-based authentication must be used.
Even with preventive software such as fail2ban, we have observed a honeypot system being compromised within 3 days of being set up.
...
As long as the major version number (the first digit) is close, you should have no issues.
Installing SSH
This installs the SSH server and client,
...
Note: if connecting via SSH is slow, you may want to disable the server's reverse DNS lookup of connecting clients (UseDNS no in sshd_config).
Generate Public and Private Keys on Client Machine
In principle, the public and private keys are generated by the user on their own machine, because nobody else, not even the Unix administrator, should ever hold the user's private key.
Info |
---|
Scratching your head over why keys should be generated by users? Think passwords. Any enterprise-grade environment will ask you to define your own password. Your password is then hashed and never revealed to the administrator. Where an administrator sets your initial password, that password is "one time": the system will prompt you to set a new one upon successful authentication. |
On a Unix-based system this is done from the command line, as described under Unix Client below. Windows historically had no native way of doing this (recent Windows 10 and 11 releases do ship an OpenSSH client that includes ssh-keygen), but most Windows SSH client programs provide a means of key generation.
Windows Client
Warning |
---|
Here's a link to setting up the public/private key pair using puttyGen. http://www.ualberta.ca/CNS/RESEARCH/LinuxClusters/pka-putty.html |
If you are on a Windows machine, make sure to store your private key in a protected location. Usually this would be your Windows desktop or home directory, which other accounts on the machine cannot read.
PuTTY is one of the most popular Windows SSH clients, and your keys can be set up using PuTTYgen. However, PuTTY also has not been updated in years, and I've found the generated keys to be problematic (for example, they will not work on my Mac). Instead, I recommend Bitvise SSH Client (Tunnelier) for key generation.
For normal console work I still use PuTTY (actually KiTTY), but I keep Bitvise for its superior interface for file uploads and port tunnelling.
Unix Client
On Ubuntu it's super easy, and the generated private key also works with Windows SSH clients.
ssh-keygen with no parameters generates an RSA key pair (2048 bits in the version shown below; current OpenSSH releases default to 3072 bits, and ssh-keygen -t ed25519 is the usual recommendation today):
- Private key, kept on the client machine = id_rsa
- Public key, copied to the target server machine = id_rsa.pub, whose single line is then appended to ~/.ssh/authorized_keys on the server
Code Block
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/tinpham/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/tinpham/.ssh/id_rsa.
Your public key has been saved in /Users/tinpham/.ssh/id_rsa.pub.
The key fingerprint is:
c7:6c:3e:87:4a:09:90:ef:6d:a9:88:f8:f0:89:d2:13 tinpham@Tin-Phams-iMac.local
The key's randomart image is:
+--[ RSA 2048]----+
|   . oo.         |
|  s .. .         |
|   ...++ .       |
|  T . +.=...     |
|  F o + *.       |
|   + o + .       |
|  C .            |
|   . +           |
|                 |
+-----------------+
On a Unix system ssh-keygen creates the private key with mode 0600 and ~/.ssh with mode 0700, so other accounts cannot read them; ssh will refuse to use a private key whose permissions are more open than that.
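The permission rules above are easy to break when keys are copied around, so here is a check a practitioner can run on a client's ~/.ssh (or a server account's ~/.ssh, where authorized_keys lives). This is an added example, not code from the original article; the directory to audit is an assumed argument that defaults to ~/.ssh.

```shell
#!/bin/sh
# Added example, not part of the original article: a check that the files
# ssh-keygen created (and authorized_keys on the server) are not readable or
# writable by other accounts. ssh refuses a private key whose mode grants
# anything to group/other ("Permissions 0644 ... are too open"), and sshd with
# StrictModes ignores authorized_keys if it or ~/.ssh is writable by others.
# The directory to audit is an assumed argument; it defaults to ~/.ssh.

# Print the group and "other" digits of a file's mode, e.g. "00" for 0600.
# GNU stat uses -c, BSD/macOS stat uses -f, so try both.
group_other() {
    p=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1")
    printf '%s\n' "${p#"${p%??}"}"
}

# True when neither the group nor the other digit has the write bit (2) set.
not_writable_by_others() {
    case "$(group_other "$1")" in
        [0145][0145]) return 0 ;;
        *)            return 1 ;;
    esac
}

# True when group and other have no access at all (mode 0600 / 0700).
private_to_owner() {
    [ "$(group_other "$1")" = "00" ]
}

# check_ssh_perms [DIR]: audit DIR and the key files in it.
# Returns 0 if nothing is too open, 1 otherwise, naming each offender.
check_ssh_perms() {
    dir=${1:-"$HOME/.ssh"}
    rc=0
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 1; }
    private_to_owner "$dir" || { echo "too open: $dir (expected 0700)"; rc=1; }
    for f in "$dir"/id_*; do
        [ -e "$f" ] || continue
        case "$f" in
            *.pub) not_writable_by_others "$f" || { echo "too open: $f"; rc=1; } ;;
            *)     private_to_owner "$f" || { echo "too open: $f (expected 0600)"; rc=1; } ;;
        esac
    done
    ak="$dir/authorized_keys"
    if [ -e "$ak" ] && ! not_writable_by_others "$ak"; then
        echo "too open: $ak (expected 0600 or 0644)"; rc=1
    fi
    return $rc
}

# Run directly with a directory argument, e.g.  sh check_ssh_perms.sh ~/.ssh
if [ $# -gt 0 ]; then check_ssh_perms "$1"; fi
```

The private key must be 0600 (or 0400), the public key and authorized_keys may be world-readable but never group- or world-writable, and the directory itself should be 0700; if the check reports an offender, chmod it and try the login again before looking anywhere else.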
Windows Client
Warning |
---|
Instructions for Windows to be put here. |
...
Test Key Based Authentication
...
Warning |
---|
Someone can put the instructions here. |
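Until the instructions are written, here is what a practitioner actually wants to verify at this step: that a login succeeds with the key alone (no password fallback), and that the server's sshd_config really forces key-based logins. This is an added example, not code from the original article; the user name, host name and key path are assumed placeholders, and the config parser mirrors the sshd_config(5) rule that the first occurrence of a keyword wins.

```shell
#!/bin/sh
# Added example, not part of the original article. Two things to do when
# switching a server to key-based authentication: (1) a login test that
# cannot silently fall back to a password, and (2) a check that the server's
# sshd_config really has password logins turned off. USER, HOST and the key
# path are assumed placeholders supplied by the caller.

# test_key_login USER HOST [KEYFILE]
# Offers only the given key and refuses every interactive prompt, so a
# successful run proves the key in authorized_keys is what got you in.
test_key_login() {
    key=${3:-"$HOME/.ssh/id_rsa"}
    ssh -i "$key" \
        -o IdentitiesOnly=yes \
        -o BatchMode=yes \
        -o PasswordAuthentication=no \
        -o KbdInteractiveAuthentication=no \
        "$1@$2" 'echo key-login-ok'
}

# sshd_value FILE KEYWORD
# Prints the effective value of KEYWORD (lower-cased) from an sshd_config
# copy. sshd takes the FIRST occurrence of a keyword, keywords are
# case-insensitive, "Keyword=value" is accepted, and anything after a Match
# line is conditional, so parsing stops there. On the server itself
# `sshd -T` is authoritative; this is for files copied off the box.
sshd_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/   { next }                       # blank or comment
        { sub(/=/, " ") }                                     # Keyword=value form
        tolower($1) == "match" { exit }                       # conditional section
        tolower($1) == want    { print tolower($2); exit }    # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE -> 0 if the file forces key-based logins, else 1.
# Missing keywords take the sshd_config(5) defaults, which ALLOW passwords.
audit_sshd_config() {
    f=$1; rc=0
    pw=$(sshd_value "$f" PasswordAuthentication); pw=${pw:-yes}
    pk=$(sshd_value "$f" PubkeyAuthentication);   pk=${pk:-yes}
    root=$(sshd_value "$f" PermitRootLogin);      root=${root:-prohibit-password}
    [ "$pw" = no ]     || { echo "PasswordAuthentication is $pw (want no)"; rc=1; }
    [ "$pk" = yes ]    || { echo "PubkeyAuthentication is $pk (want yes)"; rc=1; }
    [ "$root" != yes ] || { echo "PermitRootLogin is yes (want no or prohibit-password)"; rc=1; }
    return $rc
}

# Usage: sh ssh_key_test.sh /etc/ssh/sshd_config      (audit a config file)
#        test_key_login alice server.example.com      (from an interactive shell;
#                                                      names are placeholders)
if [ $# -eq 1 ]; then audit_sshd_config "$1"; fi
```

Run the login test before setting PasswordAuthentication no on the server, from a second terminal while an existing session stays open; if it fails, the key or permissions are wrong and you still have a way in. Only once it prints key-login-ok should the audit be expected to pass, and remember that a second PasswordAuthentication line further down the file does not override the first one.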
...
Sometimes you need to convert a key between formats (for example, between an OpenSSH id_rsa file and PuTTY's .ppk format); PuTTYgen can do this: http://www.freetutorialssubmit.com/convert-ssh-private-key-with-putty-keygen/1400
Warning |
---|
Instructions for Windows to be put here. |