...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
ssh -v www.bonsaiframework.com OpenSSH_7.4p1, LibreSSL 2.5.0 debug1: Reading configuration data /Users/tin.pham/.ssh/config debug1: Reading configuration data /etc/ssh/ssh_config debug1: Connecting to www.bonsaiframework.com [52.184.187.123] port 22. debug1: Connection established. debug1: identity file /Users/tin.pham/.ssh/id_rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /Users/tin.pham/.ssh/id_rsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /Users/tin.pham/.ssh/id_dsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /Users/tin.pham/.ssh/id_dsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /Users/tin.pham/.ssh/id_ecdsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /Users/tin.pham/.ssh/id_ecdsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /Users/tin.pham/.ssh/id_ed25519 type -1 debug1: key_load_public: No such file or directory debug1: identity file /Users/tin.pham/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.4 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* compat 0x04000000 debug1: Authenticating to www.bonsaiframework.com:22 as 'tin.pham' debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: curve25519-sha256@libssh.org debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ecdsa-sha2-nistp256 SHA256:8MQQ0Cd0AG3WEQdOhnOalK0z7XmGW6PE6s+1sa7Gb0Y debug1: Host 'www.bonsaiframework.com' is known and matches the ECDSA host key. debug1: Found key in /Users/tin.pham/.ssh/known_hosts:20 debug1: rekey after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey after 134217728 blocks debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512> debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: /Users/tin.pham/.ssh/id_rsa debug1: Server accepts key: pkalg rsa-sha2-512 blen 277 debug1: Authentication succeeded (publickey). Authenticated to www.bonsaiframework.com ([52.184.187.123]:22). debug1: channel 0: new [client-session] debug1: Requesting no-more-sessions@openssh.com debug1: Entering interactive session. debug1: pledge: network debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0 |
The key values to notice are the loading of the proper key files, that RSA is being used and the "offering" of the key completes successfully. You should not need to type in your account password if your keys are working.
Disable Password Authentication
...
Code Block | ||
---|---|---|
| ||
# Since this is a critical file, back it up first. sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.2011-02-12.v0.0.tinpham_about_to_disable_password_auth.bck # Load the file in your favourite editor. sudo vi /etc/ssh/sshd_config |
Adjust We can modify sshd_config quickly using sed,
Code Block | ||
---|---|---|
| ||
sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config |
Changes the following,
Code Block | ||
---|---|---|
| ||
# Change to no to disable tunnelled clear text passwords #PasswordAuthentication yes |
Remove the comment Uncomment and change yes to no. It should look like this,
...
The Permission denied indicates that password authentication is now disabled.
Key Compromise
...
Strategies
Reusing Public Keys Across Machines
You can actually reuse public keys across machines. With this approach, you only need to keep track of one private key per user. Of course, this also means if your private key is compromised all your systems are accessible with the one key.
Key Compromise
- ... revoking keys
- ... strategies for centralizing key management and then also pitfalls
- ... is it possible to force password protected private keys
Resources
http://www.ibm.com/developerworks/library/l-keyc.html - pretty good article, I think I can improve it, shorter, clearly show when running on client or server.
...