This article is in draft. The tone of the article does not fall in line with the rest of the site. The examples are not yet made clear.
This also needs a followup article about how to use keys across multiple systems and moving keys across systems.
Introduction
If your system is available through ssh on the Internet key based authentication should be used.
Even with preventative software such as fail2ban we have observed honeypot system being compromised within 3 days of being set up.
For the choice of keys to use, RSA is often selected over DSA because it has a the stronger key length of 2048 and 4096. DSA can only be 1024.
It is unlikely you will run into issues if the versions of OpenSSH are different from client and server. However, just in case, you might want to determine the version of Open SSH installed,
ssh -V #Determine SSH client version OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009 sshd -v #Determine SSH Server version (ignore the error message) sshd: illegal option -- v OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009 usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-f config_file] [-g login_grace_time] [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]
Installing SSH
sudo apt-get install ssh
At this point we have installed ssh, and it is time to create the users who require SSH access to the server. Since the setup admin user is only required for server installation, it will not need ssh for further access.
Generate Public and Private Keys on Client Machine
In principle, the generation of the Public and Private keys are done by user themselves on their own machine. This is because even the Unix Administrator should not have the user's private key.
Scratching your head on why keys should be generated by users? Think passwords. Any enterprise grade environment will ask you to define your own password. Your password is then hashed and never revealed to the Administrator. In the case where an Administrator sets your initial password, the password will be "one time" where the system will prompt you to set a new password upon successful authentication.
With a Unix based system this can be accomplished with the command line as follows. Windows does not have a native way of doing this, but most Windows ssh client programs will provide a means of key generation.
Unix Based System
ssh-keygen without parameters generates 2048 RSA public and private keys.
Question from harry: do we need to create the .ssh directory before we run the ssh-keygen?
ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/Users/tinpham/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /Users/tinpham/.ssh/id_rsa. Your public key has been saved in /Users/tinpham/.ssh/id_rsa.pub. The key fingerprint is: c7:6c:3e:87:4a:09:90:ef:6d:a9:88:f8:f0:89:d2:13 tinpham@Tin-Phams-iMac.local The key's randomart image is: +--[ RSA 2048]----+ | . oo. | | s .. . | | ...++ .| | T . +.=...| | F o + *. | | + o + . | | C . | | . + | | | +-----------------+
On a Unix system file permissions should automatically be set to protect your key files from other accounts.
Windows
Instructions for Windows to be put here.
If you are on a Windows machine, make sure to store your private key on a protected location. Usually this would be your Windows desktop or home directory.
Place Public Key on Server
Ubuntu Shortcut
If you happen to using a Linux client there is a shortcut to getting everything up and running on the server,
ssh-copy-id username@remotehost
It accomplishes in one command,
To provide details here. Harry says i don't understand the purpose of the previous code block.
Copy Over Key
Since I happen to be using Mac OS X I do this manually,
scp .ssh/id_rsa.pub bhitch@krypton.com:~
Setup .ssh Directory
Log into the server using your existing authentication method,
First check in your home folder that you have a .ssh directory and an authorized_keys. If you had used your account to access another server through ssh the files may have been created for you. Otherwise, perform the following steps,
mkdir ~/.ssh chmod 700 ~/.ssh touch ~/.ssh/authorized_keys chmod 600 ~/.ssh/authorized_keys
Add the Public key added to the authorized_keys file,
cd ~/.ssh cat id_rsa.pub >> authorized_keys
Test Key Based Authetication
Roderick you can put the instructions here.
Disable Password Authentication
Modify the sshd_config file to disable password authentication,
# Since this is a critical file, back it up first. sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.2011-02-12.v0.0.tinpham_about_to_disable_password_auth.bck # Load the file in your favourite editor. sudo vi /etc/ssh/sshd_config
Adjust the following,
# Change to no to disable tunnelled clear text passwords #PasswordAuthentication yes
Remove the comment and change to no. It should look like this,
# Change to no to disable tunnelled clear text passwords PasswordAuthentication no
Finally restart ssh for the change to take effect,
sudo service ssh restart
In older versions of Ubuntu (to determine) where Upstart is not available use,
sudo /etc/init.d/ssh reload * Reloading OpenBSD Secure Shell server's configuration sshd ...done.
Now go to another machine other than the server and try to authenticate using ssh,
ssh tpham@lemonbistro.com Permission denied (publickey).
The Permission denied indicates that password authentication is now disabled.
Key Compromise
...
Strategies
Reusing Public Keys Across Machines
You can actually reuse public keys across machines. With this approach, you only need to keep track of one private key per user.
Resources
http://www.ibm.com/developerworks/library/l-keyc.html - pretty good article, I think I can improve it, shorter, clearly show when running on client or server.
http://serverfault.com/questions/40071/ssh-keypair-generation-rsa-or-dsa - talks about key length.
https://help.ubuntu.com/10.10/serverguide/C/openssh-server.html - Ubuntu version of docs.
http://www.howtoforge.com/ssh_key_based_logins_putty - instructions on using Putty, found the Auto-login tip useful.
http://stackoverflow.com/questions/2419566/best-way-to-use-multiple-ssh-private-keys-on-one-client - how to use multiple ssh keys using the config file.