
Introduction

...

RSA appears to offer higher security for the following reason:

  • Longer key length: as high as 2048 bits, versus DSA, which must be 1024 bits

Determine the version of OpenSSH installed:

Tin-Phams-iMac:~ tinpham$ ssh -V
OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
Tin-Phams-iMac:~ tinpham$ sshd -v
sshd: illegal option -- v
OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-f config_file]
            [-g login_grace_time] [-h host_key_file] [-k key_gen_time]
            [-o option] [-p port] [-u len]
Tin-Phams-iMac:~ tinpham$

Generate Public and Private Keys on Client Machine

Usually this is done on the client machine; however, most Windows systems do not have OpenSSH.

ssh-keygen without parameters generates a 2048-bit RSA key:

Tin-Phams-iMac:~ tinpham$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/tinpham/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/tinpham/.ssh/id_rsa.
Your public key has been saved in /Users/tinpham/.ssh/id_rsa.pub.
The key fingerprint is:
c7:6c:3e:87:4a:09:90:ef:6d:a9:88:f8:f0:89:d2:13 tinpham@Tin-Phams-iMac.local
The key's randomart image is:
+--[ RSA 2048]----+
|        . oo.    |
|         s ..  . |
|          ...++ .|
|       T . +.=...|
|        F o + *. |
|         + o + . |
|          C .    |
|         . +     |
|                 |
+-----------------+
Tin-Phams-iMac:~ tinpham$

On a Unix system, file permissions should automatically be set to protect your key files from other accounts. If you are on a Windows machine, make sure to store your private key in a protected location. Usually this would be your Windows desktop or home directory.

Copy Public Key to Server

If you happen to be using a Linux client, there is a shortcut for copying the public key to the server:

ssh-copy-id username@remotehost

Since I happen to be using Mac OS X, I do this manually:

scp ...

Log into the server using your existing authentication method,

Disable Password Authentication

Adjust the following in the server's sshd_config file:

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

Remove the comment marker and change the value to no, then reload the SSH server configuration:

sudo /etc/init.d/ssh reload
 * Reloading OpenBSD Secure Shell server's configuration sshd
   ...done.

Now go to another machine and try to authenticate using ssh,

ssh tpham@lemonbistro.com
Permission denied (publickey).

The "Permission denied (publickey)" response indicates that password authentication is now disabled.
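
The following is an added example, not part of the original page: a shell check that reports the PasswordAuthentication value sshd would take from a config file, covering the commented-out line shown above and the rule that the first value read for a keyword wins. It goes slightly beyond the page by also checking ChallengeResponseAuthentication; the function names, sample file contents and the assumed "yes" defaults are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.

# effective_setting FILE KEYWORD DEFAULT
# Prints the value sshd would use from the global section of FILE:
# keywords are case-insensitive, '#' lines are comments, the first value
# read for a keyword wins, and the global section ends at the first Match.
effective_setting() {
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }  # comments and blank lines
        {
            line = $0
            gsub(/=/, " ", line)           # accept "Keyword=value" too
            n = split(line, f)             # whitespace split, trims indent
            key = tolower(f[1])
            if (key == "match") exit
            if (key == want && n >= 2) { val = tolower(f[2]); found = 1; exit }
        }
        END { print (found ? val : def) }
    ' "$1"
}

# password_login_disabled FILE
# True only if both password-style methods resolve to "no". Assumption:
# each keyword defaults to "yes" when absent, as on OpenSSH of this era.
password_login_disabled() {
    [ "$(effective_setting "$1" PasswordAuthentication yes)" = no ] &&
    [ "$(effective_setting "$1" ChallengeResponseAuthentication yes)" = no ]
}

# Constructed sample files (hypothetical contents, for illustration only).
write_before() {   # untouched state: the setting is still commented out
    printf '%s\n' '# Change to no to disable tunnelled clear text passwords' \
        '#PasswordAuthentication yes' 'ChallengeResponseAuthentication no' > "$1"
}
write_after() {    # value changed to no; the later duplicate is ignored
    printf '%s\n' 'ChallengeResponseAuthentication no' \
        'passwordauthentication   no' 'PasswordAuthentication yes' > "$1"
}

tmp=$(mktemp -d)
write_before "$tmp/before"; write_after "$tmp/after"
for f in before after; do
    if password_login_disabled "$tmp/$f"; then echo "$f: password login disabled"
    else echo "$f: password login still possible"; fi
done
rm -rf "$tmp"
```

On a live server, sudo sshd -T prints the configuration sshd has actually loaded, which is the authoritative check.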

Resources

http://www.ibm.com/developerworks/library/l-keyc.html - pretty good article, I think I can improve it, shorter, clearly show when running on client or server.

http://serverfault.com/questions/40071/ssh-keypair-generation-rsa-or-dsa - talks about key length.

https://help.ubuntu.com/10.10/serverguide/C/openssh-server.html - Ubuntu version of docs.
