Introduction
Particularly if your system is reachable over ssh from the Internet, key-based authentication should be considered.
We use RSA because it supports the stronger key length of 2048 bits; DSA keys can only be 1024 bits.
Determine the version of OpenSSH installed,
Tin-Phams-iMac:~ tinpham$ ssh -V
OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
Tin-Phams-iMac:~ tinpham$ sshd -v
sshd: illegal option -- v
OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-f config_file]
            [-g login_grace_time] [-h host_key_file] [-k key_gen_time]
            [-o option] [-p port] [-u len]
Tin-Phams-iMac:~ tinpham$
Generate Public and Private Keys on Client Machine
Usually this is done on the client machine; however, most Windows systems do not have OpenSSH installed.
ssh-keygen without parameters generates a 2048-bit RSA key,
Tin-Phams-iMac:~ tinpham$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/tinpham/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/tinpham/.ssh/id_rsa.
Your public key has been saved in /Users/tinpham/.ssh/id_rsa.pub.
The key fingerprint is:
c7:6c:3e:87:4a:09:90:ef:6d:a9:88:f8:f0:89:d2:13 tinpham@Tin-Phams-iMac.local
The key's randomart image is:
+--[ RSA 2048]----+
|     . oo.       |
|    s .. .       |
|     ...++ .     |
|    T . +.=...   |
|    F o + *.     |
|   + o + .       |
|    C .          |
|     . +         |
|                 |
+-----------------+
Tin-Phams-iMac:~ tinpham$
On a Unix system file permissions should automatically be set to protect your key files from other accounts. If you are on a Windows machine, make sure to store your private key on a protected location. Usually this would be your Windows desktop or home directory.
Place Public Key on Server
Ubuntu Shortcut
If you happen to be using a Linux client there is a shortcut to getting everything up and running on the server,
ssh-copy-id username@remotehost
It accomplishes in one command,
...
Copy Over Key
Since I happen to be using Mac OS X I do this manually,
scp .ssh/id_rsa.pub bhitch@krypton.com:~
Setup .ssh Directory
Log into the server using your existing authentication method,
First check in your home folder that you have a .ssh directory and an authorized_keys file. If you have used your account to access another server through ssh, the files may have been created for you. Otherwise, perform the following steps,
mkdir ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
The key part of this procedure (no pun intended) is to have your public key added to the authorized_keys file,
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
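The steps above (the permissions remark in the key-generation section and the .ssh directory setup just shown) can be scripted so they are safe to re-run. The following is an added example, not part of the original post: it appends a public key only if that exact line is not already present (a plain cat >> adds a duplicate every time it runs), refuses anything that does not look like a public key line, and then verifies the modes the post asks for. The directory and key-file paths are parameters, and the key material in the demo is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent authorized_keys setup
# plus a permissions check. Works against any directory passed as $1.

# has_mode FILE MODE: succeed only if FILE exists with exactly octal MODE.
has_mode() {
    [ -e "$1" ] && [ -n "$(find "$1" -maxdepth 0 -perm "$2" 2>/dev/null)" ]
}

# check_ssh_perms DIR: print one line per problem; return 0 only if the
# directory is 700 and the private key / authorized_keys (if present) are 600.
check_ssh_perms() {
    dir=$1; bad=0
    has_mode "$dir" 700 || { echo "$dir: expected mode 700"; bad=1; }
    for f in "$dir"/authorized_keys "$dir"/id_rsa; do
        [ -e "$f" ] || continue
        has_mode "$f" 600 || { echo "$f: expected mode 600"; bad=1; }
    done
    return $bad
}

# add_authorized_key DIR PUBKEY_FILE: create DIR/authorized_keys with the right
# modes if needed, then append the key unless the identical line is already
# there. Only a single "ssh-rsa ..." / "ssh-dss ..." line is accepted, so a
# private key file passed by mistake is never appended.
add_authorized_key() {
    dir=$1; pub=$2
    key=$(head -n 1 "$pub")
    case $key in
        "ssh-rsa "*|"ssh-dss "*) ;;
        *) echo "refusing to add $pub: not a public key line" >&2; return 1 ;;
    esac
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys"
    if grep -qxF "$key" "$dir/authorized_keys"; then
        echo "already present"
    else
        printf '%s\n' "$key" >> "$dir/authorized_keys" && echo "added"
    fi
}

# count_keys DIR: number of key lines currently authorized.
count_keys() { grep -c '^ssh-' "$1/authorized_keys"; }

# Demo in a scratch directory with a constructed (fake) public key line.
demo() {
    tmp=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEY tinpham@example\n' > "$tmp/id_rsa.pub"
    add_authorized_key "$tmp/.ssh" "$tmp/id_rsa.pub"    # prints "added"
    add_authorized_key "$tmp/.ssh" "$tmp/id_rsa.pub"    # prints "already present"
    check_ssh_perms "$tmp/.ssh" && echo "permissions ok"
    count_keys "$tmp/.ssh"                               # prints 1
    rm -rf "$tmp"
}
demo
```

On the real server this would be called as add_authorized_key ~/.ssh ~/id_rsa.pub after the scp step; check_ssh_perms ~/.ssh is also a useful thing to run on the client, since sshd and ssh both refuse to use key files that other accounts can read.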
Disable Password Authentication
Adjust the following in the server's sshd configuration file (/etc/ssh/sshd_config on Ubuntu),
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
Remove the comment and change the value to no, then reload sshd so the change takes effect,
sudo /etc/init.d/ssh reload
 * Reloading OpenBSD Secure Shell server's configuration sshd   ...done.
Now go to another machine and try to authenticate using ssh,
ssh tpham@lemonbistro.com
Permission denied (publickey).
The Permission denied (publickey) response from a machine that has no key installed indicates that password authentication is now disabled.
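Editing a commented-out line is easy to get wrong (leaving the # in place keeps sshd's compiled-in default of yes), so it is worth checking the effective setting before relying on the test login above. This added example, not part of the original post, reads an sshd_config the way sshd does: the first uncommented occurrence of a keyword wins, and a keyword that never appears uncommented keeps its default. It audits the weak "before" fragment quoted above next to the corrected "after" form. It also checks ChallengeResponseAuthentication, because with PAM in use the keyboard-interactive method can still accept the account password when only PasswordAuthentication is set to no, and PubkeyAuthentication, since turning that off while disabling passwords would lock you out. The file paths are parameters; the two config fragments in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): report the effective value of
# sshd_config keywords and audit whether password logins are really off.

# effective_setting FILE KEYWORD DEFAULT: echo the first uncommented value of
# KEYWORD (keywords are case-insensitive, as in sshd) or DEFAULT if none is set.
effective_setting() {
    val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    [ -n "$val" ] && echo "$val" || echo "$3"
}

# audit_password_auth FILE: return 0 if password logins are fully disabled and
# key logins are still allowed; otherwise print what is still open and return 1.
audit_password_auth() {
    ok=0
    pw=$(effective_setting "$1" PasswordAuthentication yes)
    cr=$(effective_setting "$1" ChallengeResponseAuthentication yes)
    pk=$(effective_setting "$1" PubkeyAuthentication yes)
    [ "$pw" = no ] || { echo "PasswordAuthentication is $pw (sshd default: yes)"; ok=1; }
    [ "$cr" = no ] || { echo "ChallengeResponseAuthentication is $cr: PAM password prompts still possible"; ok=1; }
    [ "$pk" = yes ] || { echo "PubkeyAuthentication is $pk: keys would not be accepted"; ok=1; }
    return $ok
}

# Demo with two constructed fragments: the stock commented line from the post,
# and the same file after the comment is removed and the value changed to no.
demo() {
    tmp=$(mktemp -d)
    printf '# Change to no to disable tunnelled clear text passwords\n#PasswordAuthentication yes\nChallengeResponseAuthentication no\n' > "$tmp/before"
    printf 'PasswordAuthentication no\nChallengeResponseAuthentication no\n' > "$tmp/after"
    for f in before after; do
        if audit_password_auth "$tmp/$f"; then
            echo "$f: password logins disabled"
        else
            echo "$f: password logins still possible"
        fi
    done
    rm -rf "$tmp"
}
demo
```

Run audit_password_auth /etc/ssh/sshd_config on the server after the reload; the test login from another machine then confirms what the file says.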
Key Compromise
...
Strategies
...
Resources
http://www.ibm.com/developerworks/library/l-keyc.html - pretty good article; I think I can improve on it: shorter, and clearly showing whether a step runs on the client or the server.
http://serverfault.com/questions/40071/ssh-keypair-generation-rsa-or-dsa - talks about key length.
https://help.ubuntu.com/10.10/serverguide/C/openssh-server.html - Ubuntu version of the docs.