
This article is in draft. The voice is not correct. The examples are not yet made clear.

Introduction

Particularly if your system is reachable over SSH from the Internet, key-based authentication should be considered.

RSA is often used over DSA because it supports the stronger key lengths of 2048 and 4096 bits; DSA keys can only be 1024 bits.

It is unlikely you will run into issues if the client and server run different versions of OpenSSH. However, just in case, you might want to determine the version of OpenSSH installed:

ssh -V #Determine SSH client version
OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009

sshd -v #Determine SSH Server version (ignore the error message)
sshd: illegal option -- v
OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-f config_file]
            [-g login_grace_time] [-h host_key_file] [-k key_gen_time]
            [-o option] [-p port] [-u len]

Generate Public and Private Keys on Client Machine

Usually this is done on the client machine. On a Unix-based system this can be accomplished from the command line as follows. Windows does not have a native way of doing this, but most SSH client programs provide a GUI means of key generation.

It actually does not matter what kind of system the keys are generated on. Keys from one type of system can easily be moved to another.

Unix Based System

ssh-keygen without parameters generates a 2048-bit RSA public/private key pair:

ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/tinpham/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/tinpham/.ssh/id_rsa.
Your public key has been saved in /Users/tinpham/.ssh/id_rsa.pub.
The key fingerprint is:
c7:6c:3e:87:4a:09:90:ef:6d:a9:88:f8:f0:89:d2:13 tinpham@Tin-Phams-iMac.local
The key's randomart image is:
+--[ RSA 2048]----+
|        . oo.    |
|         s ..  . |
|          ...++ .|
|       T . +.=...|
|        F o + *. |
|         + o + . |
|          C .    |
|         . +     |
|                 |
+-----------------+

On a Unix system, file permissions should automatically be set to protect your key files from other accounts.

Windows

Instructions for Windows to be put here.

If you are on a Windows machine, make sure to store your private key in a protected location. Usually this would be your Windows desktop or home directory.

Place Public Key on Server

Ubuntu Shortcut

If you happen to be using a Linux client, there is a shortcut that gets everything up and running on the server:

ssh-copy-id username@remotehost

It accomplishes the following in one command:

To provide details here.

Copy Over Key

Since I happen to be using Mac OS X, I do this manually:

scp .ssh/id_rsa.pub bhitch@krypton.com:~

Setup .ssh Directory

Log into the server using your existing authentication method.

First, check that your home folder contains a .ssh directory and an authorized_keys file. If you have already used this account to access another server through ssh, the files may have been created for you. Otherwise, perform the following steps:

mkdir ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Append the public key to the authorized_keys file:

cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
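The directory, permission and append steps above (the same work ssh-copy-id does for you in the Ubuntu shortcut) as an added shell helper; this is not code from the original page, the function names and the sample key in the comments are my own, and it additionally refuses files that are not public keys and skips a key that is already installed.

```shell
#!/bin/sh
# Hypothetical helper (not from the page): install one OpenSSH public key into a
# user's authorized_keys, creating ~/.ssh with the permissions the page requires.
# Usage: install_authorized_key <pubkey-file> [home-dir]
install_authorized_key() {
    pubkey_file=$1
    home_dir=${2:-$HOME}
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Accept only a line that looks like an OpenSSH public key (type, blob, comment).
    # This catches the common mistake of copying id_rsa instead of id_rsa.pub.
    key_line=$(head -n 1 "$pubkey_file") || return 1
    case "$key_line" in
        "ssh-rsa "*|"ssh-dss "*|"ssh-ed25519 "*|ecdsa-sha2-*" "*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    # mkdir ~/.ssh; chmod 700 ~/.ssh; touch + chmod 600 authorized_keys, as on the page.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file" || return 1

    # Compare key type and blob only, so the same key with another comment is a duplicate.
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $1 " " $2}')
    if awk -v k="$key_blob" '($1 " " $2) == k {found=1} END {exit !found}' "$auth_file"; then
        echo "key already present in $auth_file"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "key added to $auth_file"
}

# Check that the directory and file carry exactly the modes sshd expects (700 / 600).
# Usage: check_ssh_perms [home-dir]
check_ssh_perms() {
    home_dir=${1:-$HOME}
    [ "$(ls -ld "$home_dir/.ssh" | cut -c1-10)" = "drwx------" ] || return 1
    [ "$(ls -l "$home_dir/.ssh/authorized_keys" | cut -c1-10)" = "-rw-------" ] || return 1
}
```

Running it a second time with the same key reports the key as already present instead of appending a duplicate line.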

Disable Password Authentication

In the sshd configuration file, adjust the following:

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

Uncomment the line and change yes to no, then reload the server:

sudo /etc/init.d/ssh reload
 * Reloading OpenBSD Secure Shell server's configuration sshd
   ...done.

Now go to another machine that does not hold the private key and try to authenticate using ssh:

ssh tpham@lemonbistro.com
Permission denied (publickey).

The Permission denied (publickey) response indicates that password authentication is now disabled and the server only offers public-key authentication.

Key Compromise

...

Strategies

...

Resources

http://www.ibm.com/developerworks/library/l-keyc.html - pretty good article; I think I can improve on it: shorter, clearly showing when a step runs on the client or on the server.

http://serverfault.com/questions/40071/ssh-keypair-generation-rsa-or-dsa - talks about key length.

https://help.ubuntu.com/10.10/serverguide/C/openssh-server.html - Ubuntu version of docs.

http://www.howtoforge.com/ssh_key_based_logins_putty - instructions on using PuTTY; found the Auto-login tip useful.
