Introduction
...
RSA appears to offer higher security for the following reason,
- Stronger key length, as high as 2048 bits, versus DSA, which must be 1024 bits
Determine the version of OpenSSH installed,
Tin-Phams-iMac:~ tinpham$ ssh -V
OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
Tin-Phams-iMac:~ tinpham$ sshd -v
sshd: illegal option -- v
OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-f config_file]
            [-g login_grace_time] [-h host_key_file] [-k key_gen_time]
            [-o option] [-p port] [-u len]
Tin-Phams-iMac:~ tinpham$
Generate Public and Private Keys on Client Machine
Usually this is done on the client machine; however, most Windows systems do not have OpenSSH installed.
ssh-keygen without parameters generates a 2048-bit RSA key,
Tin-Phams-iMac:~ tinpham$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/tinpham/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/tinpham/.ssh/id_rsa.
Your public key has been saved in /Users/tinpham/.ssh/id_rsa.pub.
The key fingerprint is:
c7:6c:3e:87:4a:09:90:ef:6d:a9:88:f8:f0:89:d2:13 tinpham@Tin-Phams-iMac.local
The key's randomart image is:
+--[ RSA 2048]----+
|       . oo.     |
|      s .. .     |
|       ...++    .|
|     T . +.=...  |
|      F o + *.   |
|       + o + .   |
|        C .      |
|         . +     |
|                 |
+-----------------+
Tin-Phams-iMac:~ tinpham$
On a Unix system, file permissions should automatically be set to protect your key files from other accounts. If you are on a Windows machine, make sure to store your private key in a protected location. Usually this would be your Windows desktop or home directory.
Place Public Key on Server
Ubuntu Shortcut
If you happen to be using a Linux client, there is a shortcut to getting everything up and running on the server,
ssh-copy-id username@remotehost
It accomplishes in one command,
...
Copy Over Key
Since I happen to be using Mac OS X, I do this manually,
scp .ssh/id_rsa.pub bhitch@krypton.com:~
Setup .ssh Directory
Log into the server using your existing authentication method,
First, check in your home folder that you have a .ssh directory and an authorized_keys file. If you have used your account to access another server through ssh, the files may have been created for you. Otherwise, perform the following steps,
mkdir ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
The key (no pun intended) part of this procedure is to have your public key, the id_rsa.pub file copied over above, appended to the authorized_keys file,
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
Disable Password Authentication
Adjust the following in the server's sshd configuration file (/etc/ssh/sshd_config),
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
Remove the comment and change yes to no, then reload sshd so the setting takes effect,
sudo /etc/init.d/ssh reload
 * Reloading OpenBSD Secure Shell server's configuration sshd
   ...done.
Now go to another machine, one without the private key, and try to authenticate using ssh,
ssh tpham@lemonbistro.com
Permission denied (publickey).
The "Permission denied (publickey)" message indicates that password authentication is now disabled: the server accepts only public-key authentication, so a client without a matching private key is refused instead of being prompted for a password.
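The server-side steps above (create ~/.ssh, lock down its permissions, append the public key, and confirm that sshd_config really says PasswordAuthentication no) can be scripted. The following is an added example, not code from the original post: it takes the home directory, key file and config file as parameters so it can be exercised against a scratch directory, skips a key that is already present in authorized_keys, and reads the PasswordAuthentication directive the way sshd does (first uncommented occurrence wins, default yes). The home directory, key and config used in the demo are constructed.

```shell
#!/bin/sh
# Added example (not the original post's code). Automates the server-side key
# installation steps and checks the sshd_config edit before passwords are
# switched off. All paths are parameters; the demo data below is constructed.

# install_pubkey HOME_DIR PUBKEY_FILE
install_pubkey() {
    home_dir="$1"
    pubkey_file="$2"
    auth_keys="$home_dir/.ssh/authorized_keys"

    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Append each non-comment line of the public key file unless it is already
    # present; -F -x compares the whole line as a fixed string, not a regex.
    while IFS= read -r key || [ -n "$key" ]; do
        case "$key" in
            ''|'#'*) continue ;;
        esac
        if ! grep -qxF -- "$key" "$auth_keys"; then
            printf '%s\n' "$key" >> "$auth_keys"
        fi
    done < "$pubkey_file"
}

# count_authorized_keys HOME_DIR: number of key lines in authorized_keys.
count_authorized_keys() {
    grep -c '^ssh-' "$1/.ssh/authorized_keys"
}

# has_mode PATH OCTAL: succeeds if PATH has exactly the given permission bits.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2")" ]
}

# password_auth_enabled SSHD_CONFIG: prints yes or no. sshd honours the first
# uncommented occurrence of a keyword and defaults to yes, so the stock
# commented-out line leaves password logins enabled.
password_auth_enabled() {
    val=$(grep -iE '^[[:space:]]*PasswordAuthentication[[:space:]]' "$1" \
          | head -n 1 | awk '{print tolower($2)}')
    if [ "$val" = "no" ]; then echo no; else echo yes; fi
}

# --- demo on a scratch directory (constructed data, not a real key) ---
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedkeydata tinpham@example\n' \
    > "$demo/id_rsa.pub"
install_pubkey "$demo/home" "$demo/id_rsa.pub"
install_pubkey "$demo/home" "$demo/id_rsa.pub"   # second run must not duplicate

# The stock commented-out directive versus the edited one.
printf '# Change to no to disable tunnelled clear text passwords\n#PasswordAuthentication yes\n' \
    > "$demo/sshd_config.before"
printf 'PasswordAuthentication no\n' > "$demo/sshd_config.after"

echo "keys installed:        $(count_authorized_keys "$demo/home")"
echo "passwords before edit: $(password_auth_enabled "$demo/sshd_config.before")"
echo "passwords after edit:  $(password_auth_enabled "$demo/sshd_config.after")"
```

Running the key installation twice is deliberate: it shows that the duplicate check keeps authorized_keys to one entry per key, which matters later when auditing which keys can log in. The config check only looks at the global directive; a Match block in sshd_config can still override it for particular users or addresses, so read the whole file when in doubt.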
Resources
http://www.ibm.com/developerworks/library/l-keyc.html - pretty good article, I think I can improve it, shorter, clearly show when running on client or server.
http://serverfault.com/questions/40071/ssh-keypair-generation-rsa-or-dsa - talks about key length.
https://help.ubuntu.com/10.10/serverguide/C/openssh-server.html - Ubuntu version of the docs.