Friday, November 25, 2011

SSH access with keys and no password

One of the handiest things about SSH is setting up key-based authentication: you no longer type a password, yet access to the host stays strongly protected. Logins are faster, and because authentication depends on your private key rather than a password, nobody without that key can get in.

For a while I was having issues setting this up; I knew that you needed to create the keys but wasn't sure how to set up SSH access beyond that. So I set up a home server running FreeBSD 8.2 and configured port forwarding on my home router. I wanted to keep this as secure as possible, but also allow access from any location, so I could reach my home system remotely.

So here are the steps I used; I hope they are helpful.

First, if you're on a Windows system there might be some issues creating the keys. You can make keys with PuTTY, but there are some differences: mostly you will need to rename the files and do some additional editing. In these examples I created the keys on an Ubuntu-based system and accessed a FreeBSD host. Please note "user" is your account name and "hostname" is the machine name.

Before starting, make sure your remote host is set up if needed. Here I'm working on a home machine, so I first need to edit the SSH service configuration file located at /etc/ssh/sshd_config. Use your favorite text editor; I will list only the important options below.

First, make sure root SSH login is disabled, and that only your account is listed as allowed to log in.

AllowUsers user

We are also going to disable password authentication. 

PasswordAuthentication no

Also enable public-key (RSA) authentication and tell sshd where to find the authorized keys.

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

Save the file and restart the sshd service. If you are accessing a company server the details will differ, and these host-side setup steps may already have been done for you.
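As an added example (not from the original post), here is a small POSIX sh audit that reads an sshd_config and reports whether it carries the settings described above. It mirrors one sshd rule worth knowing: when a keyword appears more than once, the first uncommented occurrence wins, so the script reports that first value. The PermitRootLogin check is an assumption based on the "root login disabled" advice; the post itself does not show that line.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config file
# for the hardening settings discussed above.

# Print the effective value of a keyword (case-insensitive), the way sshd
# resolves it: the first uncommented occurrence wins.
sshd_effective() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                          # skip comments
        NF >= 2 && tolower($1) == key { print $2; exit }   # first match wins
    ' "$1"
}

# Return 0 if the file enforces the settings from the post, 1 otherwise,
# printing one line per failed check so the output works as a report.
# An unset PasswordAuthentication counts as a failure: sshd defaults it to yes.
check_sshd_config() {
    file="$1"; rc=0

    v=$(sshd_effective "$file" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "PasswordAuthentication should be no (got '${v:-unset}')"; rc=1; }

    v=$(sshd_effective "$file" PubkeyAuthentication)
    [ "$v" = "yes" ] || { echo "PubkeyAuthentication should be yes (got '${v:-unset}')"; rc=1; }

    # Assumed check: the post says root login must be disabled.
    v=$(sshd_effective "$file" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin should be no (got '${v:-unset}')"; rc=1; }

    # AllowUsers unset means every account with a key (or password) may log in.
    v=$(sshd_effective "$file" AllowUsers)
    [ -n "$v" ] || { echo "AllowUsers is not set; any account could log in"; rc=1; }

    return $rc
}

# Usage: sh audit.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    check_sshd_config "$1"
fi
```

Run it against the live file after editing and before restarting sshd; a non-zero exit with the printed lines tells you exactly which directive still needs attention.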

From your personal computer:

1) Log in to the host and open a terminal or console.
2) From your home directory, run the following command.

user@hostname ~ $ ssh-keygen -t rsa

3) As seen below, you will be asked for the following details. You can accept the defaults by pressing "enter" all the way through. If you would like added security, enter a passphrase when prompted.

user@hostname ~ $ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
[random letters and numbers] user@hostname
The key's randomart image is:
+--[ RSA 2048]----+
[random image]

4) Now check your home directory and you should see the .ssh directory; its full path was listed above as "/home/user/.ssh". We use the "a" option of ls because the directory is hidden.

user@hostname ~ $ ls -la
drwx------  2 user  user       4096 2011-11-25 15:18 .ssh

5) So the directory is there; now let's check for the files. Change directory into .ssh:

user@hostname ~ $ cd .ssh

6) List the files in the directory.

user@hostname ~/.ssh $ ls -l
total 20
drwx------  2 user user 4096 2011-11-25 15:18 .
drwxr-xr-x 57 user user 4096 2011-11-25 14:55 ..
-rw-------  1 user user 1675 2011-11-25 15:18 id_rsa
-rw-r--r--  1 user user  393 2011-11-25 15:18 id_rsa.pub
-rw-r--r--  1 user user  884 2011-11-25 15:01 known_hosts

7) Two files are important: id_rsa and id_rsa.pub. These are the files we just created, and they are what you need to access remote hosts.

id_rsa - This is your private key; keep it on the computer you use to access other computers. It must never be copied to remote systems or shared; it belongs only on the client hosts you log in from.

id_rsa.pub - This is the public key; you place its contents on the remote systems that you want to access.

8) Now that we have the two files, we're going to copy id_rsa.pub to the remote system. This command appends your local id_rsa.pub to the authorized_keys file on the remote host (192.168.1.1 here; substitute your host's address). You will be asked for your password this one time.

user@hostname ~/.ssh $ cat id_rsa.pub | ssh user@192.168.1.1 'cat >> .ssh/authorized_keys'
Password:

There is a possibility this might fail. Make sure that under your home directory on the remote system the .ssh directory and the authorized_keys file already exist. If they are not there, create them as follows, running the commands on the remote system from your home directory.

user@hostname ~ $ mkdir .ssh

Now we are going to lock down the directory so only you can read it:

user@hostname ~ $ chmod 700 .ssh

Now go inside the .ssh directory:

user@hostname ~ $ cd .ssh

We are going to create a blank file to store the keys:

user@hostname ~/.ssh $ touch authorized_keys

Again, we are going to lock this file down as well:

user@hostname ~/.ssh $ chmod 600 authorized_keys

Now try the command listed in step 8 again. This should work. 

9) Now try to ssh into the server again; you should not be prompted for a password and should go straight to the terminal session.
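The remote-side part of steps 8 and 9 (create .ssh, lock it down, append the key) is easy to get subtly wrong: running `cat >> .ssh/authorized_keys` twice leaves a duplicate key, pasting id_rsa instead of id_rsa.pub plants your private key on the server, and a group- or world-writable home directory makes sshd silently ignore the file under its default StrictModes setting. The following POSIX sh function, an added example and not the post's own command, does the same work with those checks built in. The function name and its two arguments (the home directory to prepare and a file holding the public key line) are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: prepare ~/.ssh on the remote
# host and append a public key idempotently, with the permissions sshd expects.
# Arguments: $1 = home directory to prepare, $2 = file containing the
# public key line (the contents of id_rsa.pub).

install_authorized_key() {
    home="$1"; pubfile="$2"
    sshdir="$home/.ssh"; authfile="$sshdir/authorized_keys"

    # Refuse anything that does not look like an OpenSSH public key line.
    # A private key pasted by mistake starts with "-----BEGIN", not "ssh-".
    if ! grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$pubfile"; then
        echo "refusing: $pubfile is not an OpenSSH public key" >&2
        return 1
    fi

    # Same steps as the post: directory 700, file 600.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"

    # Append only lines not already present; a plain "cat >>" adds a
    # duplicate every time the command is re-run.
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        grep -qxF -- "$line" "$authfile" || printf '%s\n' "$line" >> "$authfile"
    done < "$pubfile"

    # sshd with StrictModes yes (the default) ignores authorized_keys when the
    # home directory or ~/.ssh is writable by group or others. ls -ld gives
    # "drwxrwxr-x"; char 6 is group write, char 9 is other write.
    for d in "$home" "$sshdir"; do
        perms=$(ls -ld "$d" | cut -c1-10)
        case "$perms" in
            ?????w????|????????w?)
                echo "warning: $d is group/world writable; sshd will ignore the key" >&2 ;;
        esac
    done
    return 0
}

# Usage on the remote host: sh install_key.sh "$HOME" /path/to/id_rsa.pub
if [ $# -eq 2 ]; then
    install_authorized_key "$1" "$2"
fi
```

Because the function is idempotent, you can keep it in your notes and run it every time you add a new client; it creates what is missing, leaves what is already correct, and tells you when the file would be ignored, which is the usual reason step 9 still asks for a password.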

Hope this saves you time and keeps your system secure. 

Rob
