Public/private key authentication with SSH

SSH is a protocol that enables secure logins to your computer over a network. SSH supports the use of public/private key pairs for user authentication. Private keys are kept locally, while public keys are stored on the remote machine.

On the Local Machine

Use the command ssh-keygen -t dsa to generate a key pair for the local user. Use an appropriate passphrase to secure your private key (don’t be tempted to use an empty passphrase).
Set the permissions for the private key file with the following command:

user@ubuntu:~$ chmod 600 ~/.ssh/id_dsa

On the Remote Machine

Get the necessary packages with the following command:

user@ubuntu:~$ sudo apt-get install ssh

Copy the public key file ~/.ssh/id_dsa.pub from the local to the remote machine.

On the remote machine, move and rename the file with the following command:

user@ubuntu:~$ mv id_dsa.pub .ssh/authorized_keys2

Set the permissions for the file with the following command:

user@ubuntu:~$ chmod 600 ~/.ssh/authorized_keys2

Add the user user to the group ssh:

user@ubuntu:~$ sudo adduser user ssh

Get the file sshd_config and move it to /etc/ssh/:

user@ubuntu:~# sudo wget "http://edafe.org/wp-content/uploads/2006/09/sshd_config"
user@ubuntu:~# sudo mv sshd_config /etc/ssh/

The downloaded file contains the following changes from the Ubuntu default configuration:

LogLevel VERBOSE
AllowGroups ssh
LoginGraceTime 20
PermitRootLogin no
MaxAuthTries 1
RSAAuthentication no
PasswordAuthentication no
X11 Forwarding no
TCPKeepAlive yes
ClientAliveInterval 15
ClientAliveCountMax 3
MaxStartups 3
UsePAM no

Setting these options makes root logins impossible. Only users belonging to the group ssh may establish a connection. Access to the remote machine is strictly tied to the private key and the passphrase used to encrypt it.

Next, restart the SSH server on the remote machine with the following command:

user@ubuntu:~$ sudo /etc/init.d/ssh restart

You should now be able to log into the remote machine using the private key stored on the local machine:

user@ubuntu:~$ ssh remote.machine
Enter passphrase for key '/home/user/.ssh/id_dsa':

The book SSH The Secure Shell by Daniel Barrett, Richard Silverman and Robert Byrnes is useful as a reference text and has information on other clever stuff you can do with SSH.
www.ibm.com/developerworks/linux/

This entry was written by edafe, posted on 25/09/2006, filed under computing and tagged , , , , , , , , , , , .