On its own SSH uses a secure connection during transmit, including user credentials at login, to protect our data However, this doesn’t protect the server from brute force password attacks, which are magnified when Root is allowed remote login access (bad idea!).
To create another layer of protected, it is advised to use RSA public key pairs for the entire connection and logon process. The client computer holds the private key, while each server you want to log onto has a copy of the public key. The benefits of this are two fold. We no longer require a password to login, and the connection becomes even more secure since only the person who holds the public key can log on.
When using public key pairs for the logon process, you need to ensure the client has the required private key and the target server has a copy of the public key; otherwise, you will not be able to log in. This is probably the biggest strike against it, but the pros far out-weight the negatives.
This tutorial will cover how to configure passwordless logons in a full Linux environment. It does not cover how to generate the keys on a Windows computer.
Generating the Key
- On the client computer, open a terminal window.
- Run the ssh-keygen command.
- The default key file names are id_rsa and id_rsa.pub. If you’d like to use alternative names, for different key pairs for each server, you can specify what file names to use.
ssh-keygen -f custom-key-file-name
Place Private Key on Server
With the keys generated, we now need to place the private key on the server we’ll be remotely logging onto using SSH. There are two methods of getting the key onto the server. The first is by using another command called ssh-copy-id, which uses SSH to connect to the remote server and save the private key file into the targeted user’s home directoy. The other is saving the private key onto a portable device and copying it onto the target server.
- Open a terminal window.
- Use the ssh-copy-id command, specifying both the account and target server.
ssh-copy-id [email protected]erlab.intra
- If you didn’t use the default key file names, use the ‘i’ switch.
ssh-copy-id -i custom-key-file-name [email protected]
This method really depends on how you get the file onto the target server. The safest way is using a portable device, like a USB thumb drive, and copying it on the the server. If you decide to disable SSH password authentication, like we will do a little further down, this will be the only way to add additional private keys for other users.
- Copy the public key file from the .ssh directory of the user who generated the key pairs onto a portable device. In this example, we’re copying it to a USB device mounted under /media/usb1
cp /home/user1/.ssh/id_rsa.pub /media/usb1
- Unplug the device from the client.
- Plug the device into the target server.
- Copy the public key file to the specified user’s home directory.
cp /media/usb1 /home/user1
- Create a new directory called .ssh.
- Copy the contents of the id_rsa.pub file into a file called authorized_keys in the new .ssh directory.
cat id_rsa.pub > .ssh/authorized_keys
- Ensure the .ssh directory and the authorized_keys file have the correct SELinux context.
restorecon -R /home/user1/.ssh
- Verify the .ssh directory has the proper SELinux context.
ls -laZ /home/user1 | grep .ssh
The directory should have the ssh_home_t context.
drwx------. user1 user1 unconfined_u:object_r:ssh_home_t:s0 .ssh
- Verify the authorized_keys file has the correct SELinux context.
ls -la /home/user1/.ssh | grep authorized_keys
The file should also have the ssh_home_t context.
-rw-------. user1 user1 unconfined_u:object_r:ssh_home_t:s0 authorized_keys
- Delete the key file copied to the server.
- Change the permissions of the authorized_keys file to allow readwrite from you, but no permissions to the group and others.
chmod 600 /home/user1/.ssh/authorized_keys
- Change the .ssh directory to allow only you read,write, and execute permissions.
chmod 700 /home/user1/.ssh
Testing the Connection
From the client machine, open a terminal window. You should now be able to SSH onto the target server using the specified account and server name, all without being prompted for a password.
Disabling SSH Password Authentication
- On the target server, open the OpenSSH configuration file into a text editor, like VI or Nano.
- Locate the following lines:
- Uncomment the RSA and Public Key authentication lines, and then disable Password Authentication.
- Save your changes and exit the text editor.
- Reload the SSHD configuration file.
service sshd reload