ABHIONLINUX
Site useful for linux administration and web hosting

2010/06/05

OpenSSH Public Key Authentication

Public-key authentication is based on the use of digital signatures. Each user creates a pair of 'key' files. One of these key files is the user's public key, and the other is the user's private key. The server knows the user's public key, and only the user has the private key.

When the user tries to authenticate herself, the server checks for a matching public key and sends a challenge to the client. The user is authenticated by signing the challenge with her private key.
Remember that your private key file is what authenticates you. Never expose your private keys. If anyone else can access your private key file, they can attempt to log in to the remote host as you and claim to be you. It is therefore extremely important that you keep your private key file in a secure place and make sure that no one else has access to it.


Secure Shell (SSH) public key authentication lets clients access servers without typing passwords.

Steps to configure public key authentication.
OpenSSH is the SSH software installed on the client system. The ssh -V command shows the installed OpenSSH version:

$ ssh -V
OpenSSH_3.6.1p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090702f

If sshd on the server listens on a non-standard port, you have to supply that port. Either of the following forms works:

$ ssh -p 1111  server.test.com
or
$ ssh -oPort=1111 server.test.com

An RSA key pair is generated on the client system. The public key is given to each server that is to be connected to, while the private key stays in a protected location on the client; by default it is stored in ~/.ssh/id_rsa.
New keys are generated with the ssh-keygen command:

client$ mkdir ~/.ssh
client$ chmod 700 ~/.ssh
client$ ssh-keygen -t rsa
Enter passphrase
Enter same passphrase again:

File permissions must be restricted so that other users cannot read the key pair. OpenSSH may refuse public key authentication if the file permissions are too open.

$ chmod -R 700 ~/.ssh

The public key must be copied to every server that the client will access. The public key to copy is in the ~/.ssh/id_rsa.pub file on the client, and its contents must be appended to the ~/.ssh/authorized_keys file on each server.

First, upload the public key from the client to the server. The trailing colon is required: without it, scp writes a local file named after the server instead of copying the key to root's home directory on the server.

client$ scp ~/.ssh/id_rsa.pub root@server.test.com:

Then set up the public key on the server:

server$ mkdir ~/.ssh
server$ chmod 700 ~/.ssh
server$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
server$ chmod 600 ~/.ssh/authorized_keys

Always append new public key data to the authorized_keys file, as multiple public keys may be in use. Each public key entry must be on its own line.

A "from" option can be placed before a public key entry in the ~/.ssh/authorized_keys file on the server to limit where the client is permitted to connect from. Without a from restriction, any client holding the matching private key can connect to the server from anywhere. If the key pair should only work when the connecting client is a host under test.com, put from="*.test.com" before the public key data:

server$ cat ~/.ssh/authorized_keys
from="*.test.com" ssh-rsa AAAAB3NzaC1

Multiple hosts or addresses are specified as comma-separated values (one pattern per comma; an empty pattern between two commas is a mistake):
from="*.test.com,external.example.com"
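As an added example, not part of the original post, the server-side steps above (create ~/.ssh, set the 700/600 permissions, append the uploaded key as one line, optionally with a from= restriction) collected into a single POSIX sh function. It also refuses to add the same key twice and rejects a from= list with an empty pattern, which is what a doubled comma produces. The .ssh directory and public key file are parameters (assumed here) so it can be exercised against a temporary directory.

```shell
# install_authorized_key: append a client's public key to a server-side
# authorized_keys file with the permissions OpenSSH expects (StrictModes),
# one entry per line, no duplicates, and an optional from="..." restriction.
#   $1  .ssh directory on the server (e.g. ~/.ssh)
#   $2  uploaded public key file (e.g. ~/id_rsa.pub)
#   $3  optional from pattern list, e.g. '*.test.com,external.example.com'
install_authorized_key() {
    sshdir=$1; pubkey=$2; fromlist=$3
    authkeys="$sshdir/authorized_keys"

    # a .pub file holds exactly one "keytype base64 [comment]" line
    [ "$(wc -l < "$pubkey" | tr -d ' ')" -eq 1 ] ||
        { echo "expected exactly one key line in $pubkey" >&2; return 1; }
    keytype=$(awk 'NR==1{print $1}' "$pubkey")
    keydata=$(awk 'NR==1{print $2}' "$pubkey")
    [ -n "$keydata" ] || { echo "no key material in $pubkey" >&2; return 1; }
    case "$keytype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $keytype" >&2; return 1 ;;
    esac

    # from= patterns are comma separated; an empty pattern (",,"), whitespace
    # or a double quote would corrupt the option, so reject it before writing
    if [ -n "$fromlist" ]; then
        case ",$fromlist," in
            *,,*|*' '*|*\"*) echo "bad from pattern list: $fromlist" >&2; return 1 ;;
        esac
    fi

    # directory and file permissions sshd will accept
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$authkeys" && chmod 600 "$authkeys"

    # same key material already present: append nothing
    if grep -qF -- "$keydata" "$authkeys"; then
        echo "key already present in $authkeys"
        return 0
    fi
    {
        [ -n "$fromlist" ] && printf 'from="%s" ' "$fromlist"
        awk 'NR==1' "$pubkey"   # awk always terminates the entry with a newline
    } >> "$authkeys"
}
```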