Linux SSH public key authentication to secure access

5 Jan

Plain username/password authentication is not the most secure way to log in to a system: passwords can be guessed, brute-forced, phished or reused from another breach. For services such as SSH, public/private key authentication should be used instead. The user generates a key pair. The private key never leaves the user's machine and is additionally protected by a passphrase, so the key file is stored encrypted on disk. The public key is copied to every system the user wants to log in to. Afterwards no password is sent to the remote system at all; the user is only asked, on the client side, for the passphrase that unlocks the private key (an SSH agent can cache it for the session, but the key itself should never be stored unencrypted).

Creating the key pair

The first step is therefore to create this public/private key pair with ssh-keygen. The following steps were done on Debian 9. Without -t, ssh-keygen generates an RSA key; -b 4096 sets the modulus to 4096 bits (the RSA default is shorter). A non-default file name is given at the prompt so the key does not collide with an existing id_rsa.

gr3yh0und@homeserver:~ $ ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/gr3yh0und/.ssh/id_rsa): /home/gr3yh0und/.ssh/key_rsa
Created directory '/home/gr3yh0und/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/gr3yh0und/.ssh/key_rsa.
Your public key has been saved in /home/gr3yh0und/.ssh/key_rsa.pub.
The key fingerprint is:
SHA256:jjyFGNgUYS8dAQX6jliXNSFa49KxM/QLqDmspjz9iqU gr3yh0und@homeserver
The key's randomart image is:
+---[RSA 4096]----+
|    &*=.         |
|   & O o         |
|  * @ *          |
|.o o X +         |
|+.. = o S        |
|.+ + . +         |
|o.o.. + .        |
|+.+.   .         |
|.E..o.           |
+----[SHA256]-----+

Now the pair has been created and saved in your user directory, e.g. /home/gr3yh0und/.ssh/

gr3yh0und@homeserver:~ $ ls -l /home/gr3yh0und/.ssh/
total 8
-rw------- 1 gr3yh0und gr3yh0und 3326 Jan  5 12:33 key_rsa
-rw-r--r-- 1 gr3yh0und gr3yh0und  746 Jan  5 12:33 key_rsa.pub

Where the key_rsa file is the private key and the key_rsa.pub file is the public key.

Copy the public key

The next step is to copy the public key to the remote system. The easiest way is ssh-copy-id, which logs in once with your password and appends the public key to ~/.ssh/authorized_keys on the remote side, creating the directory and file with the correct permissions if they do not exist yet:

gr3yh0und@homeserver:~ $ ssh-copy-id -i ~/.ssh/key_rsa.pub gr3yh0und@192.168.56.0.51

(-i names the key to install; if you pass the private key's file name, ssh-copy-id appends .pub itself. A plain ssh -i ... login does not copy anything.)

or by hand: log in to the remote system with your password, create the file ~/.ssh/authorized_keys in that user's home directory and paste in the single line from key_rsa.pub. On the remote system:

gr3yh0und@homeserver:~ $ mkdir -p ~/.ssh && chmod 700 ~/.ssh
gr3yh0und@homeserver:~ $ vim ~/.ssh/authorized_keys
gr3yh0und@homeserver:~ $ chmod 600 ~/.ssh/authorized_keys

The permissions matter: with the default StrictModes yes, sshd silently ignores authorized_keys if the file, the ~/.ssh directory or the home directory is writable by anyone other than the owner, and the login falls back to asking for a password. So check the file rights or run the chmod commands above.

Log on using private key

Now check that everything works by supplying the private key file to the SSH client of your choice (e.g. a terminal on *nix or PuTTY on Windows). With OpenSSH:

gr3yh0und@homeserver:~ $ ssh -i .ssh/key_rsa gr3yh0und@192.168.56.0.51
Enter passphrase for key '/home/gr3yh0und/.ssh/key_rsa':

PuTTY (after converting the key with PuTTYgen) shows the equivalent prompt in its own wording:

Using username "gr3yh0und".
Authenticating with public key "rsa-key"
Passphrase for key "rsa-key":

After entering the passphrase you should be logged in without being asked for the account password. If you are asked for the password instead, the key was not accepted; ssh -v shows which keys were offered and the remote /var/log/auth.log usually names the reason (typically the permissions mentioned above).

An additional step is to disable the username/password mechanism altogether so that only key authentication is allowed. This is done by changing (or adding) the following lines in /etc/ssh/sshd_config from

ChallengeResponseAuthentication yes
PasswordAuthentication yes

to

ChallengeResponseAuthentication no
PasswordAuthentication no

Both are needed: PasswordAuthentication covers the plain password method, ChallengeResponseAuthentication the keyboard-interactive method that PAM uses to ask for a password. Make sure PubkeyAuthentication is not set to no (it defaults to yes), check the syntax with sshd -t, and then restart the daemon (systemctl restart ssh on Debian). sshd uses the first occurrence of a keyword it finds, so a stray uncommented PasswordAuthentication yes earlier in the file would silently override your change. On OpenSSH 8.7 and later the option is called KbdInteractiveAuthentication; the old name is still accepted as an alias.

Warning: After this change you won't be able to log on to the remote system using SSH and the username/password scheme! So make sure your key authentication is working first, keep your current session open while you restart sshd, and test a fresh key login from a second terminal before logging out.
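Before closing the last password-authenticated session it is worth verifying what sshd will actually do with the edited file. The following shell snippet is an added example, not part of the original post or of OpenSSH: it resolves a keyword the way sshd does (first occurrence in the global section wins, keywords are case-insensitive, values inside Match blocks are conditional and therefore ignored for the global answer) and checks that both password paths are off while public key login is still possible. The two sample configurations are constructed for the demonstration; the "trap" one reproduces the common mistake of adding the new lines below an existing uncommented PasswordAuthentication yes.

```shell
#!/bin/sh
# Added example (not from the original post, not OpenSSH code): resolve the
# value sshd will use for a keyword and check a config before lock-down.

# effective_value KEYWORD < sshd_config
# Prints the lower-cased value of the FIRST global occurrence of KEYWORD,
# or "default" if the keyword is not set before the first Match block.
effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        NF == 0 { next }                         # blank line
        /^[[:space:]]*#/ { next }                # comment
        tolower($1) == "match" { exit }          # everything below is conditional
        {
            k = $1; v = $2
            if (index(k, "=") > 0) {             # "Keyword=value" form
                split(k, a, "="); k = a[1]; v = a[2]
            } else if (v == "=") {               # "Keyword = value" form
                v = $3
            }
            if (tolower(k) == key) { print tolower(v); found = 1; exit }
        }
        END { if (!found) print "default" }
    '
}

# password_login_disabled < sshd_config
# Succeeds only if the plain password method AND the keyboard-interactive
# (PAM) method are off. Both default to "yes", so a missing line counts as
# still enabled.
password_login_disabled() {
    cfg=$(cat)
    pw=$(printf '%s\n' "$cfg" | effective_value PasswordAuthentication)
    cr=$(printf '%s\n' "$cfg" | effective_value ChallengeResponseAuthentication)
    [ "$pw" = "no" ] && [ "$cr" = "no" ]
}

# pubkey_login_enabled < sshd_config
# PubkeyAuthentication defaults to yes; only an explicit "no" locks you out.
pubkey_login_enabled() {
    [ "$(effective_value PubkeyAuthentication)" != "no" ]
}

# Constructed sample: the edit from the post placed BELOW an earlier
# uncommented "PasswordAuthentication yes", which sshd will use instead.
TRAP_CFG='Port 22
PasswordAuthentication yes
# ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no'

# Constructed sample: correctly hardened; the Match block re-enables
# passwords for one account only and does not change the global answer.
GOOD_CFG='Port 22
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes'

# Usage against the live file, before "systemctl restart ssh":
#   password_login_disabled < /etc/ssh/sshd_config && \
#   pubkey_login_enabled   < /etc/ssh/sshd_config && echo "safe to restart"
for name in TRAP_CFG GOOD_CFG; do
    eval "cfg=\$$name"
    if printf '%s\n' "$cfg" | password_login_disabled; then
        echo "$name: password logins are off"
    else
        echo "$name: password logins are STILL ON"
    fi
done
```

The check reads only the one file it is given: it does not follow Include directives (OpenSSH 8.2 and later) and it does not know about KbdInteractiveAuthentication, the newer name for ChallengeResponseAuthentication. For the authoritative answer on the server itself, sshd -T prints the effective configuration after parsing, and is the better tool when it is available; the snippet above is useful when you want to review a config file offline or in a pipeline before it is deployed.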
