Public Key Authentication

Nowadays SSH scans are a fact of life and as a responsible user of linux we must continually improve the protection that we provide to our services to ensure that we don't become another statistic. Fortunately enough SSH comes with the ability to login using public and private keys instead of password authentication. Whilst passwords can be guessed or cracked it is far less likely that a key can be cracked. Hopefully this howto will be provide you a step-by-step method to improving your SSH security, its important to note that I am assuming that you already have SSH installed and running.

Creating the Key Pair

First of all we need to generate our key pair, you do this on the machine that you plan on connecting from.

GNU/Linux Systems

Open up a terminal and type the following command:

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
34:1f:94:0f:8f:28:0b:f8:17:ed:ce:cb:36:55:99:83 user@host

The default location is the ".ssh" folder inside your home directory, this is where we want the files to be so accept that. At the point where it asks for a passphrase, enter a strong password. This password is very important, it protects the private key. If someone steals your private key it will be unusable without your passphrase.

Once this is complete you will have a RSA key pair. You have the private key (id_rsa) and the public key (id_rsa.pub) both stored in the .ssh folder under your home directory. The public key is the key that we copy over to the machine that you wish to connect to.

Windows Systems (Putty)

You will need to have installed putty via the installer as this gives us the program that we require to run to generate our keys.

Start up PuTTYgen.
Select SSH2 RSA from Parameters (at the bottom).
Click on Generate.
Wiggle the mouse around ion the blank space.
Alter the comment to be "user@host".
Add a passphrase (and retype it).
Save the public and private keys.
Start up Pageant.
Right-click on icon in the system tray, selecting Load key.
Type in your passphrase.

Now your Windows system is prepared to send the key to the server. Store your private key somewhere safe.

Sending the Public Key

With either the Windows machine or the Linux machine send the public key you have created over to machine that you will be connecting to. Make sure when you do this you use "scp" like this:

$ cd .ssh/
$ scp id_rsa.pub USER@SERVER:./id_rsa.pub

Replacing USER and SERVER with the details of the username and hostname of the server you are connecting to. Windows machine should use WinSCP or another similar utility. Using scp to copy over to the other machine ensure that the data is encrypted, this protects the possiblity of someone intercepting your public key during transfer.

Setting up the Server

Ok so we now have everything we need prepared on the machine that we will connect from and we have also sent the data required to the server. The next step is to prepare the server for using public key authentication.

Using a public key created by 'ssh-keygen'

Login to the server as you would usually and then execute these commands:

$ cd .ssh
$ touch authorized_keys
$ chmod 600 authorized_keys
$ cat ../id_rsa.pub >> authorized_keys
$ rm ../id_rsa.pub

This has placed the public key into the 'authorized_keys' file, this is a file that SSH checks for when a user connects and any key in it is available for testing with public key authentication.

Using a public key created by 'PuTTYgen'

Unfortunately the layout of the key that PuTTYgen creates differs from the layout that SSH (on Linux) excepts, this means that we need to edit the public key to make it usuable under Linux. Fortunately enough its not too hard.

Open the public key that you created, it will look something like this:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "user@host"
AAAAB3NzaC1kc3MAAACBANmj5ago5F/QP50X2nxD9FkSIDFoSVv1KavQNjlONStv
PuJvF1AQLcDYjGrtFnK8Wn7sEzz1VZcOYTDq6pxy0xDyoQLjYTWVpVM3vVLETfJc
XVNejswt6SGshEW4R1Ys9xKaTPwRejEHe8FLqEkapTCj56dp47J5JOHs4b8SkAPl
AAAAFQD89oWHllh2NDH0lIiEwqts0RArzwAAAIBAflemdNoJwPn6ayVyYNM2bO0p
szzguxKstAvEyojWuIo4srYqUj8c6x6QqLxIvjwi94J8BEDvo7+rmG2PLSwM5Ovm
jyfHUpPD+c6iPLvioGfwQB+B0M/E1frkwteophR9P1Jf1seRDemKL3pY37jdYpq7
NCsJhiMy/NGntcgoagAAAIEAmyxLKQpBDQ8nUT1Fv+YhdBgCWIDQixgwcGZJjJ3d
AiHyDlJ5jXp6ba4ccS5FW2F068yoLY3uQNh1Jt+aUrFyZoc33rrrk34czLK4FKNp
M9V2+KTI8EL/1JeM3/jjl9IhZTLRzSaQinKA5SAXhYnXxfFPlhPislY968Kzag0J
Dag=
---- END SSH2 PUBLIC KEY ----

You should edit the file to make it look like this:

ssh-rsa AAAAB3NzaC1kc3MAAACBANmj5ago5F/QP50X2nxD9FkSIDFoSVv1KavQ
NjlONStvPuJvF1AQLcDYjGrtFnK8Wn7sEzz1VZcOYTDq6pxy0xDyoQLjYTWVpVM3
vVLETfJcXVNejswt6SGshEW4R1Ys9xKaTPwRejEHe8FLqEkapTCj56dp47J5JOHs
4b8SkAPlAAAAFQD89oWHllh2NDH0lIiEwqts0RArzwAAAIBAflemdNoJwPn6ayVy
YNM2bO0pszzguxKstAvEyojWuIo4srYqUj8c6x6QqLxIvjwi94J8BEDvo7+rmG2P
LSwM5OvmjyfHUpPD+c6iPLvioGfwQB+B0M/E1frkwteophR9P1Jf1seRDemKL3pY
37jdYpq7NCsJhiMy/NGntcgoagAAAIEAmyxLKQpBDQ8nUT1Fv+YhdBgCWIDQixgw
cGZJjJ3dAiHyDlJ5jXp6ba4ccS5FW2F068yoLY3uQNh1Jt+aUrFyZoc33rrrk34c
zLK4FKNpM9V2+KTI8EL/1JeM3/jjl9IhZTLRzSaQinKA5SAXhYnXxfFPlhPislY9
68Kzag0JDag= user@host

Notice that this is all on one line, the comment is now at the end and the addition of the words "ssh-rsa" to the beginning.

Logging in with Public Keys

Now you can try logging in again, this time you will experience a slightly different look:

$ ssh -l USER SERVER
Enter passphrase for key '/home/USER/.ssh/id_rsa':
Linux SERVER 2.6.12.3 #1 Sun Jul 31 23:08:02 UTC 2005 i686 GNU/Linux
You have new mail.
Last login: Sun Jul 31 22:12:32 2005 from HOST
$

Using Putty is a matter of loading the private key into Pageant and then connecting as normal.

Disallowing Password Logins

Now that we have secured the server using public key authentication we no longer need, nor want, password authentication. Simply open up your sshd_config file (/etc/ssh/sshd_config) and edit this line:

# PasswordAuthentication yes

Change to:

PasswordAuthentication no
UsePAM no

Thats it, your SSH server will now only accept public keys and will simply refuse all password attempts (even the right password won't get you in :)).

Final Ideas

Tired of typing in the passphrase all the time? Linux has that covered too:

$ eval `ssh-agent -s`
Agent pid 12719
$ ssh-add /home/user/.ssh/id_rsa
Enter passphrase for /home/user/.ssh/id_rsa
Identity added: /home/user/.ssh/id_rsa (/home/user/.ssh/id_rsa)

Now it will last as long as ssh-add is running, you can lock and unlock the agent, you can also set a life time for how long it should store the key in its memory, cool!