SSH with authentication key instead of password

Posted by neofpo on Thu 7 Jun 2007 at 09:42

SSH is a must-use tool for system administrators. However, resting access security on a human-entered password is not very wise. Script kiddies may break into your system because of a lazy user with a weak password, and it is beyond the system administrator’s power to make users choose good passwords.

The good news is that there is a way to leave remote access open without having to worry about passwords. The method consists of authentication via asymmetric cryptography: the user’s private key is what grants access. You can even lock the user’s account to disallow password authentication completely.

Another advantage of this method is that one does not need different passwords to log on to different servers. One can authenticate with a personal private key on all servers, with no need to remember several passwords.

With this method it is also possible to log in without being asked for any password.


How to do it


Generate the authentication key

On the client machine, the user must generate a public/private key pair that will identify them to the servers. One can choose whether or not to protect it with a passphrase.

Leaving it without a passphrase means that anyone with access to the key files (e.g. root on the client machine) will have the same level of access as the user, and no passphrase will be asked for when the client connects to the servers.

Protecting the key with a passphrase means that every time the user connects to a server using it, the passphrase for decrypting it will be asked for. This is certainly more secure, since anyone who can read the private key file will only see an encrypted version.

To generate the key pair, run:

fabio@morpheus:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/fabio/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/fabio/.ssh/id_rsa.
Your public key has been saved in /home/fabio/.ssh/id_rsa.pub.
The key fingerprint is:
44:3e:ef:58:94:15:52:c2:88:ca:ab:21:43:53:3d:42 fabio@morpheus
fabio@morpheus:~$

Just accept the default file (~/.ssh/id_rsa) and enter a passphrase or leave it empty, as explained above. If you later need to change the passphrase or add one, run:

fabio@morpheus:~$ ssh-keygen -p
Enter file in which the key is (/home/fabio/.ssh/id_rsa):
Key has comment '/home/fabio/.ssh/id_rsa'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
fabio@morpheus:~$

In this case, a new passphrase was added. Note that this operation does not change the public/private key pair; it only changes how the private key is encrypted.


Install the public key on the servers

Once the public key is installed on the server, access will be granted without asking for a password. SSH usually comes with a utility called ssh-copy-id that simply appends the contents of the client’s ~/.ssh/id_rsa.pub to the server’s ~/.ssh/authorized_keys:

fabio@morpheus:~$ ssh-copy-id -i .ssh/id_rsa.pub ornellas@apanela.com
15
ornellas@apanela.com's password:
Now try logging into the machine, with "ssh 'ornellas@apanela.com'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

fabio@morpheus:~$

Note that password access is still needed at this point. The key can be installed in any other way you wish: for example, the server’s administrator can add the public key to give a user access, instead of giving them a password.
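
The administrator case just mentioned can be done by hand on the server. The shell function below is an added example, not part of the original article or of OpenSSH; install_pubkey, its arguments and the paths in the usage comment are hypothetical, and the accepted key types are a subset chosen for the example.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE HOME_DIR [OWNER]   (hypothetical helper)
# Appends one OpenSSH public key to HOME_DIR/.ssh/authorized_keys.
install_pubkey() {
    pub=$1; home=$2; owner=${3:-}
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Only the .pub half may leave the client: refuse a private key file.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key, refusing" >&2; return 2
    fi

    # Expect exactly one line of the form "<type> <base64> [comment]".
    # The accepted types below are a subset chosen for this example.
    [ "$(grep -c . "$pub")" -eq 1 ] || { echo "expected one key" >&2; return 3; }
    key=$(grep . "$pub")
    case $key in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 3 ;;
    esac

    # With StrictModes (the default) sshd ignores authorized_keys when the
    # file or its directory is writable by group or others.
    auth=$home/.ssh/authorized_keys
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 4
    touch "$auth" && chmod 600 "$auth" || return 4

    # Match on "<type> <base64>" so a different comment is not a new key.
    blob=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if ! grep -qF -- "$blob" "$auth"; then
        printf '%s\n' "$key" >> "$auth" || return 4
    fi

    # When root installs the key for a user, hand the files to that user
    # so the account can read and manage its own keys.
    if [ -n "$owner" ]; then
        chown "$owner" "$home/.ssh" "$auth" || return 4
    fi
    return 0
}

# Usage on the server, as root, with a key file received from the user:
#   install_pubkey /tmp/fabio_id_rsa.pub /home/ornellas ornellas
```

Running it twice with the same key leaves a single entry, which keeps authorized_keys easy to review for keys you were not expecting.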


Access

At this point, the user’s account on the server can be locked for password authentication. On Linux systems, one can run:

root@apanela.com:~# passwd -l ornellas

to lock the ornellas account. Key authentication will still be possible.

Now, try to access the server:

fabio@morpheus:~$ ssh ornellas@apanela.com
Enter passphrase for key '/home/fabio/.ssh/id_rsa':
ornellas@pound:~$

In this case, the client’s key was encrypted and its passphrase was asked for. If it had no passphrase, nothing would have been asked and access would be direct:

fabio@morpheus:~$ ssh ornellas@apanela.com
ornellas@pound:~$

Conclusion

This method greatly enhances security and also helps manage access to many servers without many passwords. There are cryptographic algorithms and options other than the default RSA; please refer to ssh-keygen(1) for more information.

This article can be found online at the Debian Administration website at the following bookmarkable URL (along with associated comments):

This article is copyright 2007 neofpo - please ask for permission to republish or translate.