8/20/07

Make your SSH server more secure with public/private keys

To make the SSH server more secure, it is a good idea to allow only users who have a key to log in. Today I found this trick on ubuntuforums.

Generate the keys: First, on the client box, we generate a key pair and copy the public key file to the server box.

[poj@client ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/poj/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/poj/.ssh/id_dsa.
Your public key has been saved in /home/poj/.ssh/id_dsa.pub.
The key fingerprint is:
38:58:74:7b:4c:5a:11:d7:70:de:c0:41:c2:93:c4:b9 poj@client
[poj@client ~]$ ls .ssh
id_dsa id_dsa.pub known_hosts
[poj@client ~]$ scp .ssh/id_dsa.pub poj@192.168.1.122:./id_dsa.pub
poj@192.168.1.122's password:
id_dsa.pub 100% 598 0.6KB/s 00:00
[poj@client ~]$
During key generation we are asked where to save the key. Just press Enter for the default; then, for the passphrase, enter a strong password. This generates the key pair files [id_dsa and id_dsa.pub] in $HOME/.ssh.

Install the key: On the server box, in your $HOME, append our public key file to $HOME/.ssh/authorized_keys:
[poj@client ~]$ ssh -l poj 192.168.1.122
poj@192.168.1.122's password:
Last login: Mon Aug 20 16:49:38 2007 from 192.168.1.73
[poj@server ~]$ cat id_dsa.pub >> .ssh/authorized_keys
[poj@server ~]$


Configure the server: Next, on the server box, edit /etc/ssh/sshd_config, changing or adding these two lines, then restart the ssh service:
PasswordAuthentication no
UsePAM no
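One thing to check after editing: sshd_config uses the first value it finds for a keyword, so a new "PasswordAuthentication no" added at the bottom does nothing if an earlier "PasswordAuthentication yes" is still there. The helper below is an added example, not from the post or from OpenSSH; it reads a config file with the same first-match-wins rule (comments stripped, keywords case-insensitive, Match blocks ignored) and assumes an unset value should be treated as "yes", i.e. not locked down.

```shell
#!/bin/sh
# Report the value sshd will actually use for a keyword, following the
# "first obtained value wins" rule of sshd_config(5): comments are
# stripped, keyword matching is case-insensitive, and only lines before
# the first Match block count as global settings.
effective_sshd_value() {
  # $1 = path to sshd_config, $2 = keyword (e.g. PasswordAuthentication)
  awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    { sub(/#.*/, "") }                          # drop trailing comments
    NF < 2 { next }                             # skip blank or odd lines
    tolower($1) == "match" { inmatch = 1 }      # stop at first Match block
    inmatch { next }
    tolower($1) == want && !found { print $2; found = 1 }
  ' "$1"
}

# Succeed only when both settings from the post are the ones in effect.
# Assumption: a keyword that is not set at all is treated as "yes".
check_key_only_login() {
  pa=$(effective_sshd_value "$1" PasswordAuthentication)
  pam=$(effective_sshd_value "$1" UsePAM)
  [ "${pa:-yes}" = "no" ] && [ "${pam:-yes}" = "no" ]
}
```

Run it as `check_key_only_login /etc/ssh/sshd_config && echo ok` before restarting sshd; a non-zero exit means an earlier line still enables passwords.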


Now, try to ssh again:
[poj@client ~]$ ssh -l poj 192.168.1.122
Enter passphrase for key '/home/poj/.ssh/id_dsa':
Last login: Mon Aug 20 17:54:11 2007 from 192.168.1.69
[poj@server ~]$
Notice that this time it asks for the passphrase, not the password.
From another client box, the ssh request will be denied:
[poj@client2 ~]$ ssh -l poj 192.168.1.122
Permission denied (publickey,gssapi-with-mic).
[poj@client2 ~]$