
Make your SSH server more secure with public/private keys

To make an SSH server more secure, it is a good idea to allow only users who hold a key to log in. Today I found this trick on ubuntuforums.

Generate the keys: First, on the client box, we generate a key pair and copy the public key file to the server box.
[poj@client ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/poj/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/poj/.ssh/id_dsa.
Your public key has been saved in /home/poj/.ssh/id_dsa.pub.
The key fingerprint is:
38:58:74:7b:4c:5a:11:d7:70:de:c0:41:c2:93:c4:b9 poj@client
[poj@client ~]$ ls .ssh
id_dsa id_dsa.pub known_hosts
[poj@client ~]$ scp .ssh/id_dsa.pub poj@192.168.1.122:./id_dsa.pub
poj@192.168.1.122's password:
id_dsa.pub 100% 598 0.6KB/s 00:00
[poj@client ~]$
During key generation we are asked where to save the key; just press Enter to accept the default. For the passphrase, enter a strong one. This generates the key pair files [id_dsa and id_dsa.pub] in $HOME/.ssh.

Install the key: In your $HOME on the server box, append the public key file to $HOME/.ssh/authorized_keys.
[poj@client ~]$ ssh -l poj 192.168.1.122
poj@192.168.1.122's password:
Last login: Mon Aug 20 16:49:38 2007 from 192.168.1.73
[poj@server ~]$ cat id_dsa.pub >> .ssh/authorized_keys
[poj@server ~]$


Configure the server: Next, on the server box, edit /etc/ssh/sshd_config, changing or adding these two lines, then restart the ssh service.
PasswordAuthentication no
UsePAM no


Now, try to ssh again:
[poj@client ~]$ ssh -l poj 192.168.1.122
Enter passphrase for key '/home/poj/.ssh/id_dsa':
Last login: Mon Aug 20 17:54:11 2007 from 192.168.1.69
[poj@server ~]$
Notice that this time it asks for the key's passphrase, not the account password.
From any other client box, the ssh request is denied:
[poj@client2 ~]$ ssh -l poj 192.168.1.122
Permission denied (publickey,gssapi-with-mic).
[poj@client2 ~]$
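The four steps above, as an added helper script that is not code from the original post or from ubuntuforums: it reads the effective value of an sshd_config keyword (sshd honours the first uncommented occurrence, so a duplicate line further down does not override the one above it), checks that the two settings from the post are actually in force, and appends a public key to authorized_keys only if the line has the shape of a public key, setting the 700/600 permissions that sshd's StrictModes expects. The sample config and the key blob in demo() are constructed. Two practical caveats: keep an existing session open while changing sshd_config and confirm the key login works before relying on it, since PasswordAuthentication no locks out anyone without a working key; and current OpenSSH releases disable ssh-dss (DSA) keys by default, so on a modern server generate an ed25519 or RSA key instead of the DSA key shown above.

```shell
#!/bin/sh
# Added example, not code from the original post: helpers for the key-only
# SSH setup described above. All paths are passed as arguments so the
# functions can be tried on copies first; the config and key in demo()
# are constructed samples.

# Print the effective value of an sshd_config keyword. sshd honours the
# FIRST uncommented occurrence of a keyword, so a duplicate lower down
# does not override a line above it.
sshd_effective() {
    # $1 = sshd_config path, $2 = keyword (matched case-insensitively)
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Succeed only if the two settings from the post are in force.
sshd_is_key_only() {
    [ "$(sshd_effective "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(sshd_effective "$1" UsePAM)" = "no" ]
}

# Accept a line only if it has the shape of an OpenSSH public key:
# key type, a base64 blob, optional comment. This stops a private key or
# a stray file from being appended to authorized_keys by mistake.
is_pubkey_line() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)'
}

# Append the first line of a .pub file to authorized_keys, skipping
# duplicates and setting the permissions sshd's StrictModes requires
# (directory 700, file 600); wrong modes make sshd ignore the file.
install_pubkey() {
    # $1 = public key file, $2 = authorized_keys path
    line=$(head -n 1 "$1")
    is_pubkey_line "$line" || { echo "refusing: $1 is not a public key" >&2; return 1; }
    dir=$(dirname "$2")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$2" && chmod 600 "$2"
    grep -Fqx "$line" "$2" || printf '%s\n' "$line" >> "$2"
}

# Walk through the checks on constructed sample files.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/sshd_config" <<'EOF'
# constructed sample config: the later duplicate is ignored by sshd
PasswordAuthentication no
UsePAM no
PasswordAuthentication yes
EOF
    # constructed sample key: the blob is not a real key
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVkc2FtcGxlbm90YXJlYWxrZXk poj@client\n' \
        > "$tmp/id_ed25519.pub"

    if sshd_is_key_only "$tmp/sshd_config"; then
        echo "sshd_config: key-only login enforced"
    else
        echo "sshd_config: password logins still possible"
    fi
    install_pubkey "$tmp/id_ed25519.pub" "$tmp/.ssh/authorized_keys"
    install_pubkey "$tmp/id_ed25519.pub" "$tmp/.ssh/authorized_keys"   # second call adds no duplicate
    echo "authorized_keys entries: $(wc -l < "$tmp/.ssh/authorized_keys" | tr -d ' ')"
    rm -rf "$tmp"
}

demo
```

To use it on a real box, run sshd_is_key_only against /etc/ssh/sshd_config after editing and before restarting the service, and install_pubkey with the copied .pub file and ~/.ssh/authorized_keys in place of the post's cat redirect.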
