Thursday, 2 February 2012

Unix/Linux - Setting up public key authentication [SFTP/SSH/SCP etc]

Today I had the task of setting up public key authentication onto an existing system. The primary task was to ensure that you could send a file via SFTP without a password (password authentication). Joy!

Public key authentication - What the...?
This is basically an authentication method, just like specifying a username and a password (password auth).... The only difference is that a 'key' (some long encrypted string) is generated on a client machine, and the server is made aware of this in a config file. So when the client attempts to connect, the server will check the config, realise its the client, match it against the username, and we're in! Sounds easy I guess.... The basic aim is to get in without a password, while still maintaining security....

Let's start with the client (The machine you want to connect from)

Client Configuration

Note: Firstly, use the user which you wish to allow public key authentication for. We will be storing the keys in the $HOME directory, so make sure you've switched to the correct user from the start.

1. Generate a public and private key. Run this command...
Code Snippet
  1. ssh-keygen -t dsa
End of Code Snippet


[root@someserver ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa): /root/.ssh/id_dsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/
The key fingerprint is:
blah:blah:blah:blah:blah:blah:blah:blah:blah:blah root@someserver

- I am using the root user here... root will be replaced by the name of your user.
- I used the same path with was hinted by the ssh-keygen utility. The keys should be generated within your $HOME dir under the .ssh directory. I would maybe rename id_dsa to something else, as this is the default name. Just a security consideration as somebody could search for your keys using the default name.
- Leave passphrase blank for getting this up and running. It just means you would have to provide the phrase in future.

In this example....
Private Key: /root/.ssh/id_dsa
Public Key: /root/.ssh/

You public key is the one you advertise... the private key, never let out of your sight! It's as good as a password to gain entry! But you know that already right?

2. Set permissions if you haven't already... security is number 1!
Code Snippet
  1. chmod 700 ~/.ssh
  2. chmod 600 ~/.ssh/id_rsa
  3. chmod 644 ~/.ssh/
End of Code Snippet

3. Open the public key file and copy the contents. I recommand not using 'more' to copy because it puts new lines in where the console window wraps. Use something like vi text editor.

4. Keep this public key content handy because we'll need to tell the server about it!

Server Configuration

Note: I will assume you are logged in as a root user here.

1. First of all, lets enable publickey authentication! Open the sshd_config file for editing. I personally use vi. sshd_config is either in /etc/ , /etc/ssh/ or /etc/conf.d/

Mine is here: /etc/ssh/sshd_config

2. You need to enable RSAAuthentication and PubkeyAuthentication... You may need to uncomment those lines. Also, set the AuthorizedKeysFile to point to the authorized_keys file on the server. This file sits in the .ssh directory with the $HOME dir (Just like in the client config). However, we are using the root user, so it should be here: /root/.ssh or simply: ~/.ssh. Check the path is correct before you save.

Code Snippet
  1. RSAAuthentication yes
  2. PubkeyAuthentication yes
  3. AuthorizedKeysFile     ~/.ssh/authorized_keys
End of Code Snippet

3. Save changes and close sshd_config. I usually restart the sshd service just incase.
Code Snippet
  1. service sshd restart
End of Code Snippet

See this link for restarting services on various distros of Linux:

4. Now lets tell the server about our client's public key! Exciting right? Navigate to the .ssh directory (as discussed in step 2). Either open or create the file authorized_keys. This will contain various public keys for connecting clients. Edit this file and add the public key from step 3 in the client configuration. One entry per line if you already have content within there. Save the file.

5. Lets test!


1. Go back to your client and attempt to SSH onto your server.

Code Snippet
  1. ssh username@servername
End of Code Snippet

You can also force ssh to use publickey auth (you may have various types of auth enabled).

Code Snippet
  1. ssh -vvv -o PreferredAuthentications=publickey username@servername
End of Code Snippet

2. Simple SFTP test.
Code Snippet
  1. sftp username@servername
End of Code Snippet

Any problems, please comment and I can assist where necessary! Have fun I guess....

No comments: