How to configure OpenSSH to use a public private key pair
Home > Search > How-to
  by

In this example, there are 2 machines, a Linux client and a Linux OpenSSH server. We will configure both machines so that anyone can make an SSH connection to the OpenSSH server as JohnDoe without having to provide JohnDoe's password. There are some security concerns with this type of setup, as anyone will be able to connect to the OpenSSH server as John Doe using the public certificate, so it is important that security is considered when implementing this type of configuration.

 

OpenSSH server

On the Linux OpenSSH server, create the hidden .ssh directory

~]# mkdir /home/JohnDoe/.ssh

 

Create the authorized_keys file. The authorized_keys file will contain one or more public certificates.

~]# touch /home/JohnDoe/.ssh/authorized_keys

 

Ensure the /home/JohnDoe/.ssh directory and /home/JohnDoe/.ssh/authorized_keys file are owned by JohnDoe, and have least privilege permissions.

~]# chmod 700 /home/JohnDoe/.ssh
~]# chmod 600 /home/JohnDoe/.ssh/authorized_keys
~]# chown JohnDoe /home/JohnDoe/.ssh
~]# chown JohnDoe /home/JohnDoe/.ssh/authorized_keys

 

If the SELinux context of the /home/JohnDoe/.ssh directory and /home/JohnDoe/.ssh/authorized_keys file is not system_u:object_r:ssh_home_t:s0, restore the context.

~]# ls -Z /home/JohnDoe/.ssh
-rw-------. root root system_u:object_r:ssh_home_t:s0 authorized_keys

~]# restorecon -FRvv /home/JohnDoe/.ssh

 

By default, there will be a few public certificates and private keys in the /etc/ssh directory. Of course, you can use your own public certificates and private keys. For simplicity, we will use the ssh_host_rsa_key certificate and key. Use the paste command to append the public certificate to the authorized keys file.

~]# paste -s -d '\n' /etc/ssh/ssh_host_rsa_key.pub >> /home/JohnDoe/.ssh/authorized_keys

 

Configure your /etc/ssh/sshd_config file to have the following settings.

PermitRootLogin        without-password
PubkeyAuthentication   yes
AuthorizedKeysFile     .ssh/authorized_keys
GSSAPIAuthentication   no

 

Restart SSHD.

~]# systemctl restart sshd

 

Client

Create the hidden .ssh directory on the client.

~]# mkdir /var/shared/.ssh

 

Copy the private key from the OpenSSH server into the hidden .ssh directory on the client. Replace "OpenSSH" with the actual hostname or IP address of the OpenSSH server.

~]# scp JohnDoe@OpenSSH:/etc/ssh/ssh_host_rsa_key /var/shared/.ssh

 

Ensure the hidden .ssh directory and private key are owned by root and have proper permissions.

~]# chown root:root /var/shared
~]# chown root:root /var/shared/ssh_host_rsa_key
~]# chmod 700 /var/shared
~]# chmod 600 /var/shared/ssh_host_rsa_key

 

Now the OpenSSH server has a way to authenticate the client. When the client requests the connection using the private key, the OpenSSH server has the corresponding public key.

 

Make the SSH connection without a password

If connecting using the ssh command, use the -i option followed by the path to the private key.

~]# ssh -i /var/shared/ssh_host_rsa_key JohnDoe@OpenSSH

 

If using PuTTY, add the private key to PuTTY.

  1. Launch PuTTY.
  2. In the left panel, expand +SSH and highlight auth
  3. Enter the path to the private key.

 

Disable password and GSSAPI authentication

By default, both PuTTY and the OpenSSH server are configured to use password and GSSAPI authentication. To reduce the attack surface, password and GSSAPI authentication can be disabled, since a public private key pair are being used.

  1. In PuTTY, expand Connection > SSH > Auth and select GSSAPI.
  2. Remove the tick from Attempt GSSAPI authentication (SSH-2 only)

 

In the /etc/ssh/sshd_config file on the OpenSSH server, make the following configuration:

GSSAPIAuthentication no
PasswordAutehentication no

 

Log files

For absolute assurance that only a public private key pair are being used for authentication, and that password and GSSAPI authentication have been disabled, view the PuTTY log file.

  1. In PuTTY, select Logging, and select the following:
    • SSH packets and raw data
    • Type the path to the file that will contain the log data
    • Remove the tick from Omit known password fields

 

Connect to the OpenSSH server, and then open the log file. In the log, the first outgoing packet from the client to the server is ....root....ssh-connection....none, and the incoming packet from the server to the client is ....publickey.....

  • publickey means that the server is configured to allow the use of a public key for authentication requests.
  • none means that no public key was provided in the request.

Because no public key was provided, the SSH server failed to authenticate the request. This is normal, and not suggestive of some problem. By default, PuTTY makes the first authentication attempt with no public key. Notice publickey and ssh-rsa in the last attempt.

Add a Comment




We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.




Please enter in the box below so that we can be sure you are a human.




Comments

FreeKB   |   2018   |   support@freekb.net