FreeKB - Public key authentication with OpenSSH
Public key authentication with OpenSSH



Public key authentication can be used to connect to an OpenSSH server without having to provide your password.

 


Client

Change into the user's hidden .ssh directory.

cd /home/JohnDoe/.ssh

 

In this example, ssh-keygen is used to create the public key and private key. By default the public key is named id_rsa.pub and the private key is id_rsa.

ssh-keygen -t rsa

 

Configure the .ssh directory so that only JohnDoe has read/write/execute permission, and configure the public/private key pair so that only JohnDoe has read/write permission.

chmod 700 /home/JohnDoe/.ssh
chmod 600 /home/JohnDoe/.ssh/id_rsa
chmod 600 /home/JohnDoe/.ssh/id_rsa.pub

 

The content of id_rsa.pub will be a single line similar to the following (the line breaks are added here for display only).

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqphOmkv0RPMn48EwCRED/eSSYsbyrRlxymWdEA/
rYuq4eqZAVzTYxJxnTuCTLnrr5hvVMYstcEnwFB+uXZut8UoCtOlrqA7gyy0EjdRh1qay1YXIbB
QZxpHDmAy9D3aSDoa5sVwrC1GQzNN4nH58pGnoGF+Df/A76LlZeBfmO1hP/a7hLIf8L+2o4LfKM
NBvqf37tlYDOKUA+mU+XSCmBbMk3/4UgYxuQ3HdE8w5RhFZf9Mbvb5GqubCy7N8zp6v/hRRfT0j
pWqR8kr2qauQttd9+q1n5pKCCjUO+/+jeLDdhtJ7Pls8O7motxJoNsqxKof1lJKvtt44VxYpdoY
K6w== JohnDoe@client

 


OpenSSH server

On the Linux OpenSSH server, configure your /etc/ssh/sshd_config file to have the following settings. You can choose any filename and directory for the authorized keys file.

PermitRootLogin        without-password
PubkeyAuthentication   yes
AuthorizedKeysFile     /etc/ssh/authorized_keys
GSSAPIAuthentication   no

 

Restart SSHD.

systemctl restart sshd

 


Authorized keys file

Since we specified /etc/ssh/authorized_keys as the location and name of the authorized keys file, we will need to create this file. The authorized_keys file will contain one or more public keys, one per line.

touch /etc/ssh/authorized_keys

 

Ensure the authorized_keys file can only be read and written by the owner of the file.

chmod 600 /etc/ssh/authorized_keys

 

Give the authorized_keys file an owner (JohnDoe in this example).

chown JohnDoe /etc/ssh/authorized_keys
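The chmod and chown steps above (0700 on the .ssh directory, 0600 on the key files, and an owner on authorized_keys) are not arbitrary: the ssh client refuses a private key that anyone but its owner can read, and sshd, with StrictModes on by default, refuses an authorized_keys file that is group- or world-writable or owned by someone other than the login user or root. The following script is an added example, not code from the FreeKB article, that performs those same checks as an audit. It builds its own sample layout in a temporary directory (the directory names are constructed, and the "authorized_keys" file there stands in for /etc/ssh/authorized_keys); when expected_uid is omitted it assumes the current user is the account the keys belong to.

```python
import os
import stat
import tempfile


def audit_key_permissions(ssh_dir, private_key, authorized_keys, expected_uid=None):
    """Return a list of findings; an empty list means the files match the article's steps.

    The checks mirror what ssh and sshd enforce before using a key, so a finding
    here normally shows up later as "Permissions ... are too open" on the client
    or "bad ownership or modes" in the sshd log.
    """
    if expected_uid is None:          # assumption: the caller is the key's owner
        expected_uid = os.getuid()
    findings = []

    dir_mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if dir_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{ssh_dir}: mode {dir_mode:04o}, expected 0700")

    # The ssh client refuses a private key that has any group/other bit set.
    key_mode = stat.S_IMODE(os.stat(private_key).st_mode)
    if key_mode & 0o077:
        findings.append(f"{private_key}: mode {key_mode:04o}, expected 0600")

    # sshd (StrictModes) rejects an authorized_keys file that is group- or
    # world-writable, or owned by someone other than the login user or root.
    ak = os.stat(authorized_keys)
    ak_mode = stat.S_IMODE(ak.st_mode)
    if ak_mode & 0o022:
        findings.append(f"{authorized_keys}: mode {ak_mode:04o} is group/world writable")
    if ak.st_uid not in (expected_uid, 0):
        findings.append(f"{authorized_keys}: owned by uid {ak.st_uid}, expected {expected_uid} or root")

    return findings


def make_fixture(secure=True):
    """Create a constructed sample layout under a temp dir (not a real home directory).

    secure=False reproduces three common mistakes: a world-readable .ssh directory,
    a 0644 private key and a world-writable authorized_keys file.
    """
    root = tempfile.mkdtemp(prefix="sshperm-")
    ssh_dir = os.path.join(root, ".ssh")
    os.mkdir(ssh_dir)
    private_key = os.path.join(ssh_dir, "id_rsa")
    authorized_keys = os.path.join(root, "authorized_keys")  # stand-in for /etc/ssh/authorized_keys
    for path in (private_key, authorized_keys):
        with open(path, "w", encoding="ascii") as fh:
            fh.write("placeholder, not key material\n")
    os.chmod(ssh_dir, 0o700 if secure else 0o755)
    os.chmod(private_key, 0o600 if secure else 0o644)
    os.chmod(authorized_keys, 0o600 if secure else 0o666)
    return ssh_dir, private_key, authorized_keys


if __name__ == "__main__":
    for secure in (True, False):
        paths = make_fixture(secure)
        print("secure layout:" if secure else "weak layout:", audit_key_permissions(*paths))
```

The ownership check accepts root as well as the user because sshd does; that is why the article's chown to JohnDoe is a choice rather than a requirement, while the mode bits are not negotiable.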

 

View the SELinux context of the authorized_keys file.

~]# ls -Z /etc/ssh
-rw-------. root root system_u:object_r:ssh_home_t:s0 authorized_keys

 

If the SELinux context is not system_u:object_r:ssh_home_t:s0, restore the context.

restorecon -FRvv /etc/ssh

 

Copy the content of id_rsa.pub on the "client" machine and paste the content into the authorized keys file on the OpenSSH server machine. In this example, the authorized_keys file would have the following (without the line breaks).

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqphOmkv0RPMn48EwCRED/eSSYsbyrRlxymWdEA/
rYuq4eqZAVzTYxJxnTuCTLnrr5hvVMYstcEnwFB+uXZut8UoCtOlrqA7gyy0EjdRh1qay1YXIbB
QZxpHDmAy9D3aSDoa5sVwrC1GQzNN4nH58pGnoGF+Df/A76LlZeBfmO1hP/a7hLIf8L+2o4LfKM
NBvqf37tlYDOKUA+mU+XSCmBbMk3/4UgYxuQ3HdE8w5RhFZf9Mbvb5GqubCy7N8zp6v/hRRfT0j
pWqR8kr2qauQttd9+q1n5pKCCjUO+/+jeLDdhtJ7Pls8O7motxJoNsqxKof1lJKvtt44VxYpdoY
K6w== JohnDoe@client

 

Now the OpenSSH server has a way to authenticate the client. When the client requests the connection using the private key, the OpenSSH server has the corresponding public key and can verify the client's signature against it.
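The "without the line breaks" requirement above is the most common way this step goes wrong, and the format of the line is worth understanding: the first field is the key type, the second is the base64 of the key's wire encoding (a length-prefixed type string followed by, for RSA, the public exponent and modulus), and the rest is a free-form comment. The following parser is an added example, not code from the FreeKB article. It takes the article's own key (joined back onto one line, as the file must hold it), decodes it, checks that the type in the first field matches the type inside the blob, and reports the modulus size; build_rsa_line constructs a synthetic key line from integers purely to exercise the weak-key warning, and the 2048-bit threshold is this example's assumption. Entries that begin with options such as from="..." are outside what it handles.

```python
import base64
import struct

# The article's key, exactly as printed there across six lines. In the file it
# must be ONE line, which is what this join produces.
ARTICLE_KEY_LINE = "ssh-rsa " + "".join([
    "AAAAB3NzaC1yc2EAAAABIwAAAQEAqphOmkv0RPMn48EwCRED/eSSYsbyrRlxymWdEA/",
    "rYuq4eqZAVzTYxJxnTuCTLnrr5hvVMYstcEnwFB+uXZut8UoCtOlrqA7gyy0EjdRh1qay1YXIbB",
    "QZxpHDmAy9D3aSDoa5sVwrC1GQzNN4nH58pGnoGF+Df/A76LlZeBfmO1hP/a7hLIf8L+2o4LfKM",
    "NBvqf37tlYDOKUA+mU+XSCmBbMk3/4UgYxuQ3HdE8w5RhFZf9Mbvb5GqubCy7N8zp6v/hRRfT0j",
    "pWqR8kr2qauQttd9+q1n5pKCCjUO+/+jeLDdhtJ7Pls8O7motxJoNsqxKof1lJKvtt44VxYpdoY",
    "K6w==",
]) + " JohnDoe@client"


def read_ssh_string(buf, offset):
    """Decode one RFC 4251 'string': a 4-byte big-endian length, then the bytes."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("string runs past the end of the blob")
    return buf[offset + 4:end], end


def parse_authorized_key(line, minimum_rsa_bits=2048):
    """Parse one '<type> <base64> [comment]' entry and describe the key.

    Returns a dict with type, comment, bits, exponent (RSA only) and warnings.
    Raises ValueError for an entry sshd would not accept as a key.
    """
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, blob_b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    # validate=True rejects anything outside the base64 alphabet, so a key that
    # was pasted with line breaks fails here, just as sshd would skip it.
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError as exc:
        raise ValueError(f"blob is not valid base64: {exc}") from None

    embedded_type, offset = read_ssh_string(blob, 0)
    if embedded_type != key_type.encode("ascii", "replace"):
        raise ValueError(f"first field says {key_type} but the blob encodes {embedded_type!r}")

    info = {"type": key_type, "comment": comment, "bits": None, "warnings": []}
    if key_type == "ssh-rsa":
        e_bytes, offset = read_ssh_string(blob, offset)  # public exponent (mpint)
        n_bytes, offset = read_ssh_string(blob, offset)  # modulus (mpint)
        if offset != len(blob):
            raise ValueError("unexpected trailing bytes after the RSA modulus")
        info["exponent"] = int.from_bytes(e_bytes, "big")
        info["bits"] = int.from_bytes(n_bytes, "big").bit_length()
        if info["bits"] < minimum_rsa_bits:  # assumption: 2048 is the floor we accept
            info["warnings"].append(f"RSA modulus is only {info['bits']} bits")
    return info


def build_rsa_line(exponent, modulus, comment="constructed-test-key"):
    """Encode two integers as an ssh-rsa entry (constructed input, not a real key)."""
    def mpint(value):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        return b"\x00" + raw if raw[0] & 0x80 else raw  # leading zero keeps the mpint positive

    def ssh_string(data):
        return struct.pack(">I", len(data)) + data

    blob = ssh_string(b"ssh-rsa") + ssh_string(mpint(exponent)) + ssh_string(mpint(modulus))
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def audit_authorized_keys(text):
    """Run parse_authorized_key over a whole file; returns [(line_number, info_or_error)]."""
    results = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        try:
            results.append((lineno, parse_authorized_key(raw)))
        except ValueError as exc:
            results.append((lineno, f"error: {exc}"))
    return results


if __name__ == "__main__":
    sample_file = "# constructed sample authorized_keys\n" + ARTICLE_KEY_LINE + "\n" \
        + build_rsa_line(65537, (1 << 1023) | 1) + "\n"
    for lineno, result in audit_authorized_keys(sample_file):
        print(lineno, result)
```

Running it on the article's key reports a 2048-bit ssh-rsa key with the comment JohnDoe@client; feeding it the key as printed on the page, with its line breaks, produces an error on the first fragment and the remaining fragments are rejected as garbage, which is exactly how sshd behaves and why a wrapped paste silently falls back to a password prompt.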

 


Make the SSH connection without a password

If connecting using the ssh command, use the -i option followed by the path to the private key.

ssh -i /home/JohnDoe/.ssh/id_rsa root@OpenSSH

 

If using PuTTY, add the private key to PuTTY.

  1. Launch PuTTY.
  2. In the left panel, expand SSH and select Auth.
  3. Enter the path to the private key.

 


Disable password and GSSAPI authentication

By default, both PuTTY and the OpenSSH server are configured to use password and GSSAPI authentication. To reduce the attack surface, password and GSSAPI authentication can be disabled, since a public/private key pair is being used.

  1. In PuTTY, expand Connection > SSH > Auth and select GSSAPI.
  2. Remove the tick from Attempt GSSAPI authentication (SSH-2 only).

 

In the /etc/ssh/sshd_config file on the OpenSSH server, make the following configuration:

GSSAPIAuthentication no
PasswordAuthentication no
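Two details of sshd_config parsing matter for the settings in this section and in the "OpenSSH server" section above: directive names are case-insensitive and the first occurrence of a directive wins, and a misspelled directive is not ignored but makes sshd refuse to start ("Bad configuration option"), so a restart after an edit should always be preceded by sshd -t. The following auditor is an added example, not code from the FreeKB article. It reads the global section of a config the way sshd does and flags settings that leave a password path open or share one key file between every account; the directive defaults are OpenSSH's, the KNOWN_DIRECTIVES list is deliberately partial (it only covers what the audit reasons about), and the sample configs are constructed from the article's settings.

```python
KNOWN_DIRECTIVES = {
    # Partial list: the directives this audit reasons about plus a few common
    # ones. Anything else is reported for a manual 'sshd -t' check.
    "permitrootlogin", "pubkeyauthentication", "authorizedkeysfile",
    "gssapiauthentication", "passwordauthentication",
    "challengeresponseauthentication", "kbdinteractiveauthentication",
    "usepam", "port", "listenaddress", "protocol", "syslogfacility", "loglevel",
    "x11forwarding", "subsystem", "acceptenv", "include", "hostkey",
}


def parse_sshd_config(text):
    """Return {directive_lowercase: (value, line_number)} for the global section.

    Mirrors two OpenSSH rules: directive names are case-insensitive, and the
    FIRST occurrence of a directive wins (a later duplicate is ignored).
    Parsing stops at the first Match block, whose settings are conditional.
    """
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break
        settings.setdefault(keyword, (value, lineno))
    return settings


def audit_sshd_config(text):
    """Return a list of (directive, finding) pairs; an empty list means nothing was flagged."""
    settings = parse_sshd_config(text)
    findings = []

    def value_of(keyword, default):
        return settings.get(keyword, (default, None))[0].lower()

    for keyword, (_, lineno) in settings.items():
        if keyword not in KNOWN_DIRECTIVES:
            findings.append((keyword, f"line {lineno}: not in this audit's list; if it is a typo sshd "
                                      "reports 'Bad configuration option' and will not start, check with sshd -t"))

    if value_of("pubkeyauthentication", "yes") != "yes":
        findings.append(("pubkeyauthentication", "public key logins are disabled"))
    if value_of("passwordauthentication", "yes") != "no":
        findings.append(("passwordauthentication", "password logins still accepted (OpenSSH default is yes)"))
    # Keyboard-interactive (older name ChallengeResponseAuthentication) is a
    # second password prompt via PAM that survives PasswordAuthentication no.
    if (value_of("kbdinteractiveauthentication", "yes") != "no"
            and value_of("challengeresponseauthentication", "yes") != "no"):
        findings.append(("kbdinteractiveauthentication",
                         "keyboard-interactive (PAM password prompt) still accepted"))
    if value_of("gssapiauthentication", "no") != "no":
        findings.append(("gssapiauthentication", "GSSAPI authentication enabled"))
    # Default is prohibit-password since OpenSSH 7.0 (it was yes before that);
    # without-password is the older spelling of the same value.
    if value_of("permitrootlogin", "prohibit-password") == "yes":
        findings.append(("permitrootlogin", "root may log in with a password"))

    # AuthorizedKeysFile may list several files; a relative path is resolved
    # under each user's home and %u / %h expand per user. An absolute path with
    # neither token is ONE file consulted for every account, so every key in it
    # can log in as every user, root included.
    raw_paths = settings.get("authorizedkeysfile", (".ssh/authorized_keys", None))[0]
    for path in raw_paths.split():
        if path.startswith("/") and "%u" not in path and "%h" not in path:
            findings.append(("authorizedkeysfile", f"{path} is shared by all accounts"))
    return findings


# Constructed sample: the article's directives from both server sections.
ARTICLE_CONFIG = """\
PermitRootLogin        without-password
PubkeyAuthentication   yes
AuthorizedKeysFile     /etc/ssh/authorized_keys
GSSAPIAuthentication   no
PasswordAuthentication no
"""

# Constructed sample: per-user key files and the PAM prompt closed as well.
PER_USER_CONFIG = """\
PermitRootLogin              prohibit-password
PubkeyAuthentication         yes
AuthorizedKeysFile           .ssh/authorized_keys
GSSAPIAuthentication         no
PasswordAuthentication       no
KbdInteractiveAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("article", ARTICLE_CONFIG), ("per-user", PER_USER_CONFIG)):
        print(name, audit_sshd_config(cfg))
```

On the article's settings the audit flags two things: the single /etc/ssh/authorized_keys file, which means JohnDoe's key also opens the root account named in the ssh command later on the page, and the keyboard-interactive prompt that PasswordAuthentication no alone does not close.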

 


Log files

For absolute assurance that only a public/private key pair is being used for authentication, and that password and GSSAPI authentication have been disabled, view the PuTTY log file.

  1. In PuTTY, select Logging, and select the following:
    • SSH packets and raw data
    • Type the path to the file that will contain the log data
    • Remove the tick from Omit known password fields

 

Connect to the OpenSSH server, and then open the log file. In the log, the first outgoing packet from the client to the server contains ....root....ssh-connection....none (the user name, the service name, and the authentication method), and the incoming packet from the server to the client contains ....publickey.....

  • publickey is the server's list of authentication methods it will still accept; it means the server is configured to allow a public key for authentication requests.
  • none is the authentication method the client used in that first request: no credential, and therefore no public key, was provided.

Because no public key was provided, the SSH server failed to authenticate the request. This is normal, and not suggestive of some problem. By default, PuTTY makes the first authentication attempt with no public key. Notice publickey and ssh-rsa in the last attempt.


