secure ssh access using public key infrastructure

One of the interesting uses of ssh is to secure access to a (Linux) machine. When all access is done through ssh (or ssh tunnels), all communication is encrypted and cannot be snooped. Of course, this means that the login itself also needs to be secure. As login/password authentication is too easily broken, it is better to use public key infrastructure. For the highest level of security this should be done with a smartcard or another device that holds the private key (and does not allow the key to be read out). However, using a public/private key pair is already quite secure.

The following explanation has been applied and tested on Ubuntu, but should also work on other Linux variants.

To use this, install OpenSSH and then make sure the following are set in /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes

Each user who should be granted access to the system generates their own key pair. This can easily be done (also on Windows) using PuTTY: after installation, run the PuTTYgen utility to generate an “SSH-2 RSA” key pair. Save the private key file in a safe place; it is needed to connect to the server. The public key (as shown at the top of the PuTTYgen window) should be sent to the administrator, as it is needed to grant access.

In the user’s home directory, create a “.ssh” directory and in there an “authorized_keys2” file, and paste the public key into it. Note that the key must be on a single line and there must be an empty line at the end of the file.
You have to make sure the permissions on these are set correctly. If the user is “test”, this can be done using

cd /home/test
chmod -R 0700 .ssh
chown -R test:test .ssh

Afterwards, restart ssh:
/etc/init.d/ssh restart
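As an added example (not code from the original post), the key-installation steps above as a small shell script: it appends a one-line OpenSSH-format public key to the user's authorized_keys2, sets the permissions, and then verifies the layout sshd expects. The home directory, key and owner arguments are placeholders chosen for this example, and the chown step only runs when the script is executed as root.

```bash
#!/bin/sh
# Added example, not code from the original post: install a PuTTYgen public
# key into a user's authorized_keys2 file the way the post describes
# (one key per line, newline-terminated, .ssh mode 0700) and verify the result.
# The home directory, key and owner arguments are placeholders for this example.

NL='
'

install_authorized_key() {
    home_dir="$1"   # e.g. /home/test
    pubkey="$2"     # "ssh-rsa AAAA... comment", as shown at the top of PuTTYgen
    owner="$3"      # user:group, e.g. test:test

    # PuTTYgen's own .pub export is multi-line; only the OpenSSH one-line
    # form shown in the top box is valid in authorized_keys2.
    case "$pubkey" in
        "ssh-rsa "*) ;;
        *) echo "not an OpenSSH-format ssh-rsa key" >&2; return 1 ;;
    esac
    case "$pubkey" in
        *"$NL"*) echo "key must be on a single line" >&2; return 1 ;;
    esac

    mkdir -p "$home_dir/.ssh" || return 1
    # printf '%s\n' appends the key and guarantees the trailing newline.
    printf '%s\n' "$pubkey" >> "$home_dir/.ssh/authorized_keys2" || return 1
    chmod 0700 "$home_dir/.ssh" || return 1
    chmod 0600 "$home_dir/.ssh/authorized_keys2" || return 1
    # Only root can hand the directory to the user (the post's chown step).
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$home_dir/.ssh" || return 1
    fi
}

# Returns 0 when .ssh is mode 0700 (sshd's StrictModes rejects group/world-
# writable key files), the key file exists, ends in a newline and holds
# only ssh-rsa lines.
verify_authorized_keys() {
    dir="$1/.ssh"
    f="$dir/authorized_keys2"
    [ -n "$(find "$dir" -prune -perm 0700)" ] || return 1
    [ -f "$f" ] || return 1
    [ -z "$(tail -c 1 "$f")" ] || return 1     # last byte must be "\n"
    ! grep -qv '^ssh-rsa [A-Za-z0-9+/=]\{1,\}' "$f"
}
```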
