Saturday , November 18 2017
Home / Ethical Hacking / How To Configure SSH Key-Based Authentication on a Linux Server
SSH Key-Based Authentication

How To Configure SSH Key-Based Authentication on a Linux Server

Introduction to SSH

Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. The best known example application is for remote login to computer systems by users. (wikipedia)

SSH known as secure shell is an encrypted protocol that is used to administer and communicate with remote servers aound the globe. There are various ways to access remote server, but for now we will get login access to our server via SSH.

SSH is a tool for secure system administration, file transfers, and other communication across the Internet or other untrusted network. It encrypts identities, passwords, and transmitted data so that they cannot be eavesdropped and stolen.

OpenSSH is an open source implementation of the SSH protocol. It is based on the free version by Tatu Ylonen and further developed by the OpenBSD team and the user community.

SSH key comes with private and public keys which together allows a client to access the server. Any usual password can be easily cracked with brute force attack but SSH keys are nearly impossible to be cracked by brute force because its more secure than any other key. SSH keys are encrypted with passphrase that increase the level of encryption. Without passphrase no body can gain access to the server.

Accessing the remote server with SSH is way more easy. Public keys should be placed on the server in .ssh directory so that client can access the server that already has the private key placed in his .ssh directory.

When the two match up, the system unlocks without the need for a password. You can increase security even more by protecting the private key with a passphrase.

The diagram shows a laptop connecting to a server via SSH.

How to generate SSH keys?

 

SSH keys can be easily generated with a utility called ssh-keygen (It can be used with arguments or without). In this scenario ssh-keygen will create SSH-keys, -t is type and rsa is the encryption algorithm, -b shows the bit size.

The keys will be saved in the root directory of .ssh with name as id_rsa (private key) and id_rsa.pub (public key). If the keys already exist, it will overwrite the previous keys.

Choosing an Algorithm and Key Size

There are various kinds of encryption algorithms.

  • rsa Its an old algorithm with a large key size of at least 2048 bits and 4096 bits (better) and is highly recommended for secure connection. All SSH clients use this algorithm.
  • dsa Digital Signature Algorithm is a US old security algorithm – not recommended. A key size of 1024 would normally be used with it.
  • ecdsa A new Digital Signature Algorithm standarized by the US government, using elliptic curves. This is probably a good algorithm for current applications. Only three key sizes are supported: 256, 384, and 521 bits. Using it with 521 bits is recommended. Most SSH clients support this algorithm.
  • ed25519 This is a new algorithm added in OpenSSH. Support for it in clients is not yet universal. Thus its use in general purpose applications may not yet be advisable.

Copying the Public Key to the Server

SSH public key can be copied to the server and installed in an authorized_keys file. This can be conveniently done using the ssh-copy-id tool.

ssh-copy-id -i ~/.ssh/id_rsa.pub user@host

Once the public key has been configured on the server, the server will allow any connecting user that has the private key to log in. During the login process, as described above SSH tunnel verifies the possession of private key with the client that wants to connect.

Now you can go ahead and log into user@host.

Disable the Password for Root Login (optional)

Once you have copied your SSH keys to your server and ensured that you can log in with the SSH keys alone, you can go ahead and restrict the root login to only be permitted via SSH keys.

In order to do this, open up the SSH config file:

sudo nano /etc/ssh/sshd_config

Within that file, find the line that includes PermitRootLogin and modify it to ensure that users can only connect with their SSH key:

PermitRootLogin without-password

Open the new terminal and put the following changes.

reload ssh

Troubleshooting

Following are the reasons why SSH authentication fails:

  • The server might not be configured to accept public key authentication. Make sure /etc/ssh/sshd_config on the server contains PubkeyAuthentication yesRemember to restart the sshd process on the server.
  • If trying to login as root, the server might not be configured to allow root logins. Make sure /etc/sshd_configincludesPermitRootLogin yes PermitRootLogin,prohibit-password If it is set to forced-commands-onlythe key must be manually configured to use a forced command see command= option in ~/.ssh/authorized_keys
  • Make sure the client allows public key authentication. Check that /etc/ssh/config includes PubkeyAuthentication yes
  • Try adding -v option to the ssh command used for the test. Read the output to see what it says about whether the key is tried and what authentication methods the server is willing to accept.
  • OpenSSH only allows a maximum of five keys to be tried authomatically. If you have more keys, you must specify which key to use using the -i option to sshFor more articles please view my blog.

About Kamran Mohsin

Kamran Mohsin
I'm a software engineer by profession, a passionate and experienced web designer, developer and blogger. I use to work with programming languages on daily basis and works to get something new into my knowledge prior to what I had before. I write blogs about information security, WordPress, various ways to make money and more.

Check Also

Exploit with OS Command Injection

OS command injection is an attack in which the goal is execution of arbitrary commands …

Leave a Reply

Your email address will not be published. Required fields are marked *