13 August 2012

ssh public key authentication

So, you don't want to type a password every time you ssh to your server, but you still want the connection fully secured. This post shows how to do that with private/public key authentication.

Requirement :

Understanding of public/private key infrastructure.

Terminology :

  • Public key  : think of it as the lock; it stays on the server that you want to ssh to.
  • Private key : think of it as the key; it stays on your PC and you have to keep it as secret as possible. No one but you should ever see this key.
  • The two keys form a mathematically related pair. If one key is used to encrypt information, then only the related key can decrypt that information.


Primary steps :

  1. Create the keypair on the client.
  2. Copy the Public Key to the Server.
  3. Done.

Steps in detail :

OK, by default the sshd service on the server accepts publickey authentication :

client# ssh -v 10.254.10.30

OpenSSH_5.8p2, OpenSSL 1.0.0
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 10.254.10.30 [10.254.10.30] port 22.
debug1: Connection established.
...
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password
root@10.254.10.30's password:

You need to type a password to log on.

It's time to make it work without a password.

1. Create the keypair on the client.

Client# cd ~
Client# ssh-keygen 

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
6d:0f:a5:e9:7e:87:2c:4c:22:27:cb:40:38:0d:48:ad

The fingerprint will be different on yours.

After that, we have 2 files :
  • Public Key  : id_rsa.pub
  • Private Key : id_rsa
Let's see what they are :

The Public Key

Client# cat .ssh/id_rsa.pub

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAl99XlhWZF3vw3aePvYGdcWPuXi8VYP4fHEP6gLCFvlS1yQ9hvcPzPiN4czUt1BCXc1nZIzrdtB
...
dRTJJevosba4VYfXsx1NFbm7YJdbGShsQpZM3t7D4D7iuWyd8nGKgojJ5aqHCwiSnFCez

The Private Key

Client# cat .ssh/id_rsa

-----BEGIN RSA PRIVATE KEY-----
MIIEoQIBAAKCAQEAl99XlhWZF3vw3aePvYGdcWPuXi8VYP4fHEP6gLCFvlS1yQ9h
vcPzPiN4czUt1BCXc1nZIzrdtBlRsPjV1HiHNB5LTQF7HKrAIwHN9LlHwfDt0VPW
...
NsuABoq+2FZYVM9wjaJvWa9gCqRj6iyOKUj7nIsUW57v53bVug==
-----END RSA PRIVATE KEY-----

2. Copy the Public Key to the Server.

Client# ssh-copy-id -i .ssh/id_rsa.pub root@10.254.10.30

The authenticity of host 'ServerTest(10.254.10.30)' can't be established.
RSA key fingerprint is 79:04:3d:72:08:91:e5:05:0a:06:97:b2:04:2d:7e:31.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ServerTest,10.254.10.30' (RSA) to the list of known hosts.
root@10.254.10.30's password:
Now try logging into the machine, with "ssh 'root@10.254.10.30'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.

You need to type the password one last time so that id_rsa.pub can be copied to the server.

Let's check if that file has been placed on the server.

Server# cd ~
Server# ls -al .ssh/

total 20
drwx------ 3 root root 4096 Jun 18 22:17 .
drwxr-x--- 5 root root 4096 Jun 18 22:15 ..
-rw------- 1 root root 394 Jun 18 22:17 authorized_keys

Note the permissions on that directory and file (0700 and 0600, owned by the user).

Let's see what it is.

Server# cat .ssh/authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAl99XlhWZF3vw3aePvYGdcWPuXi8VYP4fHEP6gLCFvlS1yQ9hvcPzPiN4czUt1BCXc1nZIzrdtB...
dRTJJevosba4VYfXsx1NFbm7YJdbGShsQpZM3t7D4D7iuWyd8nGKgojJ5aqHCwiSnFCez

Notice that it is identical to the file id_rsa.pub on the client.

3. Done.

Back on the client, let's see what happens when making ssh again :

Client# ssh -v 10.254.10.30

OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to [10.254.10.30] port 22.
debug1: Connection established.
...
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
...
debug1: Authentication succeeded (publickey).

No more typing password and it works like a charm.
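What ssh-copy-id does on the server side, as an added example that is not from the original post: a small POSIX shell script that validates the public key line, appends it to authorized_keys only if it is not already there, sets the permissions that sshd's StrictModes requires, and counts the keys so the "make sure we haven't added extra keys" check from the ssh-copy-id message can be done by machine. The function names and the key line in the demo are constructed for this example; it needs no ssh binaries, so it also works for staging authorized_keys into an image or a config-management repository.

```shell
#!/bin/sh
# Added example (not from the original post): the manual equivalent of what
# ssh-copy-id does on the server, plus the permission audit that sshd's
# StrictModes performs before it will trust ~/.ssh/authorized_keys.
# Needs only POSIX sh, grep and ls; no ssh binaries are required.

# Accept only lines that look like an OpenSSH public key: key type, base64 blob,
# optional comment. This rejects private-key material pasted by mistake.
valid_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq '^(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Append the first line of $1 to $2/.ssh/authorized_keys unless it is already
# there, creating the directory and file with the permissions sshd expects.
install_authorized_key() {
    pubfile=$1; home=$2
    key=$(head -n 1 "$pubfile" 2>/dev/null)
    valid_pubkey_line "$key" || { echo "refusing: $pubfile is not a public key line" >&2; return 1; }
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    authkeys="$home/.ssh/authorized_keys"
    [ -f "$authkeys" ] || : > "$authkeys"
    chmod 600 "$authkeys"
    # -F literal, -x whole line: a key that is a prefix of another must not match
    if grep -Fxq "$key" "$authkeys"; then
        echo "already present, nothing added" >&2
        return 0
    fi
    printf '%s\n' "$key" >> "$authkeys"
}

# Mode string as ls prints it, e.g. "drwx------"; works with GNU and BSD ls.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Returns 0 when the layout matches what sshd (StrictModes yes) requires:
# home not writable by group/other, ~/.ssh 0700, authorized_keys 0600.
audit_ssh_perms() {
    home=$1; ok=0
    case "$(mode_of "$home")" in
        ?????w*|????????w*) echo "home dir is group/world writable" >&2; ok=1 ;;
    esac
    [ "$(mode_of "$home/.ssh")" = "drwx------" ] || { echo ".ssh is not 0700" >&2; ok=1; }
    [ "$(mode_of "$home/.ssh/authorized_keys")" = "-rw-------" ] || { echo "authorized_keys is not 0600" >&2; ok=1; }
    return $ok
}

# Number of key lines in an authorized_keys file: the "check in authorized_keys
# to make sure we haven't added extra keys" step from the ssh-copy-id message.
count_authorized_keys() {
    grep -Ec '^(ssh-|ecdsa-)' "$1"
}

# Stand-alone demo in a temporary directory with a constructed (not real) key.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home" && chmod 755 "$tmp/home"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructedEXAMPLEkey== user@client\n' > "$tmp/id_rsa.pub"
    install_authorized_key "$tmp/id_rsa.pub" "$tmp/home"
    install_authorized_key "$tmp/id_rsa.pub" "$tmp/home"   # second run is a no-op
    audit_ssh_perms "$tmp/home" && echo "permissions OK"
    count_authorized_keys "$tmp/home/.ssh/authorized_keys"  # prints 1
    rm -rf "$tmp"
}
demo
```

The whole-line match in `install_authorized_key` is what makes the script safe to re-run from a deployment job: running it twice never duplicates a key, and the audit function gives the same verdict sshd would, so a failed login can be diagnosed on the server without reading sshd's debug output.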

Known issues :

+ If it still doesn't work, make sure you have disabled the SELinux feature.

Server# cat /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
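Turning SELinux off removes a system-wide control to cure what is usually a file-labelling problem: when ~/.ssh or authorized_keys is created or copied with the wrong security context, sshd (which runs in its own confined domain) is denied read access and falls back to password authentication. As an added example that is not from the original post, these shell helpers report the SELinux mode, relabel ~/.ssh with restorecon so that SELinux can stay enabled, and pull the matching denials from the audit log to confirm the diagnosis first. The paths /sys/fs/selinux/enforce and /var/log/audit/audit.log and the tools getenforce and restorecon are the standard ones on RHEL-family systems; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): find out what SELinux is doing and
# repair the file context on ~/.ssh instead of switching SELinux off. restorecon
# resets labels to what the loaded policy expects without changing the policy.

# Prints enforcing, permissive or disabled. Prefers getenforce(8), falls back to
# the selinuxfs flag, and reports disabled when neither exists (non-SELinux host).
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr '[:upper:]' '[:lower:]'
    elif [ -r /sys/fs/selinux/enforce ]; then
        case "$(cat /sys/fs/selinux/enforce)" in 1) echo enforcing ;; *) echo permissive ;; esac
    else
        echo disabled
    fi
}

# Relabel $1/.ssh when SELinux is active. Returns 0 when nothing needed doing or
# the relabel succeeded, 2 when SELinux is on but restorecon is not installed,
# and restorecon's own exit status otherwise.
ensure_ssh_context() {
    home=$1
    mode=$(selinux_mode)
    if [ "$mode" = disabled ]; then
        echo "SELinux disabled, no relabel needed" >&2
        return 0
    fi
    command -v restorecon >/dev/null 2>&1 || { echo "restorecon not found; install policycoreutils" >&2; return 2; }
    # -R recurse, -v print each change; the expected type for ~/.ssh in the
    # targeted policy is ssh_home_t
    restorecon -R -v "$home/.ssh"
}

# Show the last few denials involving sshd, which is how to confirm SELinux is
# the cause before touching anything (needs auditd; quietly skips otherwise).
recent_sshd_denials() {
    [ -r /var/log/audit/audit.log ] || return 0
    grep -E 'type=AVC.*comm="sshd"' /var/log/audit/audit.log | tail -n 5
}

# Stand-alone run: report the mode, then relabel the current user's ~/.ssh.
selinux_mode
recent_sshd_denials
ensure_ssh_context "$HOME"
```

If `recent_sshd_denials` prints AVC lines naming authorized_keys, the relabel is the right fix; if it prints nothing while SELinux is enforcing, look at the file permissions first, because sshd's StrictModes check rejects a group-writable home directory or a world-readable authorized_keys before SELinux is ever consulted.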