LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 11-01-2011, 05:15 PM   #1
veeruk101
Member
 
Registered: Mar 2005
Distribution: Ubuntu 12.04 LTS
Posts: 249

Rep: Reputation: 16
Requiring public key in order to SSH into a machine


I'd like to make it necessary to have a public key in order to SSH into a machine. Meaning if you try to brute force the password, even if you guess the password correctly you won't be able to use it because you don't have the public key of the SSH server. My first question is whether this is the recommended best practice, or should I continue to allow the choice of a public key or the password? (The only problem I see with key-only authentication is that if I somehow lose my client's private key I can no longer log into my server...)

Currently my setup allows for passwordless SSH authentication if you have a public key, but it also allows for a username and password without the public key and that works too (which isn't what I want). Which of the following do I need to set in order to enable the public key-only functionality? Different tutorials list different combinations of the settings below - if someone could tell me the bare minimum I need to change in order for it to work, that would be great.

Quote:
RSAAuthentication
PubkeyAuthentication
ChallengeResponseAuthentication
PasswordAuthentication
UsePAM
Now let's say I've set up a public key-only login. If I want to create a new set of keys on my SSH server (let's say after reformatting my client - a laptop), I'm guessing I can't use ssh-copy-id to copy the newly created public key to the server? I'd be locked out of my server, so what would be the best way to set things up again and allow my laptop to SSH into my server again?

Last edited by veeruk101; 11-01-2011 at 05:23 PM.
 
Old 11-02-2011, 08:38 AM   #2
neonsignal
Senior Member
 
Registered: Jan 2005
Location: Melbourne, Australia
Distribution: Debian Jessie (Fluxbox WM)
Posts: 1,387
Blog Entries: 52

Rep: Reputation: 355Reputation: 355Reputation: 355Reputation: 355
It is a good thing to restrict the number of ways to access a machine. Whether a password or a keyfile is better depends on how you manage them. If you use a PKI key, then it is good practice to password protect the PKI file.

To disable the password access, it is sufficient to set PasswordAuthentication to 'no' in the server configuration (the other parameters have reasonable defaults). You will need to restart the server.

If you have to set up a new PKI key, you need to add the public part to the server before you remove the old local key (use the '-i' flag to use the new key file). Once it has been added, you can change the local key to the new one, and restart the ssh session (and remove the old key from the servers authorized keys if it is no longer required).

If you lose the PKI key, then yes, you will be unable to access the server.

Last edited by neonsignal; 11-02-2011 at 08:52 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
open-ssh vs. commercial ssh (tru64), public-key auth not possible? cf050 Linux - Networking 8 03-28-2012 12:15 PM
NoMachine NX while still requiring key auth for SSH, possible? Chip Sprague Linux - Security 1 08-29-2011 03:48 PM
SSH skips public key authentication for a key, but works with another key simopal6 Linux - General 1 07-06-2011 09:33 AM
Putty/SSH login failed when using RSA public key: 'Server refused our key' itsecx@gmail.com Linux - Server 10 10-04-2010 02:19 PM
ssh to remote machine with public-key method 2007fld Linux - Security 2 08-13-2007 04:13 PM


All times are GMT -5. The time now is 04:22 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration