LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-24-2005, 03:00 AM   #1
houler
Member
 
Registered: Mar 2005
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Posts: 166

Rep: Reputation: 30
Question Step-by-step instructions setting up RSA Authentication for SSH?


OS: Slackware 10.1
Kernel: 2.6.11.7
Openssh 3.9p1


I read the long thread on " SSH login attempts" up top, but I still don't know how to setup RSA Authentication for SSH. Thread wasn't clear enough for me to understand. One person would say do it this way, another person would say do it that way. Well I'm all confused now I'm looking for one way (preferably easiest) and when I do it that 'one way' it'll work right off the bat.

I tried setting it up a couple of times, but with no success. So I decided to start from scratch and now here I am

Assuming I just downloaded the newest version of OpenSSH. How would one successfully setup RSA Authentication for SSH?

This thread could also help the rest of the people that want to setup RSA Authentication.


--EDIT--

On the Server side, then on the client side.

Last edited by houler; 04-24-2005 at 02:50 PM.
 
Old 04-24-2005, 04:18 AM   #2
Artanicus
Member
 
Registered: Jan 2005
Location: Finland
Distribution: Ubuntu, Debian, Gentoo, Slackware
Posts: 827

Rep: Reputation: 31
in a nutshell, all it takes is:

enable rsa authoentication in sshd_config, disable cleartext passwds

Then create yourself a key to use:
ssh-keygen -t rsa
will guide you thru that. When you have the key generated, cp the id_rsa.pub to your ~/.ssh/authorized_keys
And, take the id_rsa to every machine you need to log in from. Only when providing it upon connect, you will be allowed access. Use it with openssh via the -i switch, and from windows machines, you must convert your openssh key via puttygens importer, then use the converted key with putty.

Thats as simple as I can make it, hope this helps.
 
Old 04-24-2005, 02:49 PM   #3
houler
Member
 
Registered: Mar 2005
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Posts: 166

Original Poster
Rep: Reputation: 30
...

Thanks for your reply. I'll try it in a few.

Ok, just to add:

I want to replace password authentication with RSA authentication on my SSHD server.

How would I go about doing that (server side and client side)?


"disable cleartext passwds"

I hope that means changing:


# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication NO?

Last edited by houler; 04-24-2005 at 03:13 PM.
 
Old 04-24-2005, 03:27 PM   #4
houler
Member
 
Registered: Mar 2005
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Posts: 166

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by Artanicus
in a nutshell, all it takes is:

enable rsa authoentication in sshd_config, disable cleartext passwds

Then create yourself a key to use:
ssh-keygen -t rsa
will guide you thru that. When you have the key generated, cp the id_rsa.pub to your ~/.ssh/authorized_keys
And, take the id_rsa to every machine you need to log in from. Only when providing it upon connect, you will be allowed access. Use it with openssh via the -i switch, and from windows machines, you must convert your openssh key via puttygens importer, then use the converted key with putty.

Thats as simple as I can make it, hope this helps.
"cp the id_rsa.pub to your ~/.ssh/authorized_key"

im in /root

i did 'ssh-keygen -t rsa'

then I copied irc_rsa.pub to /root/.ssh/authorized_keys, is authorized_keys a folder? or a file?
 
Old 04-24-2005, 03:27 PM   #5
Artanicus
Member
 
Registered: Jan 2005
Location: Finland
Distribution: Ubuntu, Debian, Gentoo, Slackware
Posts: 827

Rep: Reputation: 31
"PasswordAuthentication no" is indeed the way to go.
"PubkeyAuthentication yes" is the actual way to allow key-based authentication.

Client side, there isnt much to change if youre using OpenSSH:s client. If you have the keyfile in your ~/.ssh/id_rsa then you need not do anything differently than before. If you have it elsewhere or under another name, you need to supply it with the -i parameter.
 
Old 04-24-2005, 03:29 PM   #6
Artanicus
Member
 
Registered: Jan 2005
Location: Finland
Distribution: Ubuntu, Debian, Gentoo, Slackware
Posts: 827

Rep: Reputation: 31
Quote:
Originally posted by houler
"cp the id_rsa.pub to your ~/.ssh/authorized_key"

im in /root

i did 'ssh-keygen -t rsa'

then I copied irc_rsa.pub to /root/.ssh/authorized_keys, is authorized_keys a folder? or a file?
Its a file. The key itself should be on one single line in the file. You can have multiple keys on multiple lines btw.
 
Old 04-24-2005, 03:31 PM   #7
houler
Member
 
Registered: Mar 2005
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Posts: 166

Original Poster
Rep: Reputation: 30
Yay it work! Thank you for the how-to. Greatly appreciated.
 
Old 04-24-2005, 03:38 PM   #8
houler
Member
 
Registered: Mar 2005
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Posts: 166

Original Poster
Rep: Reputation: 30
Also, is there a way to automatically login to the SSHD server without using the '-i' switch and entering the passphrase everytime?

like what if the passphrase was pretty long?

Last edited by houler; 04-24-2005 at 03:39 PM.
 
Old 04-24-2005, 03:43 PM   #9
Artanicus
Member
 
Registered: Jan 2005
Location: Finland
Distribution: Ubuntu, Debian, Gentoo, Slackware
Posts: 827

Rep: Reputation: 31
well, you could allways alias the command to shorten it..

The passphrase can be empty, but its not advisable. Ive had some empty keyd limited keys for automated filetransfer, so sometimes its useful..

Do note, you cant change the passphrase. Youll have to generate a new key if you want to change any of the details.
 
Old 04-24-2005, 03:47 PM   #10
houler
Member
 
Registered: Mar 2005
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Posts: 166

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by Artanicus
well, you could allways alias the command to shorten it..

The passphrase can be empty, but its not advisable. Ive had some empty keyd limited keys for automated filetransfer, so sometimes its useful..

Do note, you cant change the passphrase. Youll have to generate a new key if you want to change any of the details.
Alias the command, that sounds nice. Can you share an example?

like what if the passphrase was 'houler'.

nevermind.

Last edited by houler; 04-25-2005 at 01:23 AM.
 
Old 04-24-2005, 05:45 PM   #11
maxque
LQ Newbie
 
Registered: Apr 2005
Location: Vancouver
Distribution: Debian
Posts: 28

Rep: Reputation: 15
This thread explains how to use ssh-keygen to created a key for yourself. But does not your machine itself have a key which can be copied to other machines on your network so that at the linux server/clients can all recognize each other as trusted computers?

The ssh man file reads about /etc/ssh/ssh_known_hosts

Quote:
Systemwide list of known host keys. This file should be prepared
by the system administrator to contain the public host keys of
all machines in the organization.
How does the system administrator create the keys for each computer?

maxque
 
Old 04-25-2005, 01:22 AM   #12
houler
Member
 
Registered: Mar 2005
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Posts: 166

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by maxque
This thread explains how to use ssh-keygen to created a key for yourself. But does not your machine itself have a key which can be copied to other machines on your network so that at the linux server/clients can all recognize each other as trusted computers?

The ssh man file reads about /etc/ssh/ssh_known_hosts



How does the system administrator create the keys for each computer?

maxque
Once you generate the priv. key. you can send it to other computers so other computers can connect to the sshd server using that (the one that was generated on the sshd server) key/passphrase.

You can also generate keys for different users. (if i'm user houler, I can generate my own key, so I can login to my own account with that key instead of using the login/password scheme)

Last edited by houler; 04-25-2005 at 01:24 AM.
 
Old 04-25-2005, 01:23 AM   #13
houler
Member
 
Registered: Mar 2005
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Posts: 166

Original Poster
Rep: Reputation: 30
I did a google search and I found out that you can use ssh-agent to manage the passphrases. But the things is that once the shell that the ssh-agent is on has quit, the passphrases will be forgotten until the next ssh-agent session?

Also,

I found a more convenient way which used keychain with ssh-agent but...

My source: http://www.cs.utah.edu/support/faq/faq-ssh.html


How do i circumvent this to make it a bit more permanent?

So that when i restart the computer, I still don't have to type in my passphrase?

Last edited by houler; 04-25-2005 at 01:25 AM.
 
Old 04-25-2005, 02:49 AM   #14
Artanicus
Member
 
Registered: Jan 2005
Location: Finland
Distribution: Ubuntu, Debian, Gentoo, Slackware
Posts: 827

Rep: Reputation: 31
if you want easier access, create a passphraseless key instead. Just hit enter when it asks for a pass.
 
Old 04-25-2005, 01:26 PM   #15
maxque
LQ Newbie
 
Registered: Apr 2005
Location: Vancouver
Distribution: Debian
Posts: 28

Rep: Reputation: 15
Quote:
Originally posted by maxque
[B
How does the system administrator create the keys for each computer?

maxque [/B]
Just after I posted this I found this very old page. The path names are for another operating system however the information is what i was looking for NCSA OpenSSH Installation Guide .

New version 1 keys:


Code:
#ssh-keygen  -t rsa1 -f /etc/ssh/ssh_host_key -N ""
  # chmod 600 /etc/ssh/ssh_host_key
  # chmod 644 /etc/ssh/ssh_host_key.pub
version 2 keys;

Code:
  # ssh-keygen  -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
  #ssh-keygen  -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
  # chmod 600 /etc/ssh/ssh_host_dsa_key
  # chmod 600 /etc/ssh/ssh_host_rsa_key
  # chmod 644 /etc/ssh/ssh_host_dsa_key.pub
  # chmod 644 /etc/ssh/ssh_host_rsa_key.pub
Those are machine specific keys not user specific. Like the man file says you generate a set of these for each machine on your network and the ssh_host_key becomes a known_hosts entry for each computer on the network.

Watch the path names, they are different for Linux than on the NSCA site.

maxque
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Step-By-Step Instruction to install Linksys WPC11 Ver.4 Wireless Card Zypher Linux - Hardware 8 08-12-2009 11:43 AM
Step by step guide to setting up the internet using Ubuntu. chazyd Linux - Networking 2 04-24-2005 02:48 PM
need a step by step on sftp via SSH please Lleb_KCir Linux - General 1 11-12-2004 03:13 AM
i need step by step instructions to install wine and then Kazaa ralphus Linux - Newbie 3 11-14-2003 01:32 PM
Step-by-step Apache upgrade Instructions?? where to get Mike_Toth Linux - General 5 05-08-2003 03:22 PM


All times are GMT -5. The time now is 11:17 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration