-   Linux - Networking (
-   -   SSH RSA Auth (

lil_drummaboy 11-27-2005 12:14 PM


I don't really understand the concept of ssh key authentication but i have written a custom useradd script that will create the user, make a public/private key for them, add it to authorized_keys for that user, and e-mail them the private key. My question is, how can I make my ssh server only accept keys and not allow "username/password" style logins. Currently, i am making passphrases for my keys, my other question is, if i have a RSA key and a passphrase, would allowing root login then be secure seeing they would have to guess a 1024 bit key and passphrase? So for now, my aim is to have a "RSA key only" authentication on my server. Is this possible, and can anyone point me in the right direction to set it up? So far, the howtos i've read don't make much sense about this specificaly.

Thanks in advance

GaijinPunch 11-27-2005 04:42 PM

In the ssh_config file (most likely /etc/ssh/ssh_config) try setting the following:

RSAAuthentication yes
PasswordAuthentication no

then restart the sshd process. That should do it. Basically, RSA Key authentication is just that... the server will only allow logins from machines with proper keys. It's just an addedd security measure, which gets a little annoying, if you ask me, but I live on a relatively small network, so the moron factor is cut to a minimum.

As for your second question, it really depends on how many people know the root password I guess. I'm curious if you could even allow root automatic logins by putting the rsa key in "authorized_keys". Sounds like a reall crappy design if you could, but I've never tried. That's the only thing I would be worried about to be honest.

lil_drummaboy 11-27-2005 06:42 PM

I don't have a large network either, it's just that this sshd is on a live webserver with a few domains, and I am the only one who know root or really needs to ssh in remotely so i figured tight security would be worth the time. Thanks for the reply! I tried what you said earlier and it didn't work, but I just realized that Debian 3.1's sshd uses PAM so i guess that will need to be disabled aswell. Also, you can have an authorized key for root, it is more insecure then "su-ing" once you get in, but my keys do have secure passphrases needed to use it aswell so, it's a thing i'll think about. Again, thanks

All times are GMT -5. The time now is 07:51 AM.