Secure SSH server with Public/Private key authentication

From Debian Wiki

Introduction

SSH is one of the most widely used systems in the world and is a frequent target of brute-force attacks. The following tutorial shows how to use public and private keys to log in to your SSH server and how to turn off normal password authentication once that works.

Requirements

Pre-Installation

Before proceeding to install, update the necessary packages in Debian with these commands.

apt-get update
apt-get upgrade

Install SSH

Install the SSH server and SSH client with the following command.

apt-get install ssh

Generating an SSH public/private key pair

Before we can even authenticate to the remote machine using key based authentication, we need to create a public/private key pair. To do so, simply execute the following command on your local machine:

ssh-keygen

This produces the following prompt; press Enter to accept the default path unless you want to save the key somewhere else.

Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):

Now enter a secure passphrase (DO NOT leave the passphrase empty: anybody who obtains your private key (/home/user/.ssh/id_rsa) will be able to connect to your remote host).

Enter passphrase (empty for no passphrase):
Enter same passphrase again:

And once you've done this you'll get the following output:

Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX user@host

Your key pair has now been generated. To check that both files were created, run this command:

ls -l ~/.ssh/

and you should see the following two files:

id_rsa
id_rsa.pub

Now that we have our public/private key pair ready, we need to upload it to the remote machine and enable access with it.

Adding the public key to the authorized keys file

From your local machine execute the following scp command to copy your public key to your SSH server.

scp ~/.ssh/id_rsa.pub remoteuser@remotehost:~/

Now that it has been uploaded you need to append the id_rsa.pub key to your authorized_keys file.

ssh remoteuser@remotehost
remoteuser@remotehost's password:
mkdir -p ~/.ssh && chmod 700 ~/.ssh      # the directory does not exist yet on a fresh account
cat id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys         # sshd ignores the file if it is writable by others
rm id_rsa.pub
exit
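The manual steps above work, but they are easy to get slightly wrong: run twice they add the key twice, and a ~/.ssh directory or authorized_keys file with loose permissions makes sshd silently ignore the key (StrictModes is on by default). The following script is an added example, not part of the Debian Wiki page, that performs the same append idempotently and with the expected permissions. It assumes it runs on the remote host after scp has placed the .pub file there; the function name, the optional second argument (used so the demo can work in a scratch directory instead of $HOME/.ssh) and the placeholder key in the demo are all constructed for this example.

```shell
# install_authorized_key PUBKEY_FILE [SSH_DIR]
# Appends the public key in PUBKEY_FILE to SSH_DIR/authorized_keys (default
# $HOME/.ssh) unless the same key material is already there.
# Prints "added" or "present"; returns 2 if the file is not a public key line.
install_authorized_key() {
    pubkey_file="$1"
    ssh_dir="${2:-$HOME/.ssh}"
    auth_file="$ssh_dir/authorized_keys"

    # Only the first line is used. It must look like "<type> <base64 blob> [comment]";
    # every OpenSSH key blob starts with "AAAA" (length prefix of the type string).
    key_line="$(head -n 1 "$pubkey_file")"
    printf '%s\n' "$key_line" | grep -Eq '^[a-z0-9@.-]+ AAAA[A-Za-z0-9+/]{16,}=*( |$)' \
        || { echo "not an OpenSSH public key line: $pubkey_file" >&2; return 2; }

    # sshd (StrictModes yes) refuses keys from a directory or file that others can write.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"

    # Compare on type + key material only, so a different comment is not a new key.
    key_material="$(printf '%s' "$key_line" | cut -d' ' -f1,2)"
    if awk -v k="$key_material" '($1 " " $2) == k { found = 1 } END { exit !found }' "$auth_file"; then
        echo present
    else
        printf '%s\n' "$key_line" >> "$auth_file"   # normalises the trailing newline
        echo added
    fi
}

# Demo with a constructed placeholder key (not a real key) in a scratch directory.
demo_dir="$(mktemp -d)"
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERNOTAREALKEY000000000000000000 user@host' \
    > "$demo_dir/id_ed25519.pub"
install_authorized_key "$demo_dir/id_ed25519.pub" "$demo_dir/ssh"   # added
install_authorized_key "$demo_dir/id_ed25519.pub" "$demo_dir/ssh"   # present
```

On a real host you would call it as `install_authorized_key ~/id_rsa.pub` right after the scp step, then `rm ~/id_rsa.pub` as the page does. The permission checks are the part that matters most in practice: when key login unexpectedly still asks for a password, `/var/log/auth.log` on the server usually reports a "bad ownership or modes" message for exactly this reason.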

Now, we need to configure the remote SSH server to accept authentication by key pair. This is usually enabled by default. If not, the next section will cover how to activate key based authentication.

Activating key based authentication on the server

You will now need to connect as root on the remote machine.

ssh root@remotehost

Now open and edit /etc/ssh/sshd_config

vim /etc/ssh/sshd_config

and make sure you have the following lines:

RSAAuthentication yes
PubkeyAuthentication yes

Save the file and reload the server:

/etc/init.d/ssh reload

Now you should be able to connect to remoteuser@remotehost without supplying a password (only the passphrase of your private key, if you set one) by simply typing the following:

ssh remoteuser@remotehost

If your private key file is not the standard ~/.ssh/id_rsa, you can use the -i switch to inform ssh of the location using the following command:

ssh -i /path/to/private/key remoteuser@remotehost

Once you are sure that you can log into the remote host using your private key, we can safely disable the username/password authentication.

Disabling authentication by password

In order to disable authentication by password you will need to connect as root on the remote machine. Once connected, go and edit /etc/ssh/sshd_config:

ssh root@remotehost
vim /etc/ssh/sshd_config

Make sure you have the following settings:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

Now reload the SSH server:

/etc/init.d/ssh reload
exit

Now, open a new shell and connect to the remote host using your private key:

ssh remoteuser@remotehost

And also make sure that you can't connect without a key anymore:

cd ~/.ssh
mv id_rsa id_rsa.bck
ssh remoteuser@remotehost
Permission denied (publickey).
mv id_rsa.bck id_rsa

If you are rejected with "Permission denied (publickey)." then all is good and your SSH server is protected against brute-force attacks.
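The two sshd_config edits on this page (enabling PubkeyAuthentication, then setting ChallengeResponseAuthentication and PasswordAuthentication to no) are easy to undo by accident, because sshd honours only the first occurrence of a keyword and ignores commented lines. The script below is an added example, not from the Debian Wiki page, that checks an sshd_config file for those settings before you reload the server. It reads the global section the way sshd does (first occurrence wins; anything after the first `Match` line is conditional) and falls back to the OpenSSH defaults for absent keywords. RSAAuthentication is not checked since it only ever applied to SSH protocol 1. The function names and the two config fragments in the demo are constructed for this example.

```shell
# sshd_setting FILE KEYWORD DEFAULT -> prints the effective global value of KEYWORD
# Keywords are case-insensitive in sshd_config; "Keyword value" syntax is assumed.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        NF == 0 || $1 ~ /^#/   { next }                       # blank lines and comments
        tolower($1) == "match" { exit }                       # end of the global section
        tolower($1) == key     { print $2; found = 1; exit }  # first occurrence wins
        END { if (!found) print def }                         # absent keyword: default
    ' "$1"
}

# audit_sshd_config FILE -> prints one line per setting; returns 1 on any mismatch
audit_sshd_config() {
    cfg="$1"
    rc=0
    # keyword  required-value  OpenSSH-default
    for spec in \
        "PubkeyAuthentication yes yes" \
        "PasswordAuthentication no yes" \
        "ChallengeResponseAuthentication no yes"
    do
        set -- $spec
        actual="$(sshd_setting "$cfg" "$1" "$3" | tr 'A-Z' 'a-z')"
        if [ "$actual" = "$2" ]; then
            echo "ok    $1 $actual"
        else
            echo "FAIL  $1 is '$actual', want '$2'"
            rc=1
        fi
    done
    return $rc
}

# Demo on two constructed fragments: a config that still allows password
# logins (the keyword is simply absent, so the default "yes" applies) and the
# hardened version this page ends with.
demo_dir="$(mktemp -d)"
printf '%s\n' '# constructed "before" fragment' 'PubkeyAuthentication yes' 'UsePAM yes' > "$demo_dir/before"
printf '%s\n' 'PubkeyAuthentication yes' 'ChallengeResponseAuthentication no' \
              'PasswordAuthentication no' 'UsePAM no' > "$demo_dir/after"
audit_sshd_config "$demo_dir/before" || echo "before: password logins still possible"
audit_sshd_config "$demo_dir/after"  && echo "after: key-only"
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` on the server before the `/etc/init.d/ssh reload` step, together with `sshd -t` (syntax check) so a typo cannot leave you locked out; `sshd -T` prints the values sshd actually uses, defaults included, if you want to cross-check. Note that the audit reports the global section only: a `Match` block can re-enable password authentication for particular users or addresses, so any such blocks deserve a look of their own.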