SSH Key Authentication

Categories

SSH Key Authentication

You are here:

Introduction

The SSH server provides many different ways for clients to authenticate. The most common way is password authentication, however this can leave you open to password brute force attacks.

Any easy way to secure your ssh server is to change to using Key-Based Authentication instead of password authentication. This requires the client to authenticate with it’s private key which has to match a public key installed on the server (key pair) to get access.

This article will explain how to create, install and authenticate with a key-pair.

First steps

The first step is to make sure you can ssh to the server from your client. We are assuming that you can connect using password authentication.

Check that key authentication is enabled in sshd_config

On the server, log in as root and change to your ssh server configuration directory:

cd /etc/ssh

In there is the configuration file sshd_config. You will want to check for that key authentication is enabled:

PubkeyAuthentication yes

If you had to make a configuration change to sshd_config then restart the ssh service

 

Create ssh keypair

You will need to create a key pair for the client and then install your public key on the server. If you did not have access to this server to do it you would send your public key to the server administrator to install.

For this scenario, we assume you are the server administrator and have a current method to access the server (such as password based ssh authentication).

First decide on the encryption strength of your key which is determined by algorithm and key size.

An explanation from ssh.com:

  • rsa – an old algorithm based on the difficulty of factoring large numbers. A key size of at least 2048 bits is recommended for RSA; 4096 bits is better. RSA is getting old and significant advances are being made in factoring. Choosing a different algorithm may be advisable. It is quite possible the RSA algorithm will become practically breakable in the foreseeable future. All SSH clients support this algorithm.
  • dsa – an old US government Digital Signature Algorithm. It is based on the difficulty of computing discrete logarithms. A key size of 1024 would normally be used with it. DSA in its original form is no longer recommended.
  • ecdsa – a new Digital Signature Algorithm standarized by the US government, using elliptic curves. This is probably a good algorithm for current applications. Only three key sizes are supported: 256, 384, and 521 (sic!) bits. We would recommend always using it with 521 bits, since the keys are still small and probably more secure than the smaller keys (even though they should be safe as well). Most SSH clients now support this algorithm.
  • ed25519 – this is a new algorithm added in OpenSSH. Support for it in clients is not yet universal. Thus its use in general purpose applications may not yet be advisable.

 

For your client user, run the following in a shell to create a keypair:

ssh-keygen -t [Algorithm] -b [key size]

Let’s create an ecsda key 512 bits in size:

ssh-keygen -t ecdsa -b 521

Follow the prompts.

With or without passphrase?

If you decide to not encrypt it with a passphrase then if someone got a copy of your private key they can use it to gain access to the server. Always encrypt your keys on vulnerable devices such as laptops.

 

Copy ssh public key

If you have password access to the server, you can use ssh-copy-id from the client, for example:

ssh-copy-id -i ~/.ssh/mypublickey user@server

Make sure it’s the public key you are providing. You should never share your private key.

Sending / setting up manually when client don’t have password access

You would need to work with someone who has authorised access to the server such as the administrator. Then you would share your public key via methods such as email / file sharing / download etc.

 

Connecting with key

When default key location

If you are using a key with a default filename then it is simply

ssh user@server

When using a different key (ssh -i file) 

When the key does not have a default name or is in another folder location you will use -i to point to your key. Note that this is your private key

ssh -i /home/user/mysshkey user@server

Verbose output for troubleshooting

Use to verbose option to help troubleshoot any issues

ssh -v -i /home/user/mysshkey user@server

 

Disable Password Authentication

This is optional. Once you are set up with key authentication, you may want to disable all password authentication for security.

To do this, edit your  sshd_config:

PasswordAuthentication no

 

Tags:
Previous OpenSSH Server Hardening
Next Testing your hard drives with SMART – Linux
Table of Contents