Sunday, October 6, 2013

SSH PKA the easy way

This tutorial involves two computers, a client and a server. As you should know, the client connects to the server. You can always add an SSH server to your client machine as well, but we aren't going to worry about that today.

On the client machine:
# cd /home/username
The username needs to be the username you are going to use to connect, and that username must exist on the server machine as well. You can do it other ways, but that is a complication we won't get into today.
# mkdir .ssh
# chmod 700 .ssh/
# cd .ssh
# ssh-keygen -t rsa -b 2048

(Some SSH servers, such as hardware appliances, require DSA; use ssh-keygen -t dsa in those cases.)
Accept the default values and it will put the key pair (id_rsa and id_rsa.pub) in the folder you just created.
# chmod 640 id_rsa.pub
# chmod 600 id_rsa

# nano /etc/ssh/ssh_config
Add the following line (or uncomment it if it already exists):
IdentityFile ~/.ssh/id_rsa
Then use CTRL-O to save and CTRL-X to exit

On the server machine:
Install the SSH server software.
For Ubuntu, use:
# apt-get install openssh-server
For RHEL/CentOS, use:
# yum install openssh-server

Now make the folder and the authorized_keys file on this machine as well.
# cd /home/username
# mkdir .ssh

# chmod 700 .ssh/
# cd .ssh/
# touch authorized_keys
# chmod 740 authorized_keys

Now you need to get the pub file from the client machine over to the server. I will include a command that uses SCP to transfer it over SSH. But in general, you should always think of ways to transfer keys using out-of-band methods, such as email or a USB stick.
# scp username@client.ip.address:/home/username/.ssh/id_rsa.pub /home/username/.ssh/
Replace username with your username and client.ip.address with the IP address of the client machine, or you can use the DNS name as long as your DNS is working. Copy only the .pub file; the private key (id_rsa) stays on the client.

Now that the pub key is transferred, let's lock it down and enable it.
# chmod 640 id_rsa.pub
# cat id_rsa.pub >> authorized_keys
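The server-side key install above (check the file, append it, set the modes) as one shell function, added here as an example and not part of the original post. It assumes POSIX sh and that the target .ssh directory is passed in as an argument so it can be exercised on a temporary directory; is_pubkey_file, install_pubkey and mode_of are hypothetical names, and the key line shown in the comment is a constructed sample, not a real key.

```shell
#!/bin/sh
# Added example: install an OpenSSH public key into a user's authorized_keys
# with the checks a careful admin would want. Not from the original post.

# Return 0 if the file holds an OpenSSH one-line public key and nothing that
# looks like a private key (a common mistake when copying "the key over").
is_pubkey_file() {
    f="$1"
    [ -f "$f" ] || return 1
    if grep -q 'PRIVATE KEY' "$f"; then
        return 1
    fi
    # key type, base64 blob (optionally padded), optional comment
    # e.g. (constructed) "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedKEY user@client"
    grep -Eq '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/]+=* ?.*$' "$f"
}

# install_pubkey PUBFILE SSHDIR
# Appends the key to SSHDIR/authorized_keys unless it is already there, and
# sets the modes sshd's StrictModes check accepts (700 dir, 600 file).
install_pubkey() {
    pub="$1"
    sshdir="$2"
    is_pubkey_file "$pub" || { echo "refusing: $pub is not a public key" >&2; return 1; }
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    auth="$sshdir/authorized_keys"
    touch "$auth"
    chmod 600 "$auth"
    key="$(head -n 1 "$pub")"
    # -F fixed string, -x whole line: re-running the script does not duplicate the key
    if ! grep -Fxq -- "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
}

# Mode string as ls prints it (e.g. drwx------); portable across GNU and BSD.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Usage when run directly: install_pubkey.sh /path/to/id_rsa.pub /home/username/.ssh
if [ "$#" -eq 2 ]; then
    install_pubkey "$1" "$2"
fi
```

Note that the function refuses a private key outright and is idempotent, so it is safe to run again after a failed first attempt.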
# nano /etc/ssh/sshd_config

Adjust the port and other settings after you get the SSH server working. For now, let's just get the keys working. Look for the settings below, uncomment them and change the values as needed. The settings below are how they should be.
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys
Now use CTRL-O to save and CTRL-X to exit

Restart the server. For RHEL, use:
# service sshd restart
For Ubuntu, use (the init script is named ssh, not sshd):
# /etc/init.d/ssh restart

Now go back to your client machine and test:
# ssh ServerMachineIP
Replace ServerMachineIP with the IP of the server machine. If you are using the same username on both machines, you don't need to specify a username; ssh assumes the username you are logged in as on the client.

If it works, you should be taken directly to a new shell with the

username@client:~$ ssh serverName
Last login: Sat Oct  5 15:45:53 2013 from
[username@serverName ~]$ 

If something goes wrong, use the logs to find out what the client and server are complaining about.

From the client machine, use:
# ssh -vvv ServerMachineIP 

From the server machine, run a tail on the logs:
# tail -f /var/log/secure
In most cases, secure is the log you need. But if not, just google it.
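A small triage helper for the server-side log, added here as an example and not part of the original post. It summarizes sshd's "Accepted"/"Failed" lines per user and method, and also picks out the "bad ownership or modes" message sshd logs when the permissions set above are wrong. The log lines are constructed samples in the format sshd writes; auth_summary, count_auth and write_sample_log are hypothetical names.

```shell
#!/bin/sh
# Added example: summarize sshd authentication events from /var/log/secure.
# Not from the original post; sample log lines below are constructed.

# Write a constructed sample of sshd log lines to the given path.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct  5 15:45:53 serverName sshd[1234]: Accepted publickey for username from 192.0.2.10 port 51234 ssh2
Oct  5 15:46:10 serverName sshd[1240]: Failed publickey for Robert from 192.0.2.10 port 51240 ssh2
Oct  5 15:46:30 serverName sshd[1245]: Accepted password for Robert from 192.0.2.10 port 51241 ssh2
Oct  5 15:47:02 serverName sshd[1250]: Authentication refused: bad ownership or modes for directory /home/Robert/.ssh
Oct  5 15:47:05 serverName sshd[1251]: Accepted publickey for username from 192.0.2.10 port 51250 ssh2
EOF
}

# auth_summary LOGFILE
# Prints "<Accepted|Failed> <method> <user> <count>" lines, plus
# "Refused badmodes <dir> <count>" for the StrictModes permission error.
auth_summary() {
    awk '
        /sshd\[[0-9]+\]: (Accepted|Failed) (publickey|password) for / {
            # $6 = Accepted/Failed, $7 = method, $9 = user
            n[$6 " " $7 " " $9]++
        }
        /Authentication refused: bad ownership or modes/ {
            n["Refused badmodes " $NF]++
        }
        END { for (k in n) print k, n[k] }
    ' "$1" | sort
}

# count_auth STATUS METHOD USER LOGFILE -> number of matching events (0 if none)
count_auth() {
    auth_summary "$4" | awk -v k="$1 $2 $3" '
        ($1 " " $2 " " $3) == k { print $4; f = 1 }
        END { if (!f) print 0 }
    '
}

# Usage when run directly: auth_summary.sh /var/log/secure
if [ "$#" -eq 1 ]; then
    auth_summary "$1"
fi
```

Run it against the live log with `tail -f /var/log/secure | awk ...` if you want it continuous; the point of the per-user breakdown is that a "Failed publickey" followed by "Accepted password" for the same user tells you the key was never used, and a "bad ownership or modes" line points straight at the chmod steps above. On Debian and Ubuntu the same messages land in /var/log/auth.log rather than /var/log/secure.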

If you want to connect to a different user account, all you need to do is:
- On the server machine: do the server machine steps above, but instead of going to the /home/username folder, go to the home folder of the user you wish to log in as, e.g. /home/Robert.
- On the client machine: just specify the username when you connect:
# ssh Robert@serverMachineIP

You CAN place the keys in the /root/.ssh folder and connect to the server as root. But you will need to make sure the sshd_config file is set to allow login as root. In general, it's best to log in via SSH with a normal account, then use the su - command (switch user) to switch to the root account.
PermitRootLogin yes
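A quick check of the sshd_config keywords this post touches (PubkeyAuthentication, AuthorizedKeysFile, PermitRootLogin), added here as an example and not part of the original post. It reads the file the way sshd does: comments and blank lines are ignored, keywords are case-insensitive, and the first occurrence of a keyword wins, so a stray uncommented "PermitRootLogin yes" above your "no" is the one in effect. sshd_setting and audit_sshd_config are hypothetical names and the config fragments in the test are constructed. (RSAAuthentication from the list above only applies to SSH protocol 1 and has been removed from current OpenSSH; PubkeyAuthentication is the one that matters.)

```shell
#!/bin/sh
# Added example: read sshd_config the way sshd does and flag the two settings
# the post cares about. Not from the original post.

# sshd_setting KEYWORD FILE -> value of the first active occurrence, or nothing
sshd_setting() {
    k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
    awk -v k="$k" '
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        tolower($1) == k { print $2; exit } # first match wins, as in sshd
    ' "$2"
}

# audit_sshd_config FILE -> 0 if key auth is on and direct root login is off
audit_sshd_config() {
    f="$1"
    rc=0
    pk="$(sshd_setting PubkeyAuthentication "$f")"
    # absent means the OpenSSH default, which is yes
    if [ -n "$pk" ] && [ "$pk" != "yes" ]; then
        echo "PubkeyAuthentication is '$pk'; keys will not be accepted"
        rc=1
    fi
    case "$(sshd_setting PermitRootLogin "$f")" in
        yes)
            echo "PermitRootLogin yes: root can log in directly over SSH"
            rc=1 ;;
        "")
            echo "PermitRootLogin not set; the OpenSSH default applies (yes in older releases), set it explicitly"
            rc=1 ;;
    esac
    echo "AuthorizedKeysFile: ${AKF:-$(sshd_setting AuthorizedKeysFile "$f")}"
    return $rc
}

# Usage when run directly: audit_sshd_config.sh /etc/ssh/sshd_config
if [ "$#" -eq 1 ]; then
    audit_sshd_config "$1"
fi
```

Run it before and after you edit sshd_config; if it passes but a login still fails, `sshd -t` on the server will tell you whether the file parses at all.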
