Solving IT problems and building solutions

  • Wednesday, November 7, 2012

    How To Create and Install SSH Keys on the Shell


    SH keys offer a highly secure manner of logging into a server with SSH as against mere dependence on a password. While a password stands the risk of being finally cracked, SSH keys are rather impossible to decipher using brute force. As a matter of fact, generating a key pair offers users two lengthy strings of characters corresponding to a public as well as a private key. Users can, thus, place the public key on any server, and subsequently unlock the same by connecting to it with a client that already possesses the private key. Upon matching up of the two keys, the system unlocks without any irksome dependence on a password. The security may be further smartly firewalled by guarding the private key with a passphrase.

    1.2 Installation of SSH Keys on Linux-A Step-By Step Guide

    Outlined below is a step-by-step guide detailing the process of installing SSH Keys on a Linux server:

    Step One-Creation of the RSA Key Pair

    The first step in the installation process is to create the key pair on the client machine, which would, more often than not, be your own system. Users need to use the following command:
    ssh-keygen -t rsa
    The above command kicks off the SSH Key installation process for users.

    Step Two-Storing the Keys and Passphrasing

    Upon entering the primary Gen Key command, users need to go through the following drill by answering the following prompts:
    Enter the file where you wish to save the key (/home/demo/.ssh/id_rsa)
    Users need to press ENTER in order to save the file to the user home
    The next prompt would read as follows:
    Enter passphrase
    If, as an administrator, you wish to assign the passphrase, you may do so when prompted (as per the question above), though this is optional, and you may leave the field vacant in case you do not wish to assign a passphrase.
    However, it is pertinent to note there that keying in a unique passphrase does offer a bevy of benefits listed below:
    1. The security of a key, even when highly encrypted, depends largely on its invisibility to any other party. I 2. In the likely instance of a passphrase-secure private key falling into the custody of an unauthorized user, they will be rendered unable to log in to its allied accounts until they can crack the passphrase. This invariably gives the victim (the hacked user) precious extra time to avert the hacking bid On the downside, assigning a passphrase to the key requires you to key it in every time you make use of the Key Pair, which makes the process a tad tedious, nonetheless absolutely failsafe.
    Here is a broad outline of the end-to-end key generation process:
    root@server1:~# ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    38:16:50:fe:8d:da:02:bb:46:1b:66:0c:10:8e:81:2d root@server1.example.com
    The key's randomart image is:
    +--[ RSA 2048]----+
    |+o ... |
    |E.. o |
    |.+ o |
    | . + o |
    | o. + S . |
    | *+ + |
    | +.oo . |
    | o. . |
    | .. |
    +-----------------+
    The public key can now be traced to the link ~/.ssh/id_rsa.pub
    The private key (identification) can now be traced to the link-/home/demo/.ssh/id_rsa 3

    Step Three-Copying the Public Key

    Once the distinct key pair has been generated, the next step remains to place the public key on the virtual server that we intend to use. Users would be able to copy the public key into the authorized_keys file of the new machine using the ssh-copy-id command. Given below is the prescribed format (strictly an example) for keying in the username and IP address, and must be replaced with actual system values:
    As an alternative, users may paste the keys by using SSH (as per the given command):
    cat ~/.ssh/id_rsa.pub | ssh user@192.168.0.100 "cat >> ~/.ssh/authorized_keys"
    Either of the above commands, when used, shall toss the following message on your system:
    The authenticity of host '192.168.0.100 ' can't be established. RSA key fingerprint is b1:2d:32:67:ce:35:4d:5f:13:a8:cd:c0:c4:48:86:12. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.0.100' (RSA) to the list of known hosts. user@192.168.0.100's password: Now try logging into the machine, with "ssh 'user@192.168.0.100'", and check in: ~/.ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting.
    After the above drill, users are ready to go ahead and log into user@192.168.0.100 without being prompted for a password. However, if you have earlier assigned a passphrase to the key (as per Step 2 above), you will be prompted to enter the passphrase at this point (and each time for subsequent log-ins.).

    Step Four (This Step is Optional)-Disabling the Password to Facilitate Root Login

    After users have copied their SSH keys unto your server and ensured seamless log-in with the SSH keys only, they have the option to restrict the root login, and permit the same only through SSH keys. To accomplish this, users need to access the SSH configuration file using the following command:
    sudo nano /etc/ssh/sshd_config
    Once the file is accessed, users need to find the line within the file that includes PermitRootLogin , and modify the same to ensure a foolproof connection using the SSH key. The following command shall help you do that:
    PermitRootLogin without-password
    The last step in the process remains to implement the changes by using the following command:
    reload ssh
    The above completes the process of installing SSH keys on the Linux server.

    Conclusion

    The above steps shall help you install SSH keys on any virtual private server in a completely safe, secure and hassle-free manner.

    No comments:

    Post a Comment