Old 04-24-2005, 02:00 AM   #1
houler
Member
 
Registered: Mar 2005
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Posts: 166

Rep: Reputation: 30
Question Step-by-step instructions setting up RSA Authentication for SSH?


OS: Slackware 10.1
Kernel: 2.6.11.7
Openssh 3.9p1


I read the long thread on "SSH login attempts" up top, but I still don't know how to set up RSA Authentication for SSH. The thread wasn't clear enough for me to understand. One person would say do it this way, another person would say do it that way. Well, I'm all confused now. I'm looking for one way (preferably the easiest), and when I do it that 'one way' it'll work right off the bat.

I tried setting it up a couple of times, but with no success. So I decided to start from scratch and now here I am.

Assuming I just downloaded the newest version of OpenSSH, how would one successfully set up RSA Authentication for SSH?

This thread could also help the rest of the people that want to set up RSA Authentication.


--EDIT--

On the Server side, then on the client side.

Last edited by houler; 04-24-2005 at 01:50 PM.
 
Old 04-24-2005, 03:18 AM   #2
Artanicus
Member
 
Registered: Jan 2005
Location: Finland
Distribution: Ubuntu, Debian, Gentoo, Slackware
Posts: 827

Rep: Reputation: 31
in a nutshell, all it takes is:

enable RSA authentication in sshd_config, disable cleartext passwds

Then create yourself a key to use:
ssh-keygen -t rsa
will guide you thru that. When you have the key generated, cp the id_rsa.pub to your ~/.ssh/authorized_keys
And take the id_rsa to every machine you need to log in from. Only when providing it upon connect will you be allowed access. Use it with OpenSSH via the -i switch, and from Windows machines, you must convert your OpenSSH key via PuTTYgen's importer, then use the converted key with PuTTY.

That's as simple as I can make it, hope this helps.
 
Old 04-24-2005, 01:49 PM   #3
houler
Member
 
Registered: Mar 2005
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Posts: 166

Original Poster
Rep: Reputation: 30
...

Thanks for your reply. I'll try it in a few.

Ok, just to add:

I want to replace password authentication with RSA authentication on my SSHD server.

How would I go about doing that (server side and client side)?


"disable cleartext passwds"

I hope that means changing:


# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication NO?

Last edited by houler; 04-24-2005 at 02:13 PM.
 
Old 04-24-2005, 02:27 PM   #4
houler
Member
 
Registered: Mar 2005
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Posts: 166

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by Artanicus
in a nutshell, all it takes is:

enable RSA authentication in sshd_config, disable cleartext passwds

Then create yourself a key to use:
ssh-keygen -t rsa
will guide you thru that. When you have the key generated, cp the id_rsa.pub to your ~/.ssh/authorized_keys
And take the id_rsa to every machine you need to log in from. Only when providing it upon connect will you be allowed access. Use it with OpenSSH via the -i switch, and from Windows machines, you must convert your OpenSSH key via PuTTYgen's importer, then use the converted key with PuTTY.

That's as simple as I can make it, hope this helps.
"cp the id_rsa.pub to your ~/.ssh/authorized_key"

I'm in /root

I did 'ssh-keygen -t rsa'

then I copied irc_rsa.pub to /root/.ssh/authorized_keys, is authorized_keys a folder? or a file?
 
Old 04-24-2005, 02:27 PM   #5
Artanicus
Member
 
Registered: Jan 2005
Location: Finland
Distribution: Ubuntu, Debian, Gentoo, Slackware
Posts: 827

Rep: Reputation: 31
"PasswordAuthentication no" is indeed the way to go.
"PubkeyAuthentication yes" is the actual way to allow key-based authentication.

Client side, there isn't much to change if you're using OpenSSH's client. If you have the keyfile in your ~/.ssh/id_rsa then you need not do anything differently than before. If you have it elsewhere or under another name, you need to supply it with the -i parameter.
 
Old 04-24-2005, 02:29 PM   #6
Artanicus
Member
 
Registered: Jan 2005
Location: Finland
Distribution: Ubuntu, Debian, Gentoo, Slackware
Posts: 827

Rep: Reputation: 31
Quote:
Originally posted by houler
"cp the id_rsa.pub to your ~/.ssh/authorized_key"

I'm in /root

I did 'ssh-keygen -t rsa'

then I copied irc_rsa.pub to /root/.ssh/authorized_keys, is authorized_keys a folder? or a file?
It's a file. The key itself should be on one single line in the file. You can have multiple keys on multiple lines btw.
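
Added example, not part of the original posts: a shell check for what posts #2, #5 and #6 set up, namely the two sshd_config keywords and an authorized_keys file with one key per line. The function names and sample files are made up for illustration, and `Match` blocks in sshd_config are not handled.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Value sshd would use for KEYWORD: first uncommented occurrence wins,
# keywords are case-insensitive. Match blocks are not handled.
setting() {  # setting FILE KEYWORD DEFAULT
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    echo "${v:-$3}"
}

# Succeeds only when password logins are off and public-key logins are on.
check_sshd_config() {
    [ "$(setting "$1" PasswordAuthentication yes)" = "no" ] &&
    [ "$(setting "$1" PubkeyAuthentication yes)" = "yes" ]
}

# Print line numbers that do not hold one complete key ("type base64 ...",
# optionally preceded by options). Comments and blank lines are skipped.
bad_key_lines() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         { ok = 0
           for (i = 1; i < NF; i++)
               if ($i ~ /^(ssh-|ecdsa-sha2-)/ && $(i + 1) ~ /^AAAA/) ok = 1
           if (!ok) print NR }' "$1"
}

# authorized_keys must be a regular file, not writable by group or others,
# with every key on a single line.
check_authorized_keys() {
    [ -f "$1" ] || { echo "$1: not a regular file"; return 1; }
    case "$(ls -ld "$1" | cut -c6,9)" in
        *w*) echo "$1: writable by group or others"; return 1 ;;
    esac
    bad=$(bad_key_lines "$1")
    [ -z "$bad" ] || { echo "$1: no complete key on line(s) $bad"; return 1; }
}

# Constructed sample input: not a real config and not a real key.
demo=$(mktemp -d)
printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' > "$demo/sshd_config"
# One key wrongly wrapped onto two lines, as a bad copy/paste would leave it.
printf '%s\n' 'ssh-rsa AAAAB3Nzconstructed' 'restofkey houler@client' \
    > "$demo/authorized_keys"
chmod 600 "$demo/authorized_keys"
check_sshd_config "$demo/sshd_config" && echo "sshd_config: key-only logins"
check_authorized_keys "$demo/authorized_keys" || echo "authorized_keys needs fixing"
rm -rf "$demo"
```

On a real server the two arguments would be /etc/ssh/sshd_config and the account's ~/.ssh/authorized_keys.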
 
Old 04-24-2005, 02:31 PM   #7
houler
Member
 
Registered: Mar 2005
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Posts: 166

Original Poster
Rep: Reputation: 30
Yay, it works! Thank you for the how-to. Greatly appreciated.
 
Old 04-24-2005, 02:38 PM   #8
houler
Member
 
Registered: Mar 2005
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Posts: 166

Original Poster
Rep: Reputation: 30
Also, is there a way to automatically log in to the SSHD server without using the '-i' switch and entering the passphrase every time?

like what if the passphrase was pretty long?

Last edited by houler; 04-24-2005 at 02:39 PM.
 
Old 04-24-2005, 02:43 PM   #9
Artanicus
Member
 
Registered: Jan 2005
Location: Finland
Distribution: Ubuntu, Debian, Gentoo, Slackware
Posts: 827

Rep: Reputation: 31
Well, you could always alias the command to shorten it.

The passphrase can be empty, but it's not advisable. I've had some empty-keyed limited keys for automated file transfer, so sometimes it's useful.

Do note, you can't change the passphrase. You'll have to generate a new key if you want to change any of the details.
 
Old 04-24-2005, 02:47 PM   #10
houler
Member
 
Registered: Mar 2005
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Posts: 166

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by Artanicus
Well, you could always alias the command to shorten it.

The passphrase can be empty, but it's not advisable. I've had some empty-keyed limited keys for automated file transfer, so sometimes it's useful.

Do note, you can't change the passphrase. You'll have to generate a new key if you want to change any of the details.
Alias the command, that sounds nice. Can you share an example?

like what if the passphrase was 'houler'.

nevermind.

Last edited by houler; 04-25-2005 at 12:23 AM.
 
Old 04-24-2005, 04:45 PM   #11
maxque
LQ Newbie
 
Registered: Apr 2005
Location: Vancouver
Distribution: Debian
Posts: 28

Rep: Reputation: 15
This thread explains how to use ssh-keygen to create a key for yourself. But does not your machine itself have a key which can be copied to other machines on your network so that the Linux server/clients can all recognize each other as trusted computers?

The ssh man file reads about /etc/ssh/ssh_known_hosts

Quote:
Systemwide list of known host keys. This file should be prepared
by the system administrator to contain the public host keys of
all machines in the organization.
How does the system administrator create the keys for each computer?

maxque
 
Old 04-25-2005, 12:22 AM   #12
houler
Member
 
Registered: Mar 2005
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Posts: 166

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by maxque
This thread explains how to use ssh-keygen to create a key for yourself. But does not your machine itself have a key which can be copied to other machines on your network so that the Linux server/clients can all recognize each other as trusted computers?

The ssh man file reads about /etc/ssh/ssh_known_hosts



How does the system administrator create the keys for each computer?

maxque
Once you generate the priv. key, you can send it to other computers so other computers can connect to the sshd server using that (the one that was generated on the sshd server) key/passphrase.

You can also generate keys for different users. (If I'm user houler, I can generate my own key, so I can log in to my own account with that key instead of using the login/password scheme.)

Last edited by houler; 04-25-2005 at 12:24 AM.
 
Old 04-25-2005, 12:23 AM   #13
houler
Member
 
Registered: Mar 2005
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Posts: 166

Original Poster
Rep: Reputation: 30
I did a Google search and I found out that you can use ssh-agent to manage the passphrases. But the thing is that once the shell that the ssh-agent is on has quit, the passphrases will be forgotten until the next ssh-agent session?

Also,

I found a more convenient way which used keychain with ssh-agent but...

My source: http://www.cs.utah.edu/support/faq/faq-ssh.html


How do I circumvent this to make it a bit more permanent?

So that when i restart the computer, I still don't have to type in my passphrase?

Last edited by houler; 04-25-2005 at 12:25 AM.
 
Old 04-25-2005, 01:49 AM   #14
Artanicus
Member
 
Registered: Jan 2005
Location: Finland
Distribution: Ubuntu, Debian, Gentoo, Slackware
Posts: 827

Rep: Reputation: 31
If you want easier access, create a passphraseless key instead. Just hit enter when it asks for a pass.
 
Old 04-25-2005, 12:26 PM   #15
maxque
LQ Newbie
 
Registered: Apr 2005
Location: Vancouver
Distribution: Debian
Posts: 28

Rep: Reputation: 15
Quote:
Originally posted by maxque
How does the system administrator create the keys for each computer?

maxque
Just after I posted this I found this very old page. The path names are for another operating system; however, the information is what I was looking for: NCSA OpenSSH Installation Guide.

New version 1 keys:

Code:
  # ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
  # chmod 600 /etc/ssh/ssh_host_key
  # chmod 644 /etc/ssh/ssh_host_key.pub
Version 2 keys:

Code:
  # ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
  # ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
  # chmod 600 /etc/ssh/ssh_host_dsa_key
  # chmod 600 /etc/ssh/ssh_host_rsa_key
  # chmod 644 /etc/ssh/ssh_host_dsa_key.pub
  # chmod 644 /etc/ssh/ssh_host_rsa_key.pub
Those are machine-specific keys, not user-specific. Like the man file says, you generate a set of these for each machine on your network and the ssh_host_key becomes a known_hosts entry for each computer on the network.

Watch the path names, they are different for Linux than on the NCSA site.

maxque
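
Added example, not part of maxque's post: once each machine has its version 2 host keys, the public halves can be collected and turned into the system-wide ssh_known_hosts list that the quoted man page text describes. The directory layout (one `<hostname>.pub` file per machine) and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout, hypothetical:
# DIR/<hostname>.pub is a copy of that machine's ssh_host_rsa_key.pub or
# ssh_host_dsa_key.pub (version 2 keys only; rsa1 files use another format).

# known_hosts_line HOSTNAME PUBFILE -> "hostname keytype base64"
known_hosts_line() {
    # Only public halves belong in ssh_known_hosts; a PEM header means
    # someone collected the private host key by mistake.
    if grep -q -- '-----BEGIN' "$2"; then
        echo "$2: looks like a private key, refusing" >&2
        return 1
    fi
    awk -v h="$1" '$1 ~ /^(ssh-|ecdsa-sha2-)/ && $2 ~ /^AAAA/ {
                       print h, $1, $2; found = 1; exit }
                   END { exit !found }' "$2"
}

# build_known_hosts DIR -> sorted entries on stdout; fails on any bad file
build_known_hosts() {
    out=""
    for f in "$1"/*.pub; do
        [ -f "$f" ] || continue
        line=$(known_hosts_line "$(basename "$f" .pub)" "$f") || return 1
        out="$out$line
"
    done
    printf '%s' "$out" | sort
}

# Constructed sample input: placeholder key material, not real host keys.
demo=$(mktemp -d)
echo 'ssh-rsa AAAAB3constructedB root@web' > "$demo/web.pub"
echo 'ssh-dss AAAAB3constructedA root@db' > "$demo/db.pub"
build_known_hosts "$demo"      # output goes into /etc/ssh/ssh_known_hosts
rm -rf "$demo"
```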
 
  

