Thursday, March 29, 2012

Set up SSH Server to use Keys - (Leave passwords behind)


For those familiar with *nix environments such as Solaris, GNU/Linux, HP-UX or AIX, Secure Shell (SSH) is the protocol used to get a remote shell.
So far that is no different from Telnet, right? Nevertheless it is quite different. Why? Because SSH encrypts the whole session and ensures that no one [in theory] can eavesdrop on the connection.
With that said, let's move just one step forward. Imagine that you are able to log in to the system without entering your password, while increasing security through an asymmetric encryption key as well.
What is an asymmetric key? It is an encryption method that uses two keys: a private one, which is the one you have to keep secure, and a public one, which you can share freely without compromising your identity.
I will touch on encryption topics later on, but this is all you need to move forward and get your SSH server configured to accept logins with asymmetric keys.
Before moving to the configuration section I want to highlight that this configuration works on almost every *nix platform; nevertheless I would recommend reading your OS or distribution documentation and, once ready, backing up your configuration file just in case.
Also, throughout the text, please note that the $ symbol represents the system shell prompt and is not something you have to type into your system.


1) SSH Key Generation.
The first step is to create the SSH keys. If you already have a pair you can use it; however, I would like to ensure that everyone knows how to create a new set of SSH keys. To accomplish that task, run the following command on your local machine.


$ ssh-keygen -t dsa -f ~/.ssh/id_dsa  


Once you enter this command you will be asked for a passphrase for the private key. You can type any phrase you want. Please remember that although the command allows you to skip the passphrase, it is strongly recommended that you set one, so please do not forget to enter your phrase.
Once the previous step is complete, the generated keys will be id_dsa (private key) and id_dsa.pub (public key); both will be stored in your home directory under ~/.ssh/.


2) Copy your Public key to the server 


To move forward, and as I stated before, you can share your public key with anyone; to establish the SSH connection we need to copy this file to the server. To do that, run the following command from your local machine.


$ scp ~/.ssh/id_dsa.pub user@server.com:~/.ssh/authorized_keys


If you get an error that the .ssh directory does not exist, log in to the server and create the directory, or establish an SSH connection from that server to another system, which will create the folder automatically on your behalf.


An important step that you must not forget is to restrict the permissions on the contents of the .ssh directory on both the server and your local machine. To accomplish that task, run the following command on both systems.


$ chmod 0600 ~/.ssh/*


This grants read and write permission on those files to their owner only.

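The two steps above (copying the public key, then fixing permissions) can go wrong in the ways the post mentions: ~/.ssh may not exist yet, and the scp command overwrites any authorized_keys that is already there. The following script is an added example, not code from the original post; the function names, the throwaway HOME directory and the key lines in it are constructed for the demo and are not real keys.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into a
# target home directory the way the scp step intends, but creating ~/.ssh if
# it is missing, appending to authorized_keys instead of overwriting it, and
# setting the permissions sshd expects. All names here are this example's own.
set -eu

# Install the public key file $2 into $1/.ssh/authorized_keys.
install_pubkey() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth="$ssh_dir/authorized_keys"

    # The scp command in the post fails when ~/.ssh does not exist; create it
    # with owner-only access so sshd does not reject it as too permissive.
    mkdir -p "$ssh_dir"
    chmod 0700 "$ssh_dir"

    # Append the key only if this exact line is not already present, so
    # re-running the script neither duplicates it nor clobbers other keys.
    touch "$auth"
    line=$(cat "$pubkey")
    if ! grep -qxF -- "$line" "$auth"; then
        printf '%s\n' "$line" >> "$auth"
    fi
    chmod 0600 "$auth"
}

# Permission string of a path as ls prints it (portable across Linux/BSD).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Constructed demo: a throwaway HOME that already holds one (fake) key,
# then the new (fake) key installed twice. Neither line is real key material.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/.ssh"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADconstructed== other@host\n' > "$demo_home/.ssh/authorized_keys"
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBconstructed== user@laptop\n' > "$demo_home/id_dsa.pub"
install_pubkey "$demo_home" "$demo_home/id_dsa.pub"
install_pubkey "$demo_home" "$demo_home/id_dsa.pub"   # second run must be a no-op
```

On a real server you would run the function against the user's actual home directory after copying the .pub file over; the point of the 0700/0600 modes is that sshd silently ignores an authorized_keys file that is group- or world-writable, which shows up as an unexpected password prompt rather than an error.
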

3) Create an authorized group


So, let's say you want to create one [or several] groups that will have access to the system through SSH keys. To do that, run the following command:


$ groupadd staff


Now you can use the usermod command to add the users you want to be part of that group.


$ usermod -a -G staff user


4) Finally, the SSH server configuration file


So we come to the most important step. As I mentioned before, please back up your sshd_config file; you can use the cp command to copy an instance of that file into your home directory in case any problem comes up.


Although the sshd_config file contains a lot of possible configuration items, I will just highlight those that you have to ensure are set as stated below. To do that, and after copying your sshd_config file to a safe place, edit the /etc/ssh/sshd_config file with a text editor (e.g. vi, vim, gedit, etc.) and ensure that the following configuration items are set as follows:


Port 22
Protocol 2
AddressFamily inet
HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin no
MaxAuthTries 1
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
RSAAuthentication no
PasswordAuthentication no
UsePAM no
KerberosAuthentication no
GSSAPIAuthentication no
AllowGroups staff


I will just highlight the most important items:


HostKey /etc/ssh/ssh_host_dsa_key
| Uncomment or add this line so the server presents its DSA key's fingerprint when a client tries to authenticate. |


PermitRootLogin no
| Disable root login: uncomment this line and set the option to "no". With that you will prevent remote root login. |


PubkeyAuthentication yes
| With this option we enable authentication through SSH keys. |


PasswordAuthentication no
| It is important to set this option to "no" in order to disable password authentication; otherwise you will allow login through both keys and passwords. |


AllowGroups staff
| Finally, with this option we state that this group is the only one that can connect to the server; any user not listed in this group will not be allowed to connect remotely to the system through SSH. |

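Before restarting the service it is worth checking the edited file mechanically rather than by eye, because a keyword left commented out, or a second copy of it earlier in the file, silently keeps the compiled-in default. The script below is an added example and not part of the original post; the function names and the two sample configuration files are constructed for it. Its expected values are the ones listed above, plus ChallengeResponseAuthentication, which the post's list does not include: in OpenSSH it is a separate keyboard-interactive login path that defaults to yes and can still prompt for a password even with PasswordAuthentication no.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config file for
# the settings the post asks for before restarting sshd. The function names
# and the two constructed sample files below are this example's own.
set -eu

# First uncommented value of keyword $2 in file $1. sshd uses the first
# occurrence of a keyword, so a later duplicate line would be ignored anyway.
config_value() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                      # skip comment lines
        NF >= 2 && tolower($1) == kw { print $2; exit }
    ' "$1"
}

# Keyword/value pairs the post requires, plus ChallengeResponseAuthentication,
# which is not in the post's list but defaults to yes and can still prompt for
# a password through the keyboard-interactive method.
EXPECTED='Protocol 2
PermitRootLogin no
MaxAuthTries 1
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
KerberosAuthentication no
GSSAPIAuthentication no
AllowGroups staff'

# Compare file $1 against EXPECTED; print each mismatch and return the number
# of mismatches, so 0 means the file is as the post requires. A keyword that
# is missing or commented out counts as a mismatch because sshd then falls
# back to its compiled-in default (for PasswordAuthentication that is yes).
audit_sshd_config() {
    bad=0
    while read -r kw want; do
        got=$(config_value "$1" "$kw" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $kw is '${got:-<unset>}', expected '$want'"
            bad=$((bad + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$bad"
}

# Constructed sample 1: the file as the post wants it.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 22
Protocol 2
AddressFamily inet
HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin no
MaxAuthTries 1
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
RSAAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
KerberosAuthentication no
GSSAPIAuthentication no
AllowGroups staff
EOF

# Constructed sample 2: a stock-looking file where the root-login line is
# still commented out and passwords are still accepted (two mismatches).
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
Protocol 2
#PermitRootLogin yes
MaxAuthTries 1
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM no
KerberosAuthentication no
GSSAPIAuthentication no
AllowGroups staff
EOF
```

To use it on a real host, call audit_sshd_config /etc/ssh/sshd_config and then run sshd -t as root, which checks the file for syntax errors without restarting the daemon; a broken sshd_config discovered only after the restart can lock you out of a remote machine.
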

5) Restart the SSH service.


Now, to test your new configuration, you have to restart the SSH service; to accomplish that task follow the proper method for your OS.


On some Linux systems you go directly to the /etc/init.d directory and, with root privileges, run the ./sshd restart command.
On other Unix flavors you use a service command. Please refer to your OS documentation.


6) And now, am I in?


So let's test your new configuration: just connect through SSH as you used to, and instead of getting a password prompt you should land directly in the shell.


$ ssh user@server.com


http://www.zenovations.com/manual/images/2/28/Ssh-login-final.gif