The Internet is full of manuals on how to configure SSH key-based authentication on a Linux server. Every time we have to do this, we search for additional information, because we always forget some nuances. So this time we decided to write an instruction for ourselves and for everyone else, with a small addition we have never seen elsewhere: logging of key fingerprints.
To connect via SSH, you can use a login+password pair or a login+certificate pair. By configuring SSH key-based authentication, you will not only improve the security of the server but also simplify your life a little. Instead of passwords, which are easy to intercept with keyloggers, we will use RSA keys. A key length of 2048 bits is sufficient for a good level of security. It is desirable to store the private key on an encrypted volume.
Create SSH keys for Putty
To connect via SSH to a Linux server from a computer running Windows, we prefer the PuTTY client. One of the utilities supplied with PuTTY is puttygen, which can be used to generate RSA and DSA keys.
Download the utility from the official website and run it.
In the PuTTY Key Generator window click the Generate button and move the mouse a little until it generates a key pair: public and private.
| Control | Description |
|---|---|
| Key passphrase | You can set a password for the private key. |
| Save public key | Button to save the public key to a file. It is placed on the remote server. |
| Save private key | Button to save the private key to a file. The key is stored on the client and used to connect to the remote server. |
| SSH-2 RSA 2048 | Key type and length. The default values (SSH-2 RSA) are suitable for our task. |
The key format that puttygen generates is not suitable for OpenSSH, which runs on our server, so copy the contents of the public key from the puttygen window (we have highlighted this key on the screenshot). That is the text you need to paste on the server. Also save the key in OpenSSH format, as well as the other two, using the Save key buttons.
Setting up SSH on Linux server for authentication using certificates
In most Linux distributions we know, authentication using certificates is already configured. To verify this, open the SSH server's configuration file (/etc/ssh/sshd_config) and uncomment or add these lines:
HostKey /etc/ssh/ssh_host_dsa_key
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Restart SSH server using command:
# /etc/init.d/sshd restart
Then you need to create the file that holds the certificate on the server:
# mkdir ~/.ssh
# chmod 0700 ~/.ssh
# touch ~/.ssh/authorized_keys
# chmod 0644 ~/.ssh/authorized_keys
Into the authorized_keys file paste the key copied from the puttygen window. Save the file and try to connect with the certificate. The certificate must be specified in PuTTY under Connection -> SSH -> Auth: click the Browse button and select the private key saved earlier (with the .ppk extension).
We remind you that we saved the public key to the server. This key can be used on multiple servers, so there is no need to generate a new key pair for each server: the same key can be reused.
Now you can connect to your server; there is no need to restart the sshd service after adding the key.
Just input user name (root in our case).
The presence of the line "Authenticating with public key "rsa-key-20161228"" indicates that you have successfully authenticated using the RSA key.
Logging SSH connections with certificate
As a rule, the administrator must know when, and with which certificate, a connection to the server was made. By default this information is often not saved in the logs. The only exception we have noticed is CentOS 7: there, with the default settings and the sshd logging level INFO, the key fingerprint is written to the log file (# cat /var/log/secure).
If you do not have the key information in the log file, you can fix it in a very simple way. In the file /etc/ssh/sshd_config change the setting:
and restart sshd service:
# /etc/init.d/sshd restart
Try to connect to the server over ssh again using the certificate and check the log:
# cat /var/log/secure
Dec 28 15:49:17 server sshd: Connection from 192.168.1.11 port 60162
Dec 28 15:49:19 server sshd: Found matching RSA key: 3b:7b:2e:04:39:11:bf:5a:8f:ed:54:69:6d:24:cd:e6
Dec 28 15:49:19 server sshd: Postponed publickey for root from 192.168.1.11 port 60162 ssh2 [preauth]
Dec 28 15:49:19 server sshd: Found matching RSA key: 3b:7b:2e:04:39:11:bf:5a:8f:ed:54:69:6d:24:cd:e6
Dec 28 15:49:19 server sshd: Accepted publickey for root from 192.168.1.11 port 60162 ssh2
Dec 28 15:49:19 server sshd: pam_unix(sshd:session): session opened for user root by (uid=0)
Now the log shows the fingerprint of the certificate used to connect, and we will be able to identify the user.
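To actually turn a logged fingerprint into a user, the fingerprint has to be matched against the entries in authorized_keys. The following Python script is an added example, not part of the original post: it computes the MD5 fingerprint (the colon-hex form sshd writes in the log above) and the SHA256 fingerprint (which newer OpenSSH versions log instead, directly on the "Accepted publickey" line) for every key in a constructed authorized_keys text, pairs each "Accepted publickey" log line with its fingerprint, and reports the key comment, or flags the key as unknown. The key blobs and the log lines are constructed placeholders; only the page's own fingerprint is reused, as an example of a key that is not on file.

```python
import base64
import hashlib
import re

# Constructed authorized_keys entries; the base64 blobs are placeholders, not real keys.
AUTHORIZED_KEYS = "\n".join(
    "ssh-rsa %s %s" % (base64.b64encode(raw).decode(), comment)
    for raw, comment in ((b"placeholder-key-1", "rsa-key-20161228"),
                         (b"placeholder-key-2", "backup-admin")))

def fingerprints(blob):
    """MD5 (colon-hex, older sshd) and SHA256 (base64, OpenSSH 6.8+) fingerprints of a key blob."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha

def load_authorized_keys(text):
    """Map both fingerprint forms of every key to the key's comment."""
    table = {}
    for parts in (l.split() for l in text.splitlines() if l.strip() and not l.startswith("#")):
        comment = parts[2] if len(parts) > 2 else "(no comment)"
        for fp in fingerprints(base64.b64decode(parts[1])):
            table[fp] = comment
    return table

FOUND = re.compile(r"Found matching \w+ key: (\S+)")
ACCEPTED = re.compile(r"Accepted publickey for (\S+) from (\S+) port (\d+) ssh2(?:: \w+ (\S+))?")

def parse_log(lines):
    """(user, ip, port, fingerprint) per accepted key login; older sshd logs the fingerprint on a separate line."""
    pending, logins = None, []
    for line in lines:
        if m := FOUND.search(line):
            pending = m.group(1)
        elif m := ACCEPTED.search(line):
            logins.append((m.group(1), m.group(2), int(m.group(3)), m.group(4) or pending))
            pending = None
    return logins

def attribute(lines, authorized_keys_text):
    """Attach the authorized_keys comment to each login; None means the key is not on file."""
    table = load_authorized_keys(authorized_keys_text)
    return [(u, ip, port, fp, table.get(fp)) for u, ip, port, fp in parse_log(lines)]

SAMPLE_LOG = [  # constructed lines in the format shown above; the page's key is not in AUTHORIZED_KEYS
    "Dec 28 15:49:19 server sshd: Found matching RSA key: 3b:7b:2e:04:39:11:bf:5a:8f:ed:54:69:6d:24:cd:e6",
    "Dec 28 15:49:19 server sshd: Accepted publickey for root from 192.168.1.11 port 60162 ssh2",
    "Dec 28 16:02:01 server sshd: Found matching RSA key: " + fingerprints(b"placeholder-key-1")[0],
    "Dec 28 16:02:01 server sshd: Accepted publickey for root from 192.168.1.12 port 50100 ssh2",
    "Dec 28 16:10:44 server sshd[2210]: Accepted publickey for backup from 10.0.0.5 port 41022 ssh2: RSA " + fingerprints(b"placeholder-key-2")[1],
]
```

Calling attribute(SAMPLE_LOG, AUTHORIZED_KEYS) yields one tuple per login; the first comes back with None, which is the case worth alerting on, since a key accepted by sshd that you cannot find in authorized_keys means your copy of the file is not what the server is using.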