
Configuring SSH Key-Based Authentication on Linux


The Internet is full of manuals on how to configure SSH key-based authentication on a Linux server. Every time we have to do this, we end up searching for additional information, because we always forget some nuance. This time we decided to write the instructions down for ourselves and for everyone else, with one small addition we have never seen covered elsewhere: logging the key fingerprints.

To connect via SSH, you can use a login and password, or a login and certificate (key pair). By configuring SSH key-based authentication you not only improve the security of the server, but also simplify your life a little. Instead of passwords, which are easy to intercept with keyloggers, we will use RSA keys. A key length of 2048 bits is sufficient for a good level of security. It is desirable to store the private key on an encrypted volume.

Create SSH keys for Putty

To connect via SSH to a Linux server from a computer running Windows, we prefer to use the PuTTY client. One of the utilities supplied with PuTTY is puttygen, which can be used to generate RSA and DSA keys.

Download the utility from the official website and run it.

In the PuTTY Key Generator window, click the Generate button and move the mouse a little until a pair of keys is generated: a public and a private one.

(Screenshot: PuTTY key generation)

Key passphrase: you can set a password for the private key.
Save public key: button to save the public key to a file. It is placed on the remote server.
Save private key: button to save the private key to a file. The key is stored on the client and used to connect to the remote server.
SSH-2 RSA 2048: key type and length. The default values (SSH-2 RSA) are suitable for our task.

The key format that puttygen generates is not suitable for OpenSSH, which is running on my server, so copy the contents of the public key from the puttygen window. We have highlighted this key in the screenshot; that is the text you need to copy to the server. Also save the key in OpenSSH format, as well as the other two, using the Save key buttons.

Setting up SSH on Linux server for authentication using certificates

In most Linux distributions that we know of, authentication using certificates is already configured. To verify this, open the SSH server's configuration file (/etc/ssh/sshd_config) and uncomment or add these lines:

HostKey /etc/ssh/ssh_host_dsa_key
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

(Screenshot: authorized keys settings in sshd_config)

Restart the SSH server using the command:

# /etc/init.d/sshd restart

Then you need to create the file on the server that will hold the certificate (public key):

# mkdir ~/.ssh
# chmod 0700 ~/.ssh
# touch ~/.ssh/authorized_keys
# chmod 0644 ~/.ssh/authorized_keys

Into the authorized_keys file, paste the key copied from the puttygen window. Save the file and try to connect with the certificate. You need to specify the certificate in PuTTY under Connection -> SSH -> Auth. Click the Browse button and select the private key saved earlier (with the .ppk extension).
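The server-side steps above (create ~/.ssh, create authorized_keys, set permissions, paste the key) can be done in one go. The following POSIX shell script is an added example written for this article, not something from the original post or from the PuTTY or OpenSSH projects; the function names and the sample key are our own. It checks that the pasted text is a single OpenSSH-format key line (the multi-line block that puttygen's Save public key button writes would be silently ignored by sshd), refuses to add the same key twice, and uses 0600 on authorized_keys, which is stricter than the 0644 used above; both satisfy sshd's default StrictModes check, which only rejects group- or world-writable files.

```shell
#!/bin/sh
# Added example: install an OpenSSH public key line into a user's authorized_keys
# with the permissions sshd expects, rejecting malformed input and duplicates.
# Function names and the sample key are our own (not from the article).

# install_authorized_key HOME_DIR "ssh-rsa AAAA... comment"
install_authorized_key() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Accept only a single OpenSSH-format line: "type base64 [comment]".
    case $pubkey in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *) ;;
        *) echo "install_authorized_key: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    if [ "$(printf '%s' "$pubkey" | wc -l | tr -d ' ')" -ne 0 ]; then
        echo "install_authorized_key: key must be a single line" >&2
        return 1
    fi

    # Create directory and file restrictively (umask applies only in the subshell);
    # sshd with StrictModes (the default) refuses group/world-writable files.
    (umask 077 && mkdir -p "$ssh_dir" && touch "$auth_file") || return 1
    chmod 0700 "$ssh_dir" && chmod 0600 "$auth_file" || return 1

    # Skip if this exact line is already present, otherwise append it.
    if grep -qxF -- "$pubkey" "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}

# count_authorized_keys HOME_DIR: number of key lines in authorized_keys
count_authorized_keys() {
    grep -cE '^(ssh-|ecdsa-)' "$1/.ssh/authorized_keys"
}

# check_ssh_perms HOME_DIR: succeed only if ~/.ssh is 0700 and the key file is 0600
check_ssh_perms() {
    ssh_dir="$1/.ssh"
    [ -n "$(find "$ssh_dir" -prune -perm 0700)" ] &&
    [ -n "$(find "$ssh_dir/authorized_keys" -prune -perm 0600)" ]
}

# Stand-alone usage with a constructed (not real) key and a scratch home directory.
if [ "${1:-}" = "--demo" ]; then
    demo_home=$(mktemp -d)
    install_authorized_key "$demo_home" \
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedSampleKeyNotReal rsa-key-20161228"
    check_ssh_perms "$demo_home" && echo "permissions ok, keys: $(count_authorized_keys "$demo_home")"
    rm -rf "$demo_home"
fi
```

Run it as `sh install_key.sh --demo` to see it work against a temporary directory, or source it and call `install_authorized_key /root "ssh-rsa AAAA... rsa-key-20161228"` on the server. If you saved the public key with puttygen's Save public key button instead of copying it from the window, `ssh-keygen -i -f key.pub` converts that RFC 4716 file into the single-line form this function accepts.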

(Screenshot: PuTTY configuration)

We remind you that we saved the public key to the server. This key can be used on multiple servers, so there is no need to generate a new key pair for each server; the same key can be used.

Now you can connect to your server; there is no need to restart the sshd service.

Just enter the user name (root in our case).

(Screenshot: PuTTY SSH key-based authentication)

The presence of the line «Authenticating with public key "rsa-key-20161228"» indicates that you have successfully authenticated using the RSA key.

Logging SSH connections with certificate

As a rule, the administrator must know when and which certificate was used to connect to the server. By default, this information is often not saved in the logs. The only exception we have noticed is CentOS 7: there, with the default settings and SSH logging level INFO, the key fingerprint is displayed in the log file (# cat /var/log/secure).

If you do not have the key information in the log file, you can fix it in a very simple way. In the file /etc/ssh/sshd_config change the setting:

LogLevel VERBOSE

and restart sshd service:

# /etc/init.d/sshd restart

Try to connect to the server over SSH again using the certificate and check the log:

# cat /var/log/secure
Dec 28 15:49:17 server sshd[8746]: Connection from 192.168.1.11 port 60162
Dec 28 15:49:19 server sshd[8746]: Found matching RSA key: 3b:7b:2e:04:39:11:bf:5a:8f:ed:54:69:6d:24:cd:e6
Dec 28 15:49:19 server sshd[8746]: Postponed publickey for root from 192.168.1.11 port 60162 ssh2 [preauth]
Dec 28 15:49:19 server sshd[8746]: Found matching RSA key: 3b:7b:2e:04:39:11:bf:5a:8f:ed:54:69:6d:24:cd:e6
Dec 28 15:49:19 server sshd[8746]: Accepted publickey for root from 192.168.1.11 port 60162 ssh2
Dec 28 15:49:19 server sshd[8746]: pam_unix(sshd:session): session opened for user root by (uid=0)

Now the log shows the fingerprint of the certificate used to connect, and we will be able to identify the user.
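Reading those fingerprints out of the log by hand does not scale, so here is an added example (not part of the original article, and not an OpenSSH tool) that turns sshd's log into one "user source fingerprint" line per accepted key login. It relies on the pattern visible in the log above: at LogLevel VERBOSE the fingerprint appears on a "Found matching ... key:" line from the same sshd[pid] shortly before the "Accepted publickey" line. It also handles newer OpenSSH releases, which print the fingerprint on the Accepted line itself after "ssh2:", and it reports "unknown" when neither is present, which is exactly the LogLevel INFO situation the article describes. The function name is our own; the sample input is the article's own log lines plus two constructed lines in the test.

```shell
#!/bin/sh
# Added example (not from the article): report "who logged in with which key"
# from sshd's log. Function name is ours; sample input below is constructed
# from the article's log lines.

# Constructed sample input: the article's log lines, one per line.
SAMPLE_LOG='Dec 28 15:49:17 server sshd[8746]: Connection from 192.168.1.11 port 60162
Dec 28 15:49:19 server sshd[8746]: Found matching RSA key: 3b:7b:2e:04:39:11:bf:5a:8f:ed:54:69:6d:24:cd:e6
Dec 28 15:49:19 server sshd[8746]: Postponed publickey for root from 192.168.1.11 port 60162 ssh2 [preauth]
Dec 28 15:49:19 server sshd[8746]: Found matching RSA key: 3b:7b:2e:04:39:11:bf:5a:8f:ed:54:69:6d:24:cd:e6
Dec 28 15:49:19 server sshd[8746]: Accepted publickey for root from 192.168.1.11 port 60162 ssh2
Dec 28 15:49:19 server sshd[8746]: pam_unix(sshd:session): session opened for user root by (uid=0)'

# report_key_logins: read sshd log lines on stdin, print one
# "user source fingerprint" line per accepted public-key login.
report_key_logins() {
    awk '
    # Extract the pid from a "sshd[8746]:" field.
    function pid_of(field,   p) { p = field; sub(/.*sshd\[/, "", p); sub(/\].*/, "", p); return p }

    # Remember the most recent fingerprint matched by this sshd process
    # (VERBOSE level; the fingerprint is the last field of the line).
    /sshd\[[0-9]+\]: Found matching [A-Z0-9]+ key: / { fp[pid_of($5)] = $NF; next }

    /sshd\[[0-9]+\]: Accepted publickey for / {
        pid = pid_of($5); user = ""; src = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "for")  user = $(i + 1)
            if ($i == "from") src  = $(i + 1)
        }
        f = fp[pid]
        # Newer OpenSSH prints "... ssh2: RSA SHA256:..." on the Accepted line itself.
        if (f == "" && $0 ~ / ssh2: /) f = $NF
        # Nothing found: the server is logging at INFO without fingerprints.
        print user, src, (f == "" ? "unknown" : f)
        delete fp[pid]
    }'
}

# Stand-alone usage over the constructed sample. On a real server use
#   report_key_logins < /var/log/secure      (CentOS; /var/log/auth.log on Debian)
# or pipe journalctl output for the sshd unit into the function.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | report_key_logins
fi
```

To turn a reported fingerprint back into a specific line of authorized_keys, list the fingerprints of the installed keys with `ssh-keygen -lf ~/.ssh/authorized_keys` (add `-E md5` on OpenSSH 6.8 or later to get the colon-separated MD5 form shown in the log above) and match them up; keeping a meaningful comment on each key line, as puttygen's default "rsa-key-20161228" does, makes that mapping readable.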
