SSH Public Key Authentication

Putty and Pageant
see also http://docs.google.com/Doc?id=dfxjbxcc_12hc8k38

-----------------------------------------------------------------------------------
On the SSH Server
Verify that the following settings are defined in /etc/ssh/sshd_config

#Protocol 2,1
Protocol 2
#AddressFamily any
# substitute the address sshd should listen on; older sshd releases reject
# trailing comments ("garbage at end of line"), so keep notes on their own line
ListenAddress 192.168.0.10

# the server's host private key (not a user key)
HostKey /etc/ssh/id_dsa

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin no
#StrictModes yes
MaxAuthTries 3

RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

MaxStartups 5

# no default banner path
Banner /etc/ssh/banner

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
--------------------------------------------------------------------------------
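Checking the settings above by eye is error-prone because sshd skips comment lines, matches directive names case-insensitively, and takes the FIRST occurrence of a directive (later duplicates are silently ignored). The script below is an added example, not part of the original page: it reads a directive's effective value with the same rules and runs the hardening checks from the block above against a constructed sample file. On a real host point it at /etc/ssh/sshd_config, or just run sshd -T, which prints the effective configuration.

```shell
#!/bin/sh
# Added example (not from the original page). Reports the value sshd would
# actually use for a directive: comments and blank lines are skipped, names
# match case-insensitively, and the first occurrence wins.

# effective_value FILE DIRECTIVE -> prints the effective value, or nothing if unset
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }     # comment or blank line
        {
            if (tolower($1) != want) next
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")  # drop the directive name
            print
            exit                                            # first match wins
        }' "$1"
}

# check_hardening FILE -> exit 0 when every setting from the block above is in effect
check_hardening() {
    f=$1
    rc=0
    [ "$(effective_value "$f" Protocol)" = "2" ] \
        || { echo "Protocol is not 2"; rc=1; }
    [ "$(effective_value "$f" PubkeyAuthentication | tr 'A-Z' 'a-z')" = "yes" ] \
        || { echo "PubkeyAuthentication is not yes"; rc=1; }
    [ "$(effective_value "$f" PermitRootLogin | tr 'A-Z' 'a-z')" = "no" ] \
        || { echo "PermitRootLogin is not no"; rc=1; }
    tries=$(effective_value "$f" MaxAuthTries)
    { [ -n "$tries" ] && [ "$tries" -le 3 ]; } \
        || { echo "MaxAuthTries is not set to 3 or less"; rc=1; }
    return $rc
}

# sample_config -> writes a CONSTRUCTED sshd_config for the demo and prints its path.
# The duplicate MaxAuthTries and the commented PermitRootLogin show the first-match rule.
sample_config() {
    f="${TMPDIR:-/tmp}/sshd_config.sample.$$"
    cat > "$f" <<'EOF'
#Protocol 2,1
Protocol 2
  # indented comment, still a comment
#PermitRootLogin yes
PermitRootLogin no
MaxAuthTries 3
pubkeyauthentication yes
MaxAuthTries 6
EOF
    printf '%s\n' "$f"
}

# Demo run: prints PASS or FAIL for the constructed sample.
sample=$(sample_config)
if check_hardening "$sample"; then echo "PASS: $sample"; else echo "FAIL: $sample"; fi
rm -f "$sample"
```

The same first-match rule is why a hardening line appended at the bottom of a real sshd_config can have no effect when an earlier line already sets the directive; compare the output of sshd -T rather than trusting the last line you wrote.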

Verify that there are no settings in /etc/ssh/ssh_config (the client-side configuration on the machine you connect from) that prevent PubkeyAuthentication:

i.e. you should not see
PubkeyAuthentication no
anywhere in the file.

--------------------------------------------------------------------------------

On Windows - Use puttygen to generate an SSH-2 DSA key and save the public and private keys.

You must then copy the public key directly from the puttygen key window and paste it into the file ~/.ssh/authorized_keys on the remote Linux box (each key must be a single line; there can be no extra whitespace or line breaks in the file!)

chown user.user authorized_keys
chmod 755 .ssh
chmod 644 authorized_keys

On Unix

Note: the client looks for keys at the IdentityFile paths set in /etc/ssh/ssh_config (or ~/.ssh/config); the defaults are

# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa

so you could add something like ~/.ssh/servername_dsa there and generate the key under that name instead.

$ ssh-keygen -t dsa -b 1024 -f /home/localuser/cron/id_dsa
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase):   <- leave blank
Enter same passphrase again:                  <- leave blank
Your identification has been saved in /home/localuser/cron/id_dsa.
Your public key has been saved in /home/localuser/cron/id_dsa.pub.
The key fingerprint is:
2e:28:d9:ec:85:21:e7:ff:73:df:2e:07:78:f0:d0:a0 localuser@localhost

Now we have a key in the two files mentioned above. Make sure that no other unauthorized user can read the private key file (the one without the '.pub' extension): chmod 600 on the id_dsa file.

This key will not work until we put the public portion (id_dsa.pub) into the 'authorized_keys' file on remotehost, specifically the one for remoteuser:

/home/remoteuser/.ssh/authorized_keys

chmod 644 on authorized_keys

Use scp to copy the file to the remotehost:

$ scp /home/localuser/cron/id_dsa.pub remoteuser@remotehost:/home/remoteuser/

SSH to the remotehost:

$ ssh remoteuser@remotehost

Make sure the necessary directory and files exist to authorize connections with this key:

$ if [ ! -d .ssh ]; then mkdir .ssh ; chmod 755 .ssh ; fi
$ mv id_dsa.pub .ssh/
$ cd .ssh/
$ if [ ! -f authorized_keys ]; then touch authorized_keys ; chmod 644 authorized_keys ; fi
$ cat id_dsa.pub >> authorized_keys
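The manual steps above (create .ssh, create authorized_keys, set modes, append the key) are easy to get subtly wrong: appending twice leaves duplicate keys, a pasted key with a stray line break is rejected by sshd, and a group-writable .ssh makes sshd refuse the key under StrictModes. The script below is an added example, not part of the original page: it performs the same installation idempotently, checks that the public key file really is a single line starting with a key type, and tightens the modes to 700/600 (sshd accepts the page's 755/644 as well). The key material and home directory it uses are constructed for the demo; run it as the target user with the real key file and home directory.

```shell
#!/bin/sh
# Added example (not from the original page): idempotent authorized_keys installer.

# install_authorized_key PUBKEY_FILE HOME_DIR
#   Appends the public key to HOME_DIR/.ssh/authorized_keys unless an identical
#   line is already there. Returns 1 when PUBKEY_FILE is not a single well-formed line.
install_authorized_key() {
    pub=$1
    home=$2
    # An OpenSSH public key file is exactly one line: "<type> <base64> [comment]".
    # awk's NR counts an unterminated last line too, unlike wc -l.
    [ "$(awk 'END { print NR }' "$pub")" -eq 1 ] \
        || { echo "refusing: $pub is not a single line" >&2; return 1; }
    key=$(cat "$pub")
    case $key in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "refusing: $pub does not start with a key type" >&2; return 1 ;;
    esac
    sshdir=$home/.ssh
    ak=$sshdir/authorized_keys
    [ -d "$sshdir" ] || mkdir "$sshdir"
    chmod 700 "$sshdir"            # StrictModes: must not be group/world-writable
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak"
    # Exact whole-line match (-x -F), so re-running never duplicates a key.
    if ! grep -qxF -- "$key" "$ak"; then
        printf '%s\n' "$key" >> "$ak"
    fi
    return 0
}

# mode_of PATH -> prints the symbolic mode, e.g. drwx------ (portable: parses ls -l)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# CONSTRUCTED demo key: the base64 is not real key material.
DEMO_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoKeyNotReal000000000000 demo@example'

# demo -> installs the constructed key twice into a scratch home and shows the result
demo() {
    home="${TMPDIR:-/tmp}/akdemo.$$"
    mkdir -p "$home"
    printf '%s\n' "$DEMO_PUBKEY" > "$home/demo.pub"
    install_authorized_key "$home/demo.pub" "$home"
    install_authorized_key "$home/demo.pub" "$home"   # second run is a no-op
    echo "$(mode_of "$home/.ssh") $home/.ssh"
    echo "$(mode_of "$home/.ssh/authorized_keys") $home/.ssh/authorized_keys"
    echo "keys installed: $(grep -c '' "$home/.ssh/authorized_keys")"   # 1, not 2
    rm -rf "$home"
}

demo
```

When installing a key for another account as root, add a chown of .ssh and authorized_keys to that user afterwards, as the page's chown step does; sshd checks ownership as well as mode under StrictModes.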
