OpenSSH Publickey authentication

This would most commonly be used for automated backups and scripts that need to be run from one "client" to a remote "server" via cron, when typing a password is not an option.

This example uses openssh 2.9.1. It also works on newer versions, but will not work on versions prior to 2.9.1.

If you are using RedHat 7.x and have not totally customized the installation, openssh should already be installed. All you need to do is upgrade the existing "RPM" packages for openssh; see the following instructions.

If you don't have openssh installed already, as in a redhat 6.x installation, you need to know that openssh relies on the openssl and zlib libraries. Download the openssh source code, check out the "INSTALL" file and read it top to bottom. It's ok to install all of those packages with "RPM" or from source code. However, if you install from source code, pay attention to the section about "pam" support: openssh built without "pam" will not allow you to log in with password authentication. Basically, read the "INSTALL" file; all you need to know to get openssh on your system is in that document. Anyhow, this document is about publickey auth, not all of the different methods to install openssh. So... on with the show.

Get the latest version first:

Go to http://www.openssh.org/portable.html, locate the closest mirror and download the rpm's for the version of RedHat that you are running.

Install OpenSSH:

In the directory that you downloaded the rpm's to, logged in as root:

    # rpm -Uvh openssh*

This will install with upgrade, verbose and print hash marks for a progress bar. The upgrade "U" option will install if an older version is not present and upgrade if one is present.

Create and install public keys for authentication:

This section is broken down into client and server roles.

Client:

Run ssh-keygen to create a dsa key pair, logged in as the user that you want to allow public key authentication for:

    # ssh-keygen -b 1024 -t dsa

This will create a 1024 bit dsa key pair located in ~/.ssh/ called id_dsa and id_dsa.pub.

Get the id_dsa.pub file to the server you wish to connect to using public key authentication and put it in the user's home directory on the server, in .ssh:

    # rsync -av -e ssh ~/.ssh/id_dsa.pub insert.server.name:~/.ssh/authorized_keys2

This will copy the id_dsa.pub file to the user's home directory on the server using rsync tunneled through ssh. Notice that the destination is "authorized_keys2": the contents of id_dsa.pub are written to "authorized_keys2" (overwriting it, the same as doing a save as, or copying a file and renaming it in windows).

That's it... Try logging into the server from the client. You should get in without using a password.

Additional security tweaks that can be used with public key authentication, cut from the sshd man page:

from="pattern-list"
    Specifies that in addition to RSA authentication, the canonical name of the remote host must be present in the comma-separated list of patterns (`*' and `?' serve as wildcards). The list may contain patterns negated by prefixing them with `!'; if the canonical host name matches a negated pattern, the key is not accepted. The purpose of this option is to optionally increase security: RSA authentication by itself does not trust the network name servers or anything (but the key); however, if somebody somehow steals the key, the key permits an intruder to log in from anywhere in the world. This additional option makes using a stolen key more difficult (name servers and/or routers would have to be compromised in addition to just the key).

Example beginning of a line in authorized_keys2:

    from="*.niksula.hut.fi,!pc.niksula.hut.fi" beginning of key starts here.....

PermitRootLogin
    Specifies whether root can login using ssh(1). The argument must be ``yes'', ``without-password'', ``forced-commands-only'' or ``no''. The default is ``yes''. If this option is set to ``without-password'' password authentication is disabled for root. If this option is set to ``forced-commands-only'' root login with key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root. If this option is set to ``no'' root is not allowed to login.

Need to test to create an example.

References used to create this document: Man pages: sshd(8) and ssh-keygen(1)
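The from="pattern-list" rule quoted above is easy to get wrong (a host matching a negated pattern is rejected even if it also matches a positive one), so here is an added example, not part of the original document or of OpenSSH itself: a small Python script that parses an authorized_keys2 line carrying options and applies sshd's matching rule to a client host name. The sample line, its placeholder key body and the /usr/bin/rsync --server forced command are constructed for this example; the pattern list is the one from the man page excerpt.

```python
import re

KEY_TYPES = ("ssh-dss", "ssh-rsa")  # protocol-2 types on an OpenSSH 2.9-era authorized_keys2 line

def split_unquoted(text, sep_chars):
    """Split text at separator characters that are not inside double quotes (quotes are kept)."""
    parts, cur, quoted = [], "", False
    for ch in text:
        quoted ^= ch == '"'
        if ch in sep_chars and not quoted:
            if cur:
                parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur] if cur else parts

def parse_line(line):
    """Return (options dict, key type, key body) for one authorized_keys2 line."""
    tokens = split_unquoted(line.strip(), " \t")  # quoted option values may contain spaces
    idx = next(i for i, t in enumerate(tokens) if t in KEY_TYPES)
    opts = {}
    for opt in split_unquoted(" ".join(tokens[:idx]), ","):  # commas inside quotes are not separators
        name, _, value = opt.partition("=")
        opts[name] = value.strip('"') or True  # flag options such as no-pty carry no value
    return opts, tokens[idx], tokens[idx + 1]

def match_pattern(name, pattern):
    """sshd-style match: '*' is any run, '?' one character; host names compare case-insensitively."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, name, re.IGNORECASE) is not None

def host_allowed(pattern_list, host):
    """from= rule: any matching negated ('!') pattern rejects; otherwise one positive match is needed."""
    positive = False
    for pat in pattern_list.split(","):
        if pat.startswith("!"):
            if match_pattern(host, pat[1:]):
                return False
        elif match_pattern(host, pat):
            positive = True
    return positive

def key_accepted(line, client_host):
    opts = parse_line(line)[0]
    # Without a from= option the key is usable from anywhere (the signature check itself aside).
    return host_allowed(opts["from"], client_host) if "from" in opts else True

# Constructed sample line: the man page's pattern list, a forced command and a placeholder key body.
SAMPLE_LINE = ('from="*.niksula.hut.fi,!pc.niksula.hut.fi",command="/usr/bin/rsync --server" '
               'ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLEKEYBODY backup@client')
```

Run key_accepted(SAMPLE_LINE, "backup.niksula.hut.fi") and key_accepted(SAMPLE_LINE, "pc.niksula.hut.fi") to see the positive and the negated case; a host outside the domain, such as "evil.example.org", is rejected as well.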