Wednesday, April 2, 2008

Login to Secure Shell Using Key Authentication

Secure Shell (SSH) is the industry-standard encrypted protocol for accessing remote servers and executing commands in a standard shell, but securely. SSH does a far better job of protecting the login account from sniffers than its ancestor Telnet, which transferred the login username and password in clear text for all to see. In fact SSH not only protects the login account with encryption; it encrypts the whole session, so that even if sniffers spy on your session they will not be able to decrypt it.

A password is not the only way to authenticate to SSH; there is also SSH key authentication. Having an SSH server configured to accept key-only authentication is better than a server accepting passwords, because password authentication is vulnerable to dictionary attacks. So the most secure way to access a remote server is SSH key authentication, and that is what this note is about.

First we need to make sure that our local system has the ssh client installed:
$ sudo apt-get install openssh-client
and that the ssh server is installed and running on the server:
$ sudo apt-get install openssh-server
$ sudo /etc/init.d/sshd start
SSH Key generation
We need to generate a pair of keys: one public key for the server to encrypt the data, and a private key, which is the only key that can decipher the encrypted data and which, as its name says, must be kept private. There are many secure encryption algorithms with different degrees of strength. There are DSA and RSA; as far as I know DSA is the standard encryption for the US government, DSA keys have a 1024-bit size limit, whereas RSA is unlimited. I chose to use an RSA key of 2048 bits; here are the steps.
$ ssh-keygen -v -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ibrahim/.ssh/id_rsa): /home/ibrahim/.ssh/ibrahim_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ibrahim/.ssh/ibrahim_rsa.
Your public key has been saved in /home/ibrahim/.ssh/ibrahim_rsa.pub.
The key fingerprint is:
66:d2:cc:7b:6a:62:f9:f5:c6:ef:69:fc:7b:87:0d:46 ibrahim@ibrahim
$ chmod 600 /home/ibrahim/.ssh/ibrahim_rsa
$ scp /home/ibrahim/.ssh/ibrahim_rsa.pub ibrahim@myremote.server.com:/home/ibrahim/.ssh
The last command, scp (secure copy), is part of the ssh package; it is a secure remote copy command. You will be asked for the login password on the remote server before the copy commences. The file is copied into the login user's home directory on the remote (/home/ibrahim in this case).

On the remote server we should append the public key to the authorized keys file (note the >>, so that any keys already in authorized_keys are kept rather than overwritten):
$ cat /home/ibrahim/.ssh/ibrahim_rsa.pub >> /home/ibrahim/.ssh/authorized_keys
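The key-install step above, written as an added shell example that is not from the original post: it appends the public key to authorized_keys only if it is not already there, and sets the permissions sshd insists on (700 on ~/.ssh, 600 on authorized_keys), since sshd silently rejects keys from a group- or world-writable file. The public key line and directory are constructed placeholders, and the function runs against a local directory so it can be tried without a remote server.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into a
# user's authorized_keys the way the post's scp/cat step intends, without
# overwriting keys already present. Requires POSIX sh, grep, mkdir, chmod, touch.

# Constructed sample public key line; the base64 body is placeholder data,
# not a real key.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexampleplaceholderkeydata= ibrahim@ibrahim'

# install_pubkey <pubkey_line> <ssh_dir>
# Appends the key to <ssh_dir>/authorized_keys if it is not already there
# (>> rather than >, so earlier keys survive) and fixes permissions, because
# sshd refuses keys from a world-writable directory or file.
install_pubkey() {
    key="$1"
    sshdir="$2"
    authfile="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"
    # -x matches the whole line, -F treats the key as a literal string
    if grep -qxF -- "$key" "$authfile"; then
        return 0            # already installed; nothing to do
    fi
    printf '%s\n' "$key" >> "$authfile"
}

# count_keys <ssh_dir>: number of non-empty, non-comment lines in authorized_keys
count_keys() {
    grep -cv -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$1/authorized_keys"
}

# file_mode <path>: octal permission bits (e.g. 600); GNU stat first, BSD fallback
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

Run it as `install_pubkey "$SAMPLE_PUBKEY" "$HOME/.ssh"`; running it twice leaves a single copy of the key, which is the point of checking before appending.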

Now, let's log in to the remote server using the password and configure the sshd server to disable password login and enable keys.
PermitRootLogin no
#Disable Login password
#PasswordAuthentication no
ChallengeResponseAuthentication no
#Allow forwarding yes
AllowTcpForwarding no
  • Uncomment the 'PasswordAuthentication no' line only after making sure that key authentication is working properly.
  • Disabling root login is recommended anyway, though it matters less once password login is disabled.
  • Allowing forwarding is not recommended in a multi-user hosting environment where keys could be exposed. We should only allow it if we intend to forward keys from server to server while keeping all our keys on the local machine, which is exactly what I want to do.
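The first bullet hides the usual mistake with this step: a commented-out 'PasswordAuthentication no' changes nothing, because sshd ignores comment lines and its default for that keyword is yes. The following added shell script (not from the original post) audits a config fragment for the three directives above the way sshd reads them: comments and blank lines are skipped, keywords are case-insensitive, and the first uncommented occurrence of a keyword wins. The sample config is constructed and deliberately leaves the password line commented. It does not understand Match blocks, which can override these values for specific users or hosts.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config fragment for
# the hardening directives the post recommends. Requires POSIX sh, awk, tr.

# Constructed sample config: PasswordAuthentication is still commented out,
# so sshd falls back to its default of yes.
SAMPLE_CONFIG=$(cat <<'EOF'
Port 22
PermitRootLogin no
#Disable Login password
#PasswordAuthentication no
ChallengeResponseAuthentication no
#Allow forwarding yes
AllowTcpForwarding no
EOF
)

# effective_value <keyword> <config_text>
# Prints the first active value of <keyword> (sshd uses the first one it
# finds), or "default" if the keyword never appears uncommented.
effective_value() {
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$2" | awk -v kw="$kw" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        { k = tolower($1) }                             # keywords are case-insensitive
        k == kw { print $2; found = 1; exit }           # first match wins
        END { if (!found) print "default" }'
}

# check_hardening <config_text>
# Prints one PASS/FAIL line per directive; returns 1 if any directive fails.
check_hardening() {
    cfg="$1"
    rc=0
    for pair in PasswordAuthentication=no PermitRootLogin=no ChallengeResponseAuthentication=no; do
        kw=${pair%=*}
        want=${pair#*=}
        got=$(effective_value "$kw" "$cfg")
        if [ "$got" = "$want" ]; then
            echo "PASS $kw=$got"
        else
            echo "FAIL $kw=$got (want $want)"
            rc=1
        fi
    done
    return $rc
}
```

Running `check_hardening "$SAMPLE_CONFIG"` reports FAIL for PasswordAuthentication with the value "default"; uncomment the line and it passes. On a real host, `check_hardening "$(cat /etc/ssh/sshd_config)"` is a quick check to make after editing and before restarting sshd.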
Now, let's try login using the keys.
$ ssh -i /home/ibrahim/.ssh/ibrahim_rsa ibrahim@myremote.server.com
You should be asked to approve connecting to the new server, and whether you trust it; answer yes, because we are connecting to the remote server for the first time.

Hopefully you now have access to the remote server shell. Now, edit the sshd config file and disable login by password by uncommenting 'PasswordAuthentication no'.

It is recommended to protect the keys with a passphrase, and it is straightforward to do so. In fact you are asked to provide a passphrase for your private key during key generation, and you can skip it if you want. If you did skip it, you can lock the key with a passphrase afterwards using the following.
$ ssh-keygen -p
It will prompt for the key file path, and then for the passphrase, which must be more than 5 characters.

Of course using keys is useful not only for security but also for not being asked for a password every time you use ssh. Thanks to ssh-agent we can save ourselves a few keystrokes and, more importantly, use ssh in automated scripts without the script being interrupted by a password prompt.

SSH Agent
$ eval `ssh-agent`
$ ssh-add /home/ibrahim/.ssh/ibrahim_rsa
$ ssh ibrahim@myremote.server.com
We first ran ssh-agent, which is actually a service, then used ssh-add to add the key, then ssh'd to the remote server with only the user name and the server address, without specifying the key. If you protected the key with a passphrase, you are asked for it when you add it. The ssh-agent holds the unlocked key for the session, so we can use ssh to access the remote server without giving any keys or password.
