Making SSH password-less

Posted by: Robert  :  Category: Administration

If you didn’t read yesterday’s post on changing SSHD’s port number, I suggest you start there and then come back to this. Here’s the link: http://hostentrepreneur.com/2009/08/18/changing-your-ssh-port/

I find this provides dual benefits… One, passwords are too easy to crack sometimes (or too easy to forget if you actually are one who makes them difficult to crack). And two, it actually makes ssh’ing into the server easier. What we’re going to do is generate key pairs for the server and your client, and then use that to authenticate to the server.

  1. First get a SSH session going. And like yesterday, don’t close it until I tell you.
  2. Generate the user’s keypair on the server with “ssh-keygen -t rsa”. This goes into the .ssh directory off the user’s home directory – you’ll need these keys to ssh to other boxes, and running it creates the .ssh directory for you.
  3. cd ~/.ssh
  4. Next create a keypair on the client. For PuTTY this is done with PuTTYgen. If you use something else, you’ll need to look up how to do it for that client. This will create a couple of files for you: id_rsa.pub is the public key file and id_rsa.ppk is the private key.
  5. Transfer the public key to the server, into the user’s ~/.ssh directory, with a NEW NAME. Don’t overwrite anything!
  6. If an authorized_keys2 already exists you will need to append the file onto the end with ‘cat (filename) >> authorized_keys2’. NOTE the double greater-than: that means append to the end (a single > would replace the file). If you get this wrong, the other keys will be lost.
  7. I also recommend that if you are going to have multiple keys for the user, you edit the comment at the end of the line you just added to authorized_keys2. The comment is the portion at the end after the second space. The line’s format is (key type)(space)(key)(space)(comment), so you’ll see something like “ssh-rsa (lots of letters and numbers) rsa-key-YYYYMMDD”, where YYYYMMDD is the year, month and day you made the key. It’s that last bit (and only that last bit) you can safely change.
  8. Make sure the authorized_keys2 file is readable only by you (chmod 600 or 700).
  9. If this is going to be for the root user do steps 9 -
  10. cd /etc/ssh
  11. cp sshd_config sshd_config.save
  12. vi (or vim, pico, etc.) sshd_config
  13. Find the PermitRootLogin line and change it to read ‘PermitRootLogin without-password’
  14. Save/close the file
  15. Restart sshd with ‘service sshd restart’ or ‘/etc/init.d/sshd restart’ — Remember, don’t close your session until we know everything works correctly!!
  16. Start another PuTTY, and load (not start) the session
  17. On the left-hand side, select the Data Category under Connection
  18. Specify the user’s name in the Auto-login username field
  19. Again under Connection, expand out the SSH branch and select Auth
  20. Click the browse button for the Private key for authentication field and find and select the id_rsa.ppk file you created in step 4.
  21. This one has caught me a couple of times… Go back up to the Sessions branch all the way at the top left side, and click Save for the session on the right. Otherwise, you’re going to do the PuTTY side config again.
  22. Test the passwordless login… Be absolutely sure it works, before dropping that first session. If it doesn’t you NEED to restore the sshd_config.save file back to sshd_config AND restart SSHD again, undo the PuTTY changes and test that you have put it back to where you can get in again BEFORE you drop that connection.
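The server-side half of steps 5 through 8 as one shell function, added here as an example and not part of Robert's post. The file names, the authorized_keys2 path argument and the sample keys used in the comments are assumptions; it makes the format check, the ">>" append and the chmod from those steps explicit, and refuses a transferred file that is not a single "(key type) (key) (comment)" line.

```shell
#!/bin/sh
# Added example: the server side of steps 5-8 as one function. It checks that
# the transferred file holds one "(key type) (key) (comment)" line, lets you
# replace only the comment (step 7), appends with ">>" so existing keys survive
# (step 6) and applies the step 8 permissions. Paths are assumptions.

# install_pubkey <transferred-pubkey-file> [new-comment] [authorized_keys path]
install_pubkey() {
    keyfile=$1
    newcomment=$2
    authkeys=${3:-$HOME/.ssh/authorized_keys2}

    # PuTTYgen's "authorized_keys" box is a single line; use only the first.
    line=$(head -n 1 "$keyfile")
    ktype=$(printf '%s\n' "$line" | awk '{print $1}')
    kdata=$(printf '%s\n' "$line" | awk '{print $2}')
    comment=$(printf '%s\n' "$line" | cut -d' ' -f3-)

    case "$ktype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "refusing '$keyfile': unknown key type '$ktype'" >&2; return 1 ;;
    esac
    # The key data must be pure base64; anything else means it was mangled in transfer.
    printf '%s\n' "$kdata" | grep -Eq '^[A-Za-z0-9+/]+=*$' \
        || { echo "refusing '$keyfile': key data is not base64" >&2; return 1; }

    # Step 7: the comment (everything after the second space) is the only editable part.
    if [ -n "$newcomment" ]; then comment=$newcomment; fi

    mkdir -p "$(dirname "$authkeys")"
    chmod 700 "$(dirname "$authkeys")"
    # A key is identified by type + data, not by its comment; never add it twice.
    if [ -f "$authkeys" ] && grep -Fq -- "$ktype $kdata" "$authkeys"; then
        echo "already present in $authkeys, nothing appended" >&2
        return 0
    fi
    # Step 6: append with >>, never overwrite with >.
    printf '%s %s %s\n' "$ktype" "$kdata" "$comment" >> "$authkeys"
    # Step 8: readable and writable only by the owner.
    chmod 600 "$authkeys"
}

# key_count <authorized_keys path>: how many key lines are installed (0 if no file).
key_count() {
    if [ -f "$1" ]; then grep -c '^[a-z]' "$1" || true; else echo 0; fi
}
```

Run it as the target user with the transferred file as the first argument; the third argument only exists so it can be pointed at a scratch directory for a dry run.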

Provided everything worked, you now have an automated login that’s using a nice long keypair and not some little password… and provided you did yesterday’s change of the SSHD port number, you’ve probably locked out 99+% of anyone’s chance of getting into your machine through brute force methods, so take a break and enjoy the enhanced security (well, until you learn about all the other methods of getting into the machine anyway…). Seriously though, most hack attempts prey on the people that don’t take the precautions, so you’ve just dropped your chances quite a bit just through these 2 little procedures. You’re not safe and secure, but you are a lot better off than you were 2 days ago.

About: Robert:
Robert Porter holds Oracle Certified Professional-Java 6, MCSE, A+, Net+, Project+, Security+, and multiple CIW certifications. He has been in the hosting industry for more than a decade and is founder of Lagniappe Internet L.L.C., a privately owned, completely debt free, hosting company based out of New Orleans. Robert's background includes 25+ years in programming, databases, networking and systems administration.
