SSH authentication using a client certificate
First off, I know that there are a lot of tutorials already, explaining how to set up client certificate authentication on OpenSSH driven machines. I recently updated the server this blog runs on and had to search for a manual again, though.
For future reference I wrote this article so I don’t have to consult Dr. Google every time.
Here it goes.
Keypair generation and SSH server setup
First off — a disclaimer. The goal of this article is to secure your server. Password authentication will not be available afterwards. If you lose your private key and don’t have physical access to your machine (i.e. a VPS), you’ll probably have no way of logging on to your server again.
We assume you’re logged in on the box you’d like to get client key authentication set up on. We’re planning on setting up a 2048-bit RSA key pair. At first, we manually set up the directory structure:
root@box:~$ mkdir .ssh root@box:~$ chmod 0700 .ssh root@box:~$ cd .ssh
We proceed to creating a key pair using
root@box:~/.ssh$ ssh-keygen -b 2048 -t rsa -f ./id_rsa Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in ./id_rsa. Your public key has been saved in ./id_rsa.pub. The key fingerprint is: de:ad:be:ef:f0:00:de:af:ba:be:00:13:33:37:c0:de root@box The key's randomart image is: +--[ RSA 2048]----+ | ..o | | . o | | . E o| | . .o| | S . + o| | . . = = | | . . = + .| | = = + . | | . +.*. | +-----------------+
As you can see, you’re prompted for a passphrase which can be empty but shouldn’t. If someone gets his/her hands on your private key they can use it to access your machine.
By default the SSH server expects the keys to reside in
.ssh/authorized_keys of any user’s home directory (as defined with the
AuthorizedKeysFile directive in
/etc/ssh/sshd_config), so we’ll have to rename the public key:
root@box:~/.ssh$ mv id_rsa.pub authorized_keys
Adjusting the SSH server’s configuration
On Debian distributions, the SSH server’s configuration file resides in
/etc/ssh/sshd_config. There are a few adjustments necessary in this configuration:
# By default, this directive is commented out # on Debian distros. AuthorizedKeysFile %h/.ssh/authorized_keys # This turns password authentication OFF PasswordAuthentication no # Disable Pluggable Authentication Module interface UsePAM no
I save myself the troubles to hint on the necessity to create backups of any configuration files.
It’s done. All you have to do now, is restart the SSH server:
root@box:~/.ssh$ /etc/init.d/ssh restart Restarting OpenBSD Secure Shell server: sshd.
Gone are the times now for
auth.log entries like these:
Jul 17 19:42:39 host sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.108.85.xxx user=root Jul 17 19:42:41 host sshd: Failed password for root from 218.108.85.xxx port 53721 ssh2