This article shows how you can go that extra mile to securing access to an OpenSSH enabled server using not passwords but by flashing a badge…
First off, I know that there are a lot of tutorials *already*, explaining how to set up client certificate authentication on OpenSSH driven machines. I [recently updated the server](/2011/07/server-updated-thanks-to-wordpress-3-2/) this blog runs on and had to search for a manual again, though.
For future reference I wrote this article so I don’t have to consult Dr. Google every time.
Here it goes.
Keypair generation and SSH server setup
—–
First off — a disclaimer. The goal of this article is to secure your server. **Password authentication will not be available afterwards.** If you lose your private key and don’t have physical access to your machine (i.e. a VPS), you’ll probably have no way of logging on to your server again.
### Keypair generation
We assume you’re logged in on the box you’d like to get client key authentication set up on. We’re planning on setting up a 2048-bit RSA key pair. At first, we manually set up the directory structure:
root@box:~$ mkdir .ssh root@box:~$ chmod 0700 .ssh root@box:~$ cd .ssh
We proceed to creating a key pair using `ssh-keygen`:
root@box:~/.ssh$ ssh-keygen -b 2048 -t rsa -f ./id_rsa Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in ./id_rsa. Your public key has been saved in ./id_rsa.pub. The key fingerprint is: de:ad:be:ef:f0:00:de:af:ba:be:00:13:33:37:c0:de root@box The key's randomart image is: +--[ RSA 2048]----+ | ..o | | . o | | . E o| | . .o| | S . + o| | . . = = | | . . = + .| | = = + . | | . +.*. | +-----------------+
As you can see, you’re prompted for a **passphrase** which *can* be empty but *shouldn’t*. If someone gets his/her hands on your private key they can use it to access your machine.
By default the SSH server expects the keys to reside in `.ssh/authorized_keys` of any user’s home directory (as defined with the `AuthorizedKeysFile` directive in `/etc/ssh/sshd_config`), so we’ll have to rename the public key:
root@box:~/.ssh$ mv id_rsa.pub authorized_keys
### Adjusting the SSH server’s configuration
On Debian distributions, the SSH server’s configuration file resides in `/etc/ssh/sshd_config`. There are a few adjustments necessary in this configuration:
# By default, this directive is commented out # on Debian distros. AuthorizedKeysFile %h/.ssh/authorized_keys # This turns password authentication OFF PasswordAuthentication no # Disable Pluggable Authentication Module interface UsePAM no
I save myself the troubles to hint on the necessity to create backups of any configuration files.
**It’s done.** All you have to do now, is restart the SSH server:
root@box:~/.ssh$ /etc/init.d/ssh restart Restarting OpenBSD Secure Shell server: sshd.
Gone are the times now for `auth.log` entries like these:
Jul 17 19:42:39 host sshd[1337]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.108.85.xxx user=root Jul 17 19:42:41 host sshd[1337]: Failed password for root from 218.108.85.xxx port 53721 ssh2