SSH authentication using a client certificate

Strong passwords are a necessity when it comes to securing almost anything. This article shows how you can go that extra mile to securing access to an OpenSSH enabled server using not passwords but by flashing a badge…

First off, I know that there are a lot of tutorials already, explaining how to set up client certificate authentication on OpenSSH driven machines. I recently updated the server this blog runs on and had to search for a manual again, though.

For future reference I wrote this article so I don’t have to consult Dr. Google every time.

Here it goes.

Keypair generation and SSH server setup

First off — a disclaimer. The goal of this article is to secure your server. Password authentication will not be available afterwards. If you lose your private key and don’t have physical access to your machine (i.e. a VPS), you’ll probably have no way of logging on to your server again.

Keypair generation

We assume you’re logged in on the box you’d like to get client key authentication set up on. We’re planning on setting up a 2048-bit RSA key pair. At first, we manually set up the directory structure:

root@box:~$ mkdir .ssh
root@box:~$ chmod 0700 .ssh
root@box:~$ cd .ssh

We proceed to creating a key pair using ssh-keygen:

root@box:~/.ssh$ ssh-keygen -b 2048 -t rsa -f ./id_rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_rsa.
Your public key has been saved in ./id_rsa.pub.
The key fingerprint is:
de:ad:be:ef:f0:00:de:af:ba:be:00:13:33:37:c0:de root@box
The key's randomart image is:
+--[ RSA 2048]----+
|          ..o    |
|           . o   |
|            . E o|
|           .   .o|
|        S   . + o|
|       .   . = = |
|        . . = + .|
|         = = + . |
|        . +.*.   |
+-----------------+

As you can see, you’re prompted for a passphrase which can be empty but shouldn’t. If someone gets his/her hands on your private key they can use it to access your machine.

By default the SSH server expects the keys to reside in .ssh/authorized_keys of any user’s home directory (as defined with the AuthorizedKeysFile directive in /etc/ssh/sshd_config), so we’ll have to rename the public key:

root@box:~/.ssh$ mv id_rsa.pub authorized_keys

Adjusting the SSH server’s configuration

On Debian distributions, the SSH server’s configuration file resides in /etc/ssh/sshd_config. There are a few adjustments necessary in this configuration:

# By default, this directive is commented out
# on Debian distros.
AuthorizedKeysFile %h/.ssh/authorized_keys

# This turns password authentication OFF
PasswordAuthentication no

# Disable Pluggable Authentication Module interface
UsePAM no

I save myself the troubles to hint on the necessity to create backups of any configuration files.

It’s done. All you have to do now, is restart the SSH server:

root@box:~/.ssh$ /etc/init.d/ssh restart
Restarting OpenBSD Secure Shell server: sshd.

Gone are the times now for auth.log entries like these:

Jul 17 19:42:39 host sshd[1337]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.108.85.xxx  user=root
Jul 17 19:42:41 host sshd[1337]: Failed password for root from 218.108.85.xxx port 53721 ssh2