Archive for May 2010

Use SSH Keys Instead of Passwords

I have been living and working in SSH environments for quite some time now. I even created a little bash script to help me keep track of all my connections. Today I wanted to talk about a new way (well, it’s not really new, but new to me I guess) of connecting to other Linux systems by using keys instead of passwords.

Normally when you open an SSH connection you are presented with a password request. The down side to using passwords is that if your not paying attention you can be hit with a brute force or dictionary attack. Because you allow passwords to be used there is a chance of someone gaining access. With keys only you have nothing to fear from these types of attacks.

Here is how it works. Normally you enter a password. With keys all you need to do is form the SSH connection and the keys transmit automatically. Once the keys are paired you are connected with a shell. There are two different ways of performing key pairs. The first way is just the key. No need for a passphrase. The other is a passphrased key. I will talk about both.

First is the “no passphrase key.” In this example you will create a key, upload it to the host, then every time you connect you will not be asked for a password or passphrase. Keep in mind that by doing this there are risks involved. More on that later.

To make a “no passphrase key” you need to generate a key pair. The simplest way of doing this is:

ssh-keygen -t rsa

When it asks you for the password just hit enter. You will get an output of something like this.

Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/
The key fingerprint is:
52:b8:d4:fd:d3:f6:ef:46:d1:90:42:de:e2:94:f4:09 user@localhost
The key's randomart image is:
+--[ RSA 2048]----+
|           .E  . |
|       o . o.=o. |
|      o o . =.+..|
|     . o   + o ..|
|      o S   + o .|
|       .     o ..|
|               ..|
|                o|
|               oo|

NOTE: These are test keys I generated, they won’t work after today.
This created two files. “id_rsa” and “”

Take the file and upload it to the remote system. There are several ways of doing this. You can use scp, or if you are already connected you can copy and paste the contents of the file in pico, nano, vi, vim, what ever your favorite editor it. Be sure if you use the copy and paste method you keep the entire key in one line!

For scp type:

scp @:/.ssh/

This will upload the pub file to the remote host. Once uploaded, login then navigate to ~/.ssh (your user’s home directory then to .ssh). Once there look for a file called “authorized_keys” and cat the contents of the pub file to it. If the file already exists type:

cat >> authorized_keys

If the file doesn’t exist use only one (1) “>”

For the copy and past method, cat the file to display the output. Select it. Login to the remote host. Open authorized_keys in an editor of your choice. Then paste the copied key. Make sure it stays all on one line! If you don’t it will not work. Save the file.

Once one of these two steps for implementing the key file has been completed you are good to go! You can delete the .pub file if you desire.

Now, onto part 2!

Here is where we generate passphrase keys. It’s basically the same task. When you generate a key put in a passphrase! Remember the passphrase. It is very important. Now when you login you will be prompted to enter you passphrase. This will unlock the key to be used for the connection. It should be different from your normal password.

Now, a few more little notes I want to talk about.

The problem with no passphrase keys: Without the need for a key is someone gains access to your system (like a laptop) they can gain access to any system you authorized that laptop to connect to. With passphrased keys you must type in a passphrase to authorize the key.

If you have problems make sure your ssh config is set to allow keys! Refer to your distro’s help files for more information. In the config you can also disallow passwords all together. The only way to login would be with the use the keys. The down side is if you lose your local key. If you do this method, ensure you have a backup plan. Like another computer with access keys. In Slackware Linux the lines to look for are in /etc/ssh/sshd_config

PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication no

Note that it becomes a pain if you generate multiple keys for multiple machines. There are ways of doing it, but it adds longer lines to your ssh commands. You can use the same .pub file on any other remote machine you wish to connect to. I don’t know for sure if it would be considered bad practice to do so, but I don’t see what problems would truly arise.

What’s the true benefit to this instead of saving time typing a password? Security. If an attacker can’t use a password (since many users passwords are weak) it would essentially eliminate their ability to gain SSH access. What do you think if the likelihood of the attacker to guess your key. Look at id_rsa. It’s a pretty big key to guess.