
Configure SSH Key-based Authentication

Objectives
Configure a user account to use key-based authentication to log in to remote systems securely without a password.

SSH Key-based Authentication


You can configure your account for passwordless access to SSH servers that have key-based authentication enabled. This method is based on public key
cryptography.

To prepare your account, generate a cryptographically related pair of key files. One key is private and is held only by you. The second key is the related
public key, which is not secret. The private key acts as your authentication credential and must be stored securely. The public key is copied to your
account on the servers that you will access remotely, where it is used to verify that you hold the matching private key.

When you log in to your account on a remote server, the remote server uses your public key to encrypt a challenge message and sends it to your SSH
client. Your SSH client must then prove that it can decrypt this message, which demonstrates that you have the associated private key. If this
verification succeeds, then your request is trusted, and you are granted access without giving a password.

Passwords can be easily learned or stolen, but securely stored private keys are harder to compromise.

SSH Keys Generation


Use the ssh-keygen command to create a key pair. By default, the ssh-keygen command saves your private and public keys in
the ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub files, but you can specify a different name.

[user@host ~]$ ssh-keygen


Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): Enter
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase): Enter
Enter same passphrase again: Enter
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:vxutUNPio3QDCyvkYm1 user@host.lab.example.com
The key's randomart image is:
+---[RSA 2048]----+
| |
| . . |
| o o o |
Warning
When you run the ssh-keygen command and specify the name of an existing pair of key files, including the default id_rsa pair, you
overwrite that existing key pair, which can be restored only if you have a backup of those files. Overwriting a key pair loses the original
private key, which is required to access the accounts that you configured with the corresponding public key on remote servers.

If you cannot restore your local private key, then you lose access to those remote servers until you distribute your new public key to replace the
previous public key on each server. Always create backups of your keys in case they are overwritten or lost.
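The warning above is easy to act on from a script. The following shell functions are an added example written for this page, not part of the course material: safe_keygen refuses to run ssh-keygen when a key file with the requested name already exists, recover_pubkey rebuilds the .pub file from a surviving private key with ssh-keygen -y, and key_fingerprint prints the SHA256 fingerprint that ssh -v later reports in its "Offering public key" and "Server accepts key" lines. The function names, the default comment, and the empty passphrase (used only so that the calls are non-interactive) are assumptions of the example.

```shell
#!/bin/sh
# Added example: non-clobbering key generation and recovery helpers.
# Assumed names: safe_keygen, recover_pubkey, key_fingerprint.

# safe_keygen KEYPATH [COMMENT]
# Creates KEYPATH (private) and KEYPATH.pub (public) with ssh-keygen, but
# refuses to run if either file already exists, so an existing pair is never
# overwritten. Returns 0 on success, 1 when it refuses.
safe_keygen() {
    key=$1
    comment=${2:-example-key}            # assumed default comment
    if [ -e "$key" ] || [ -e "$key.pub" ]; then
        echo "refusing to overwrite existing key files: $key / $key.pub" >&2
        return 1
    fi
    # -N '' gives an empty passphrase purely so the example runs without a
    # prompt; for a real key, drop -N '' and let ssh-keygen ask for one.
    ssh-keygen -q -t rsa -b 3072 -f "$key" -N '' -C "$comment"
}

# recover_pubkey KEYPATH
# Regenerates KEYPATH.pub from the private key (ssh-keygen -y). Useful when a
# backup restored the private key but not its public half.
recover_pubkey() {
    ssh-keygen -y -f "$1" > "$1.pub"
}

# key_fingerprint PUBKEYPATH
# Prints the SHA256 fingerprint (e.g. SHA256:hDVJjD7x...), the same value that
# ssh -v shows in its "Offering public key" and "Server accepts key" lines.
key_fingerprint() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# Usage (writes to a temporary directory, not to ~/.ssh):
# tmp=$(mktemp -d); safe_keygen "$tmp/id_example" "user@host"
# key_fingerprint "$tmp/id_example.pub"
```

Comparing the value from key_fingerprint with the fingerprint in the "Server accepts key" line of ssh -v output confirms that the key the server accepted is the one you intended to offer.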

Generated SSH keys are stored by default in the .ssh subdirectory of your home directory. To function correctly, the private key must be readable and
writable only by the user that it belongs to (octal permissions 600). The public key is not secret, and anyone on the system might also be able to read it
(octal permissions 644).
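A check for the permissions just described, as an added example that is not part of the course: audit_ssh_dir prints a warning for every private key whose mode is not 600 and every public key whose mode is not 644, and returns non-zero if anything is wrong. The 700 check on the key directory itself is the example's own addition, not stated on this page; the function names, the use of find -perm for a portable exact-mode test, and the assumption that each key pair is named KEY and KEY.pub are also the example's choices.

```shell
#!/bin/sh
# Added example: audit the modes of an SSH key directory.
# Expected modes: directory 700 (the example's own rule), private key 600 and
# public key 644 (as described on this page). Function names are assumed.

# has_mode PATH OCTAL: true when PATH's permission bits are exactly OCTAL.
# find -perm with a plain octal argument is an exact match on both GNU and
# BSD find, unlike the output format of stat, which differs between them.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# audit_ssh_dir DIR: print one WARN line per problem; return 0 when clean.
# A private key is assumed to be the file whose public half is KEY.pub.
audit_ssh_dir() {
    dir=$1
    status=0
    if ! has_mode "$dir" 0700; then
        echo "WARN: $dir is not mode 700"
        status=1
    fi
    for pub in "$dir"/*.pub; do
        [ -f "$pub" ] || continue       # no .pub files: the glob did not expand
        priv=${pub%.pub}
        if ! has_mode "$pub" 0644; then
            echo "WARN: $pub is not mode 644 (public key should be readable by all)"
            status=1
        fi
        if [ -f "$priv" ] && ! has_mode "$priv" 0600; then
            echo "WARN: $priv is not mode 600 (private key readable by others)"
            status=1
        fi
    done
    return $status
}

# Usage: audit_ssh_dir "$HOME/.ssh"
```

Running this after restoring keys from a backup catches the common case where an archive tool has reset the private key to 644, which ssh refuses to use.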

Share the Public Key


To configure your remote account for access, copy your public key to the remote system. The ssh-copy-id command copies the public key of the SSH
key pair to the remote system. You can specify a particular public key with the -i option of the ssh-copy-id command, or use the default ~/.ssh/id_rsa.pub file.

[user@host ~]$ ssh-copy-id -i .ssh/key-with-pass.pub user@remotehost


/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/user/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@remotehost's password: redhat
Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'user@remotehost'"


and check to make sure that only the key(s) you wanted were added.

After you place the public key, test the remote access with the corresponding private key. If the configuration is correct, you access your account on
the remote system without being asked for your account password. If you do not specify a private key file with the -i option, then the ssh command uses the
default ~/.ssh/id_rsa file if it exists.

Important
If you configured a passphrase to protect your private key, then SSH requests the passphrase on first use. However, if the key
authentication succeeds, then you are not asked for your account password.

[user@host ~]$ ssh -i .ssh/key-with-pass user@remotehost


Enter passphrase for key '.ssh/key-with-pass': your_passphrase
...output omitted...
[user@remotehost ~]$
When you log out of a session that used an ssh-agent key manager, all cached passphrases are cleared from memory.

Basic SSH Connection Troubleshooting


Diagnosing SSH can seem complex when remote access with key pair authentication fails. The ssh command provides three verbosity levels with
the -v, -vv, and -vvv options, which provide increasingly detailed debugging information while the ssh command runs.

The next example demonstrates the information that is provided when using the lowest verbosity option:

[user@host ~]$ ssh -v user@remotehost


OpenSSH_8.7p1, OpenSSL 3.0.1 14 Dec 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/01-training.conf
debug1: /etc/ssh/ssh_config.d/01-training.conf line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
...output omitted...
debug1: Connecting to remotehost [192.168.1.10] port 22.
debug1: Connection established.
...output omitted...
debug1: Authenticating to remotehost:22 as 'user'
...output omitted...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
...output omitted...
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:hDVJjD7xrUjXGZVRJQixxFV6NF/ssMjS6AuQ1+VqUc4
debug1: Server accepts key: /home/user/.ssh/id_rsa RSA SHA256:hDVJjD7xrUjXGZVRJQixxFV6NF/ssMjS6AuQ1+VqUc4
Authenticated to remotehost ([192.168.1.10]:22) using "publickey".
...output omitted...
[user@remotehost ~]$

The output shows, in order:

OpenSSH and OpenSSL versions.
OpenSSH configuration files.
Connection to the remote host.
Trying to authenticate the user on the remote host.
Authentication methods that the remote host allows.
Trying to authenticate the user by using the SSH key.
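To make the -v output easier to act on, here is an added example (not part of the course) that summarises the key-authentication stages from a debug log: which methods the server allows, which key the client offered, whether the server accepted it, and which method finally succeeded. The sample log embedded in sample_log is constructed from the lines shown above; the function names and the verdict wording are the example's own.

```shell
#!/bin/sh
# Added example: summarise the key-authentication stages in `ssh -v` output.
# Function names are assumed; the sample log is constructed from this page.

sample_log() {
cat <<'EOF'
debug1: Authenticating to remotehost:22 as 'user'
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:hDVJjD7xrUjXGZVRJQixxFV6NF/ssMjS6AuQ1+VqUc4
debug1: Server accepts key: /home/user/.ssh/id_rsa RSA SHA256:hDVJjD7xrUjXGZVRJQixxFV6NF/ssMjS6AuQ1+VqUc4
Authenticated to remotehost ([192.168.1.10]:22) using "publickey".
EOF
}

# Each extractor reads a log on stdin and prints the matching field(s).
allowed_methods() { sed -n 's/^debug1: Authentications that can continue: //p' | head -n 1; }
offered_keys()    { sed -n 's/^debug1: Offering public key: \([^ ]*\).*/\1/p'; }
accepted_keys()   { sed -n 's/^debug1: Server accepts key: \([^ ]*\).*/\1/p'; }
auth_method()     { sed -n 's/^Authenticated to .* using "\([^"]*\)".*/\1/p' | head -n 1; }

# diagnose: read a log on stdin, print a one-line verdict, and return 0 only
# when a key was offered, accepted, and used for authentication.
diagnose() {
    log=$(cat)
    methods=$(printf '%s\n' "$log" | allowed_methods)
    case ",$methods," in
        *,publickey,*) ;;
        *) echo "FAIL: server does not allow publickey (allows: ${methods:-unknown})"
           return 1 ;;
    esac
    offered=$(printf '%s\n' "$log" | offered_keys | head -n 1)
    if [ -z "$offered" ]; then
        echo "FAIL: client offered no key (check -i, the default ~/.ssh/id_rsa, and its 600 mode)"
        return 1
    fi
    accepted=$(printf '%s\n' "$log" | accepted_keys | head -n 1)
    if [ -z "$accepted" ]; then
        echo "FAIL: server rejected $offered (public key not installed with ssh-copy-id?)"
        return 1
    fi
    method=$(printf '%s\n' "$log" | auth_method)
    echo "OK: $accepted accepted, authenticated using ${method:-unknown}"
}

# Usage: ssh -v user@remotehost 2>&1 | diagnose      (or: sample_log | diagnose)
```

The ssh client writes its debug lines to standard error, hence the 2>&1 in the usage line. Each FAIL verdict points at the stage the page's annotations describe, so the fix (server policy, missing or unreadable private key, or a public key that was never copied) follows directly from which line is absent.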


References
ssh-keygen(1), ssh-copy-id(1), ssh-agent(1), and ssh-add(1) man pages
