Saturday, November 10, 2007

How to set up a secure and prompt-less login using SSH and RSA


If you use SSH to connect remotely to a Linux box, either from another Linux machine or from Windows with PuTTY, it is nice to have a login that does not prompt for a password and is still secure. Here are the steps.

1- Creating the RSA key
Go to your remote server and run the following command:

$ ssh-keygen -t rsa -C [username]

- “-t rsa” is the type of key to create. You can also use DSA.
- The “-C [username]” part can be left out. It only adds a comment to the end of the public key for human reference.
- Make sure that you save the files under “/home/[user]/.ssh/” when it prompts you for a location.
- Do not add a passphrase when prompted. This makes the system accept the SSH connection without prompting for a password or passphrase, so the private key file alone grants access and must be kept readable only by you.

The command above generates two files:
- id_rsa - Used by the client
- id_rsa.pub - Used by the server

2- Placing the keys on the right location
First confirm that your “/etc/ssh/sshd_config” file points to the right location by finding this line:

$ grep AuthorizedKeysFile /etc/ssh/sshd_config
AuthorizedKeysFile %h/.ssh/authorized_keys

The client key (id_rsa) should be placed at “/home/[user]/.ssh/id_rsa” on the client computer (not strictly required, since you can pass its path as an argument when opening the connection).

The server key (id_rsa.pub) should be renamed and placed at “/home/[user]/.ssh/authorized_keys” on the SSH server (this location can be changed in “/etc/ssh/sshd_config” by editing the line shown two paragraphs above). You can either rename the original file (id_rsa.pub) to “authorized_keys”, or run the command below to append the key to an existing file, in case it already contains keys for other users:

$ cat /home/[user]/.ssh/id_rsa.pub >> /home/[user]/.ssh/authorized_keys

3a- Opening the connection from Linux
Run the following command to connect to the server:

$ ssh [user]@[server]
Or
$ ssh -i [path to id_rsa file] [user]@[server]

I use the second form, as I have different RSA keys for the different computers I connect to. I have also set up these connections in my .bashrc as aliases for quicker connection (see here for a how-to).

3b- Setup Putty
Setting up PuTTY to use the key is simple. See this previous post for a how-to on converting the id_rsa key to .ppk.

4- Making the connection more secure
- Disable root login:

$ sudo nano /etc/ssh/sshd_config

Look for the line that says “PermitRootLogin” and make sure it is set to no.

PermitRootLogin no

- Change listening port

$ sudo nano /etc/ssh/sshd_config

Look for the line that says “Port 22” and change it to an unused number (you can find a list of them here).

# What ports, IPs and protocols we listen for
Port 22

- Limit login to one IP or subnet
Configure hosts.deny to block all access to sshd, then configure hosts.allow to grant access only to specific rules (users, IPs, subnets, domains).

$ sudo nano /etc/hosts.deny

Add the line “sshd : ALL” to the end of the file.

$ sudo nano /etc/hosts.allow

And add the line “sshd : [IP]” to the end of the file. Then run:

$ sudo /etc/init.d/ssh restart

- Use CHROOT
You can find more info here.
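As an added check (example code written for this post, not part of it), a small script that audits an sshd_config for the two settings changed in step 4, PermitRootLogin and Port, and also for PasswordAuthentication, which the post does not mention but is the directive that makes the key the only way in. The sample configs are constructed; on a real server point it at /etc/ssh/sshd_config.

```sh
#!/bin/sh
# Added example: audit sshd_config for PermitRootLogin, Port and
# PasswordAuthentication. sshd honours the FIRST uncommented occurrence of a
# directive and ignores later duplicates, so that is the one checked here.
# effective_value FILE KEY: print the first uncommented value of KEY (case-insensitive).
# Match blocks are not handled; a directive inside one is reported as if global.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}
# audit_sshd_config FILE: print one line per finding; exit status = number of findings.
audit_sshd_config() {
    f=$1; n=0
    v=$(effective_value "$f" PermitRootLogin)
    if [ "$v" != "no" ]; then
        echo "PermitRootLogin is '${v:-unset}', expected 'no'"; n=$((n + 1))
    fi
    v=$(effective_value "$f" Port)
    if [ -z "$v" ] || [ "$v" = "22" ]; then
        echo "Port is '${v:-unset}', still on the default port"; n=$((n + 1))
    fi
    v=$(effective_value "$f" PasswordAuthentication)
    if [ "$v" != "no" ]; then
        echo "PasswordAuthentication is '${v:-unset}', keys should be the only login"; n=$((n + 1))
    fi
    return "$n"
}
# write_sample_config FILE weak|hardened: constructed stand-ins for
# /etc/ssh/sshd_config before and after the changes in step 4.
write_sample_config() {
    case $2 in
    weak) cat > "$1" <<'EOF'
# What ports, IPs and protocols we listen for
Port 22
PermitRootLogin yes
EOF
    ;;
    hardened) cat > "$1" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
EOF
    ;;
    esac
}
# Demo on the constructed samples: weak reports 3 findings, hardened none.
dir=$(mktemp -d)
for kind in weak hardened; do
    write_sample_config "$dir/$kind.conf" "$kind"
    audit_sshd_config "$dir/$kind.conf" && echo "$kind: no findings" || echo "$kind: $? finding(s)"
done
rm -rf "$dir"
```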


Vic.

1 comment:

Nysa said...

Keep up the good work.