Tuesday, 19 October 2010

Secure ssh: from password to public key authentication

Disabling password authentication for ssh is an easy way to make your system more secure.
The alternative to passwords is authentication with a public/private key pair. This closes some security holes, such as the password travelling over the network and brute-force attacks against it.
First of all, generate a key pair on the client:
ssh-keygen -t rsa
You will be prompted for the files where the keys are stored (the defaults are ~/.ssh/id_rsa for the private key and ~/.ssh/id_rsa.pub for the public key) and for a passphrase that protects the private key (you will be asked for it every time you log in to a remote host with public key authentication).
Next, upload the public key to the remote host; from the client host run
ssh-copy-id remote-user@remote_host
This command installs the public key in the ~/.ssh/authorized_keys file of remote-user on remote_host. Now the client host can log in to remote_host as remote-user without typing the password; the authentication is done automatically under the hood.
Verify that the command worked by logging in to the remote host:
ssh remote-user@remote_host
No password should be asked for.
The client's public key can be uploaded to every user/host combination where you want to be authenticated without a password.
The last step is to disable password authentication on remote_host. This is done by editing /etc/ssh/sshd_config (as root); the following lines must be present:
PasswordAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes
Then reload the ssh configuration:
/etc/init.d/ssh reload
Verify that password authentication is disabled by trying to log in from another client that has not set up public key authentication. The user should be refused; on my machine the message is:
Permission denied (publickey)
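As an added example that is not part of the original post, the following shell script checks an sshd_config file for the settings above the way sshd itself reads them: the first occurrence of a keyword wins, comments are ignored, and an absent keyword falls back to its default (yes for both, so forgetting the PasswordAuthentication line leaves password logins enabled). The file names and sample configuration contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: check that an sshd_config really
# disables password logins, reading it the way sshd does. Keywords are
# case-insensitive, '#' comments and blank lines are ignored, and the FIRST
# occurrence of a keyword wins (later duplicates are silently ignored).
# Not handled: Match blocks and Include directives. RSAAuthentication is not
# checked because it only concerns the obsolete SSH protocol 1.

# sshd_effective <config-file> <keyword> <default-if-absent>
# Prints the value sshd would use for <keyword>.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        NF == 0 || $1 ~ /^#/ { next }                     # skip blank lines and comments
        tolower($1) == key { print $2; found = 1; exit }  # first match wins
        END { if (!found) print def }
    ' "$1"
}

# check_sshd_password_auth <config-file>
# Returns 0 only when PasswordAuthentication is off and PubkeyAuthentication is on.
# Both keywords default to "yes" in sshd when absent, so a missing or commented-out
# PasswordAuthentication line leaves password logins enabled.
check_sshd_password_auth() {
    cfg="$1"; rc=0
    pw=$(sshd_effective "$cfg" PasswordAuthentication yes)
    pk=$(sshd_effective "$cfg" PubkeyAuthentication yes)
    [ "$pw" = "no" ]  || { echo "FAIL $cfg: PasswordAuthentication is '$pw', want 'no'"; rc=1; }
    [ "$pk" = "yes" ] || { echo "FAIL $cfg: PubkeyAuthentication is '$pk', want 'yes'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK   $cfg: password authentication is disabled"
    return "$rc"
}

# Demo on constructed sample files (not real configs from any host).
tmp=$(mktemp -d)
printf '%s\n' 'PubkeyAuthentication yes' '# PasswordAuthentication no' > "$tmp/commented_out"
printf '%s\n' 'Port 22' 'passwordauthentication no' 'PubkeyAuthentication yes' \
              'PasswordAuthentication yes' > "$tmp/first_wins"
check_sshd_password_auth "$tmp/commented_out" || echo "(exit status $?)"  # FAIL: default 'yes' applies
check_sshd_password_auth "$tmp/first_wins"                                 # OK: first line wins
rm -rf "$tmp"
```

Run it against /etc/ssh/sshd_config on remote_host after the reload step; a FAIL line means the file does not do what the lines above intend.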
