SSH with PKI Authentication

2007-03-29 wilhelm.moser@demos.at

download ssh_with_pki_authentication.zip (1639 KB)

Abstract

The document describes the configuration of the Linux sshd and public/private key authentication with PuTTY's remote console. The document does not explain the background but gives a straightforward route to success.

 

Creating the Keys - Serverside

For demonstration purposes we use the RSA algorithm. You may use the same syntax for DSA.

Step 1:
Log in as root on your server.

Step 2:
[root@server ~]# ssh-keygen -t rsa
Enter file in which to save the key:           yourname_rsa
Enter passphrase (empty for no passphrase):    ENTER A PASSPHRASE!!
Enter same passphrase again:                   ENTER A PASSPHRASE!!
Your identification has been saved in yourname_rsa.
Your public key has been saved in yourname_rsa.pub.
The key fingerprint is:
 

Step 3:
Please check whether the directory /etc/ssh/.ssh exists. If not, create it and chmod 700 it.

[root@server ~]# cat yourname_rsa.pub >> /etc/ssh/.ssh/authorized_keys

Unfortunately the sshd reads the public keys from a single file, not from a directory, so we have to append the key to this standard file.

 

Creating the Keys - Clientside

Copy yourname_rsa (the private key) to your client. Grab the attached putty and winscp package. (You may keep this directory on a USB stick; sessions can then be stored on the stick instead of in the client's registry.)

With the attached puttygen.exe, import yourname_rsa and save it as yourname_rsa.ppk.

NOW the Key is ready to use with putty and winscp.

 

The sshd_config File

Please use this preconfigured sshd_config file for /etc/ssh. Rename the original file to sshd_config.SRC and KEEP IT.

The configs:

Restart your sshd (on RedHat systems with service sshd restart).

Connect with putty and supply your private key.
If key authentication works, the login looks like this:

login as: root
Authenticating with public key "imported-openssh-key"
Passphrase for key "imported-openssh-key":
 

When logged in, change the settings in /etc/ssh/sshd_config to:

#PasswordAuthentication yes
PasswordAuthentication no

# UsePAM yes
UsePAM no
 

Restart the sshd with service sshd restart.

Congratulations - you are done.
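As an added check that is not part of the original article: sshd takes the FIRST uncommented occurrence of a keyword and falls back to its built-in default when the keyword only appears commented out, so the script below reads a config the same way and confirms the key-only state the article ends with, plus the file permissions sshd's StrictModes insists on. Function names and the sample configs are constructed for this demo; it assumes a config without Match blocks.

```shell
#!/bin/sh
# Added example, not the article's own code. Evaluates an sshd_config the way
# sshd does (first match wins, defaults apply when absent) and checks that only
# public-key logins remain possible.

# Effective value of keyword $2 in config $1, or default $3 when the keyword
# never appears uncommented. A line like "#PasswordAuthentication yes" is a
# comment and does not count; sshd then uses its default (yes).
effective_option() {
    v=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$3"
}

# Returns 0 when sshd will accept keys only: passwords off, PAM off (as the
# article sets them) and public-key authentication still enabled.
key_only_auth() {
    cfg=$1
    [ "$(effective_option "$cfg" PasswordAuthentication yes)" = no ] || return 1
    [ "$(effective_option "$cfg" UsePAM no)" = no ] || return 1
    [ "$(effective_option "$cfg" PubkeyAuthentication yes)" = yes ] || return 1
    return 0
}

# Returns 0 when $1 is neither group- nor world-writable, which StrictModes
# requires of authorized_keys and of every directory above it. Uses the
# portable "ls -ld" mode string: position 6 is group write, 9 is other write.
not_group_world_writable() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w*|????????w*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed demo: the distribution default the article starts from, and
# the state after its final sshd_config edit.
demo() {
    d=$(mktemp -d)
    printf '#PasswordAuthentication yes\n# UsePAM yes\nUsePAM yes\n' > "$d/before"
    printf 'PasswordAuthentication no\nUsePAM no\n' > "$d/after"
    for f in before after; do
        if key_only_auth "$d/$f"; then echo "$f: key-only login"
        else echo "$f: passwords still accepted"; fi
    done
    rm -rf "$d"
}

demo
```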
