Monday, June 8, 2015

SSH - Key-based Authentication

SSH supports many ways to authenticate a user; password-based authentication is the one commonly used.

Password-based authentication is easy to set up and use; however, it poses a lot of security challenges.

An alternative way to log into an SSH-enabled system is key-based authentication. Key-based authentication makes use of public-key cryptography, where a public and private key pair is used for authentication. While the private key should be kept secret by the user, the public key is uploaded to the remote SSH server for authentication.

Below are the steps to enable key-based authentication so that User A can log into the remote server via SSH as User B:

1. As User A, use ssh-keygen to generate an authentication key pair without a passphrase

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/userA/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/userA/.ssh/id_rsa.
Your public key has been saved in /home/userA/.ssh/id_rsa.pub.
The key fingerprint is:
62:41:ee:b9:a4:da:ed:d8:11:a4:9f:ea:15:2a:22:7e userA@abc.example.com

2. Create a .ssh folder for User B (you will be required to log in with User B's password)

$ ssh userB@abc.example.com mkdir -p .ssh
userB@abc.example.com's password:

3. Append User A's new public key to User B's .ssh/authorized_keys (you will be required to log in with User B's password)

$ cat ~/.ssh/id_rsa.pub | ssh userB@abc.example.com 'cat >> .ssh/authorized_keys'
userB@abc.example.com's password:

4. Test key-based SSH login as User B (if the setup was successful, no password needs to be entered)

$ ssh userB@abc.example.com
Last login: Mon Dec 21 12:31:16 2014 from abc.example.com
$
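
Steps 2 and 3 can also be done as one function run on the server as User B. The following is an added example, not part of the original post: it sets owner-only permissions on .ssh and authorized_keys (sshd's StrictModes option checks file modes and ownership before accepting a login) and does not append the same key twice. The name install_pubkey and the path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. install_pubkey is a hypothetical
# helper name. Run it on the server as User B, for example:
#   install_pubkey /tmp/userA_id_rsa.pub "$HOME"    (hypothetical path)
# The body runs in a subshell "( )" so the umask change does not leak out.
install_pubkey() (
    pub=$1
    home=$2

    # Never let a private key end up on the server by mistake.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2
        exit 2
    fi

    # Accept only a well-formed public key line: type, base64 blob, optional comment.
    key=$(grep -E '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' "$pub" | head -n 1)
    if [ -z "$key" ]; then
        echo "refusing: no public key line found in $pub" >&2
        exit 2
    fi

    # Owner-only modes, independent of the account's umask.
    umask 077
    mkdir -p "$home/.ssh" || exit 1
    chmod 700 "$home/.ssh" || exit 1
    auth="$home/.ssh/authorized_keys"
    touch "$auth" || exit 1
    chmod 600 "$auth" || exit 1

    # Match on "type blob" only, so the same key with a different comment
    # or with options in front of it is not appended a second time.
    blob=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if grep -qF -- "$blob" "$auth"; then
        exit 0
    fi
    printf '%s\n' "$key" >> "$auth"
)
```

The function returns 0 when the key is installed or already present, and 2 when the input file is rejected.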