Monday, July 18, 2011

SSH: Public Key Authentication with OpenSSH

By default, SSH authenticates with the Unix/Linux account’s username and password.  Although the user name and password are encrypted during the authentication session, password authentication still suffers from dictionary attacks.  Public key authentication in SSH exists to close this loophole.

Public key authentication relies on a public key cryptography scheme for its encryption operations.  It performs encryption with a key pair: a private key and a public key.  Public key cryptography offers a very high level of security, and that level grows exponentially with larger key lengths.  As the name implies, the public key may be known to everyone, while the private key must be kept by the user in a secure and safe place.  The public key is generated from the private key, but it is computationally very costly to derive the private key from the public key.

In SSH, the public key is stored on the SSH server and the SSH client uses the private key to gain access to the SSH service.  Choosing a key length of 1024 bits or higher is common practice for SSH service.  To learn more about the SSH authentication protocol, read: http://www.ietf.org/rfc/rfc4252.txt.

OpenSSH: SSH authentication

OpenSSH is a free version of the SSH tools.  It was designed for the OpenBSD operating system and has been ported to other operating systems, including Linux and Windows.  It has become the most common SSH tool set in the market.

OpenSSH doesn’t come with a fancy GUI front end; all tools are available as console programs.  The most commonly used tool is “ssh” in Linux or “ssh.exe” in Windows.  It acts as the SSH client to access the shell account of a host.

To use SSH, type

# ssh ssh-server.example.com

Some common parameters are “-l” and “-p”, which supply the login user name and the port number respectively.

OpenSSH: Generate Key Pair

Use ssh-keygen to generate key:

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/ccy/.ssh/id_rsa.pub.
The key fingerprint is:
30:33:d4:9c:86:2d:20:3b:8a:d3:85:30:01:d9:d0:77 user@example.com
The key's randomart image is:
+--[ RSA 2048]----+
|B*. ...= .       |
|.oo+..E *        |
|  +...=o         |
|.o o   =         |
|+ .     S        |
| .               |
|                 |
|                 |
|                 |
+-----------------+
$ ls -gG .ssh
total 12
-rw------- 1 1671 Jul 19 09:05 id_rsa
-rw-r--r-- 1  408 Jul 19 09:05 id_rsa.pub

Two files were generated:  id_rsa is the private key file and id_rsa.pub is the public key file.  To deploy the public key for the SSH server, try this in the ~/.ssh folder of the account that will accept the key:

$ cat id_rsa.pub >> authorized_keys
$ chmod 0600 authorized_keys
$ ls -gG
total 16
-rw------- 1  408 Jul 19 09:15 authorized_keys
-rw------- 1 1671 Jul 19 09:05 id_rsa
-rw-r--r-- 1  408 Jul 19 09:05 id_rsa.pub

Copy id_rsa to any SSH client that wants to connect to this server via SSH.  Keep in mind that id_rsa is stored in the OpenSSH file format.
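The deployment step above (append the public key to authorized_keys and tighten its permissions) is easy to get subtly wrong: a second run duplicates the key, and a loose mode on ~/.ssh or authorized_keys makes sshd ignore the file silently under its default StrictModes setting. The following script is an added example and not part of the original post; the function names and the optional HOME_DIR argument are this example's own, so it can be exercised against a scratch directory instead of a real account.

```shell
#!/bin/sh
# Added example (not from the original post): install an OpenSSH public key
# into an account's authorized_keys idempotently and with the permissions
# sshd insists on. Function names and the HOME_DIR argument are invented here.

# install_pubkey PUBKEY_FILE [HOME_DIR]
# Appends the first line of PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys
# unless that exact line is already present. Returns 1 if the file does not
# look like an OpenSSH public key.
install_pubkey() {
    pubkey_file=$1
    home_dir=${2:-$HOME}
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    key_line=$(head -n 1 "$pubkey_file" 2>/dev/null) || return 1

    # Accept only a single-line OpenSSH public key. A private key pasted by
    # mistake begins with "-----BEGIN" and is rejected here instead of being
    # copied onto the server.
    case $key_line in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*|ssh-dss\ *) ;;
        *) echo "install_pubkey: not an OpenSSH public key: $pubkey_file" >&2
           return 1 ;;
    esac

    # With StrictModes (the sshd default) a ~/.ssh or authorized_keys that is
    # group- or world-writable makes sshd ignore the key, so the permissions
    # are set explicitly rather than left to the umask.
    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir"
    [ -f "$auth_keys" ] || : > "$auth_keys"
    chmod 600 "$auth_keys"

    # -x matches whole lines, -F takes the key literally (it contains '+' and '/').
    if ! grep -qxF -- "$key_line" "$auth_keys"; then
        printf '%s\n' "$key_line" >> "$auth_keys"
    fi
}

# count_keys [HOME_DIR]: number of key lines in authorized_keys.
count_keys() {
    wc -l < "${1:-$HOME}/.ssh/authorized_keys" | tr -d ' '
}

# perms_ok [HOME_DIR]: succeeds only if .ssh is exactly 0700 and
# authorized_keys exactly 0600, the combination sshd accepts without complaint.
perms_ok() {
    d="${1:-$HOME}/.ssh"
    [ -n "$(find "$d" -prune -perm 700)" ] &&
    [ -n "$(find "$d/authorized_keys" -prune -perm 600)" ]
}

# Usage: install_pubkey ~/id_rsa.pub && perms_ok && echo "key installed"
```

Running install_pubkey twice with the same key leaves a single line in authorized_keys, and handing it a private key file fails before anything is written.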

OpenSSH: Deploy private key

The private key generated by OpenSSH may be used directly by the OpenSSH client on both Windows and Linux; no conversion is needed.  Just copy the private key file to the ~/.ssh/ folder and configure ~/.ssh/config to make public key authentication work.

OpenSSH: Disable password authentication

Once the public key authentication scheme is ready for real use, you may consider disabling the classic password authentication by changing /etc/ssh/sshd_config on the SSH server:

# cat /etc/ssh/sshd_config
PubkeyAuthentication yes
PasswordAuthentication no

Remember to restart or reload the sshd service to enforce the changes once the configuration has been updated.
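Before reloading sshd it is worth checking which value is actually in effect: sshd applies the first uncommented occurrence of a keyword, so a "PasswordAuthentication no" added at the bottom of the file does nothing if an earlier line still says "yes". The script below is an added example, not from the original post; its function names are invented here, and it also checks ChallengeResponseAuthentication, which the post does not mention but which on PAM-based systems still accepts the account password when left at its default of "yes".

```shell
#!/bin/sh
# Added example (not from the original post): read the value sshd would use
# for a keyword and check that password logins are really off.
# Function names are this example's own.

# sshd_effective CONFIG KEYWORD
# Prints the value in effect for KEYWORD in the global section of CONFIG,
# or "(default)" if the keyword is never set. Keywords are case-insensitive
# and may be written "Key value", "Key=value" or "Key = value". Scanning stops
# at the first Match block because everything after it is conditional.
sshd_effective() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comment or blank line
        {
            line = $0
            sub(/=/, " ", line)      # normalise "Key=value" to "Key value"
            $0 = line                # re-split into fields
            if (tolower($1) == "match") exit
            if (tolower($1) == kw) { print $2; found = 1; exit }
        }
        END { if (!found) print "(default)" }
    ' "$1"
}

# sshd_check CONFIG
# Succeeds only if public key authentication is on (explicitly or by default)
# and both password paths, PasswordAuthentication and
# ChallengeResponseAuthentication, are off.
sshd_check() {
    cfg=$1
    rc=0
    pw=$(sshd_effective "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')
    pk=$(sshd_effective "$cfg" PubkeyAuthentication | tr 'A-Z' 'a-z')
    cr=$(sshd_effective "$cfg" ChallengeResponseAuthentication | tr 'A-Z' 'a-z')

    [ "$pw" = "no" ] || { echo "PasswordAuthentication in effect: $pw" >&2; rc=1; }
    [ "$pk" = "yes" ] || [ "$pk" = "(default)" ] || { echo "PubkeyAuthentication in effect: $pk" >&2; rc=1; }
    [ "$cr" = "no" ] || { echo "ChallengeResponseAuthentication in effect: $cr" >&2; rc=1; }
    return $rc
}

# Usage: sshd_check /etc/ssh/sshd_config && echo "password logins are off"
```

On a file where a live "PasswordAuthentication yes" precedes the hardening line, sshd_effective reports "yes" and sshd_check fails, which is exactly what sshd would do after the reload.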

Using OpenSSH in Windows

There are some tricks to using OpenSSH on Windows.  OpenSSH requires an environment variable “HOME” to locate the .ssh folder that keeps the ssh configuration file.  A common practice is to set HOME to %USERPROFILE% and create a folder named .ssh in the %USERPROFILE% folder.  You may then keep the private key file in the %HOME%\.ssh folder:

OpenSSH: Configuration file

The configuration for the OpenSSH client is usually kept in ~/.ssh/config.  Here is a sample OpenSSH configuration file:

Host <server1>
IdentityFile ~/.ssh/id_dsa.home
User alice

Host <server2>
IdentityFile ~/.ssh/id_rsa.work
User bob
Port 2200

The configuration specifies the private key file to use for each of the two servers and the user name to log in with when it differs from the local account’s user name.   Server2 additionally specifies the SSH port number to connect to.

More detailed information about the configuration file may be found here: http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config

ssh-agent: SSH login with key agent

ssh-agent is a program that caches private keys for ssh sessions:

$ eval `ssh-agent`
Agent pid 8896
$ set | grep -i ssh
SSH_AGENT_PID=8896
SSH_AUTH_SOCK=/tmp/ssh-Lhbzdj8980/agent.8980
$

The above commands start ssh-agent and export its environment variables into the current shell.  To add an ssh private key to the key agent:

$ ssh-add
Enter passphrase for /home/alice/.ssh/id_rsa: <enter-passphrase>
Identity added: /c/Users/coder/.ssh/id_rsa (/home/alice/.ssh/id_rsa)
$

ssh-agent: use in Microsoft Windows environment

I haven’t found a good way to use ssh-agent with Microsoft Windows.  Using ssh-agent in Windows is not a straightforward solution.  Some manual steps are required to make it work.

You may run ssh-agent.exe from the command shell or add an entry in the Windows registry under “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”.

You should then identify the SSH_AUTH_SOCK file in the %TEMP% folder and add an environment variable to your user account as follows:

Then continue with ssh-add to add private keys as usual.

Without the SSH_AUTH_SOCK variable, executing ssh-add may fail with:

C:\>ssh-add
Could not open a connection to your authentication agent.