Saturday, December 2, 2017

SSH Key Based Authentication

There is a long-running debate over whether it is better to use passwords or SSH keys to log in to Linux systems.
In my opinion, key-based passwordless authentication is mandatory as soon as you deal with network automation and mass configuration tasks such as Ansible playbooks or automated secure copy (scp). It is also easier than typing passwords all the time and more productive, especially in large infrastructures. When it comes to security, though, things are more complicated.

First of all, a few words about SSH. SSH, or Secure Shell, is a network protocol that uses public-key cryptography to set up an encrypted and authenticated connection between a client and a server. It is the standard remote login tool on Linux and Unix systems and on most major cloud services.
All we need for key-based login is a public/private key pair. The private key stays secret on my workstation and the public key is placed on the server. At login the server sends a challenge that only the holder of the private key can sign, checks the signature against the stored public key, and lets me in; the private key itself never leaves the client.

Now let's do some magic and make our machines log in and send files over SSH without a password. I log in to my Linux Mint desktop and create the pair by running:

$ ssh-keygen -t rsa

Pass -b 4096 for a larger RSA key than the default, or use -t ed25519 where the server's OpenSSH supports it.


Now we get an interactive prompt asking us to enter some info:

Generating public/private rsa key pair.

Enter the file in which to save the key (/home/user/.ssh/id_rsa):

Here we just press Enter to accept the default. Linux systems keep the key pair in the hidden .ssh directory under the user's home directory.

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Here we can give a passphrase that encrypts the private key on disk. Without one, anyone who copies the file can use the key immediately; with one, ssh-agent can cache the unlocked key so the passphrase is not typed on every connection.
After that we get the funny randomart image on our terminal, which indicates that the key pair is ready.

Now if we look in the .ssh directory we find the key pair:

$ ls -ltr /home/user/.ssh/



id_rsa.pub is the public key and id_rsa the private key. As said before, the private key must stay secret: it should be readable only by its owner (mode 600, which ssh-keygen sets) and must never leave the workstation. All we have to do is copy the public key to the server we want to log in to.

On the server side now, we go to the home directory of the account we want to use for the automated login. On my CentOS server that is /home/remoteuser/.ssh/. The directory must belong to that user and be mode 700; sshd (with the default StrictModes yes) refuses to read keys from a directory or file that is writable by group or others, and a silent fallback to the password prompt is the usual symptom.
There should be a file named authorized_keys; if not, create it as remoteuser with 644 permissions (600 is equally fine, and the safer habit):

$ touch authorized_keys

$ chmod 644 authorized_keys

Finally copy the contents of your public key file (a single line of plain text starting with ssh-rsa) and append it to this file. You should now be able to log in without a password; try

$ ssh remoteuser@myserver.local
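The whole procedure above, from key generation to installation, as one idempotent script. This is an added example, not code from the original post: it simulates the server side in a temporary directory instead of a real CentOS host, the home directory paths, host names, user names and the two sample key lines are assumptions (the key blobs are placeholders, not real keys), and the second sample line shows the authorized_keys options (from=, no-port-forwarding, no-agent-forwarding) that confine an automation key of the Ansible or scp kind mentioned at the start.

```shell
#!/bin/sh
# Added example (not from the original post): the key setup procedure as an
# idempotent script, simulated in a temporary directory instead of a server.
# Paths, names and the sample key lines below are assumptions.
set -eu

# Generate a key pair. ed25519 is preferred over the post's plain "-t rsa";
# where RSA is required use "-t rsa -b 4096". The empty passphrase (-N '')
# is only so the demo runs unattended; interactive keys should have one.
make_key() {  # $1 = path of the private key to create
    ssh-keygen -q -t ed25519 -N '' -C "demo@workstation" -f "$1"
    chmod 600 "$1"      # private key: owner read/write only
}

# Install one public-key line into $1/.ssh/authorized_keys with permissions
# that sshd's StrictModes accepts (~/.ssh 700, authorized_keys 600), without
# adding the same line twice.
install_pubkey() {  # $1 = target home directory, $2 = one authorized_keys line
    mkdir -p "$1/.ssh"
    chmod 700 "$1/.ssh"
    touch "$1/.ssh/authorized_keys"
    chmod 600 "$1/.ssh/authorized_keys"
    grep -qxF -- "$2" "$1/.ssh/authorized_keys" || printf '%s\n' "$2" >> "$1/.ssh/authorized_keys"
}

# Number of active key lines (blank lines and comments excluded).
count_keys() {  # $1 = target home directory
    grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1/.ssh/authorized_keys" || true
}

# Symbolic mode string of a path, e.g. "drwx------", taken from ls
# (portable across GNU and BSD, unlike the flags of stat).
mode_of() { ls -ld -- "$1" | cut -c1-10; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
TARGET="$WORK/home/remoteuser"   # stands in for /home/remoteuser on the server

# Constructed sample lines (placeholder blobs, not real keys). The second one
# confines an automation key to one source address and denies forwarding.
WORKSTATION_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDE user@mint'
AUTOMATION_KEY='from="192.0.2.10",no-port-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERAUTOMATION ansible@control'

install_pubkey "$TARGET" "$WORKSTATION_KEY"
install_pubkey "$TARGET" "$AUTOMATION_KEY"
install_pubkey "$TARGET" "$WORKSTATION_KEY"   # repeat is a no-op

# Real key generation and installation when ssh-keygen is available locally.
if command -v ssh-keygen >/dev/null 2>&1; then
    make_key "$WORK/id_ed25519"
    install_pubkey "$TARGET" "$(cat "$WORK/id_ed25519.pub")"
fi

echo "keys authorized: $(count_keys "$TARGET")"
echo ".ssh mode: $(mode_of "$TARGET/.ssh"), authorized_keys mode: $(mode_of "$TARGET/.ssh/authorized_keys")"
```

Against a real host the equivalent of install_pubkey is ssh-copy-id -i ~/.ssh/id_ed25519.pub remoteuser@myserver.local, which also sets the permissions; the function is what a configuration management push ends up doing on hosts without ssh-copy-id.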

 Enjoy
As an epilogue I can say that key-based authentication is great for security: there is no password to guess, so the online brute-force and credential-stuffing attempts that hit every Internet-facing SSH server become useless. That holds only if password authentication is actually switched off in the server configuration; otherwise the password route stays open next to the key. Keys do not by themselves stop a man-in-the-middle attack: that protection comes from verifying the server's host key, which applies to password and key logins alike.
But what happens if a private key leaks or a client workstation is compromised? It is much like losing the keys to your house: the key works for whoever holds it until it is removed from authorized_keys on every server where it was installed. A passphrase on the private key, and a separate key per workstation and per automation job, limit the damage and make that clean-up possible.
So the choice is yours, according to your environment and your needs.
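Checking that a server really is key-only, as an added example rather than anything from the original post. The two sshd_config fragments are constructed inline (a typical distribution default that still accepts passwords, and a hardened one); the directive names are real OpenSSH options, and the script mirrors two sshd parsing rules that catch people out: the first occurrence of a directive wins, and lines under a Match block apply only conditionally, so they are skipped here.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for
# settings that leave a password route open next to key authentication.
# The two config files below are constructed samples.
set -eu

# Effective value of one directive in an sshd_config text read from stdin.
# sshd uses the FIRST occurrence of a keyword (keywords are case-insensitive);
# later duplicates are ignored. Lines under a Match block are conditional and
# are not evaluated here. Prints "default" when the directive is not set.
directive() {  # $1 = directive name
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { inmatch = 1; next }
        inmatch                     { next }
        tolower($1) == want         { print $2; found = 1; exit }
        END { if (!found) print "default" }'
}

# Report every setting that is not key-only. Returns 0 when clean, 1 otherwise.
# Defaults matter: PasswordAuthentication and ChallengeResponseAuthentication
# (KbdInteractiveAuthentication in OpenSSH 8.7+) both default to yes, so an
# unset directive is a finding. PubkeyAuthentication defaults to yes.
audit_sshd_config() {  # $1 = path to sshd_config
    f="$1"; n=0
    v=$(directive PasswordAuthentication < "$f")
    [ "$v" = "no" ] || { echo "PasswordAuthentication=$v (want no)"; n=$((n+1)); }
    v=$(directive ChallengeResponseAuthentication < "$f")
    [ "$v" = "no" ] || { echo "ChallengeResponseAuthentication=$v (want no; PAM password prompts otherwise still work)"; n=$((n+1)); }
    v=$(directive PubkeyAuthentication < "$f")
    [ "$v" != "no" ] || { echo "PubkeyAuthentication=no (keys are rejected)"; n=$((n+1)); }
    v=$(directive PermitRootLogin < "$f")
    [ "$v" != "yes" ] || { echo "PermitRootLogin=yes (want prohibit-password or no)"; n=$((n+1)); }
    [ "$n" -eq 0 ] && echo "OK: key-only"
    [ "$n" -eq 0 ]
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample 1: a distribution default. The commented-out line does
# nothing, so passwords (and PAM challenge-response) are still accepted.
cat > "$WORK/weak" <<'EOF'
Port 22
PubkeyAuthentication yes
#PasswordAuthentication no
ChallengeResponseAuthentication yes
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed sample 2: hardened. The second PasswordAuthentication line is
# ignored because the first occurrence wins; the Match block is conditional.
cat > "$WORK/hardened" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
UsePAM yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

for cfg in weak hardened; do
    echo "== $cfg =="
    audit_sshd_config "$WORK/$cfg" || true
done
# On a live server: "sshd -T" prints the effective configuration after Match
# evaluation, and "sshd -t" validates the file before a reload.
```

Keep an existing session open while reloading sshd after such a change, so a typo in the file cannot lock you out before you have confirmed a new key login works.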
