Monday, October 2, 2017

Quick Setup for SSH Using ECDSA public/private Key Pairs

This is a quick setup to enable remote ssh access using public/private ECDSA key pairs.

For new key pairs:
If you need to generate a new ECDSA key pair, do so with the following command:

[local_user] $ ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/<local_user>/.ssh/id_ecdsa):

Press Enter to confirm the default location, ~/.ssh/id_ecdsa, for the newly created key pair.

Enter a passphrase, and confirm it by entering it again when prompted to do so.  Don't use the same password here that you use to log in to your user account.

After this, the screen will output a key fingerprint and random art image that looks similar to this:

Your identification has been saved in /home/<local_user>/.ssh/id_ecdsa.
Your public key has been saved in /home/<local_user>/.ssh/id_ecdsa.pub.
The key fingerprint is:
fd:1d:ca:10:52:96:21:43:7e:bd:4c:fc:5b:35:6b:63 <local_user>@hostname
The key's randomart image is:
+--[ECDSA  256]---+
|       .+ +o     |
|       . =.o     |
|        o o +  ..|
|         + + o  +|
|        S o o oE.|
|           + oo+.|
|            + o  |
|                 |
|                 |
+-----------------+

For already existing key pairs:
Download or transfer your private key from a remote source to the local machine (client).  For this example, the file is saved to the ~/Downloads directory and is called username_private_key.

Download or transfer your public key from a remote source to the local machine (client).  For this example, the file is saved to the ~/Downloads directory and is called username_public_key.pub.

In this setup, the remote system is considered the server, and the local system is considered the client.

On the local client, create the .ssh directory (if it doesn't already exist) in the user's home folder.

[local_user]$ mkdir ~/.ssh

Change the permissions of the directory to rwx------ so that only the local user can access it.

[local_user]$ chmod 700 ~/.ssh

Now, move the downloaded private key into the ~/.ssh directory and rename it to the default private key name, id_ecdsa.

[local_user]$ mv ~/Downloads/username_private_key ~/.ssh/id_ecdsa

Change the permissions on the private key file to rw------- so that only the local user can read or write it.

[local_user]$ chmod 600 ~/.ssh/id_ecdsa

Importing the public key file to the remote system can be done in several ways.  The first is transferring the public key file to the remote system via scp, then appending the contents of the public key to the authorized_keys file in the ~/.ssh directory.  If the authorized_keys file doesn't exist, you can create a blank file with your favorite editor (vim).

[remote_user]$ vim ~/.ssh/authorized_keys

Copy the public key file from the local machine to the remote machine

[local_user]$ scp -P port_# ~/Downloads/username_public_key.pub remote_username@<remote_ip_address>:~/.ssh/

Then log in to the remote machine and append the contents of the public key file to the authorized_keys file.

[local_user]$ ssh remote_user_name@<remote_ip_address>

then

[remote_user]$ cat ~/.ssh/username_public_key.pub >> ~/.ssh/authorized_keys

You can check that the contents of the public key file were appended to the authorized_keys file by viewing both files with a text editor.

Transferring and importing the public key file to the remote system can also be done in one step with the following command

[local_user]$ ssh-copy-id -i ~/Downloads/username_public_key.pub -p port_# remote_user@<remote_ip_address>

This will create the authorized_keys file and the ~/.ssh/ directory if they don't already exist.  If the authorized_keys file already exists, then this will check to see if the public key file content is already in the file and will append the public key file content to the authorized_keys file if it is not.
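The client-side steps above (create ~/.ssh with mode 700, install the private key as id_ecdsa with mode 600) and the server-side step (append the public key to authorized_keys only if it is not already there, which is what ssh-copy-id does) can be scripted and verified. The following is an added example, not code from the original post or from OpenSSH: the function names, the directory parameters and the sample key are all my own, and the public key in the usage notes is constructed filler rather than a real key. Taking the home and authorized_keys paths as parameters means the script can be exercised against a scratch directory before it is pointed at a real ~/.ssh.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and parameters
# are hypothetical; the logic mirrors the post's mkdir/chmod/mv steps and
# the idempotent append the post describes for ssh-copy-id.

# install_private_key <home_dir> <private_key_file>
# Creates <home_dir>/.ssh (mode 700) and moves the key in as id_ecdsa (mode 600).
install_private_key() {
    home_dir=$1
    key_file=$2
    mkdir -p "$home_dir/.ssh" || return 1
    chmod 700 "$home_dir/.ssh" || return 1
    mv "$key_file" "$home_dir/.ssh/id_ecdsa" || return 1
    chmod 600 "$home_dir/.ssh/id_ecdsa" || return 1
}

# check_key_perms <home_dir>
# Returns 0 if .ssh is 700 and id_ecdsa is 600. ssh refuses a private key
# that other users can read, so this is the first thing to check when key
# authentication unexpectedly falls back to a password prompt.
# (stat -c is GNU; stat -f '%Lp' is the BSD/macOS fallback.)
check_key_perms() {
    home_dir=$1
    dir_mode=$(stat -c '%a' "$home_dir/.ssh" 2>/dev/null || stat -f '%Lp' "$home_dir/.ssh")
    key_mode=$(stat -c '%a' "$home_dir/.ssh/id_ecdsa" 2>/dev/null || stat -f '%Lp' "$home_dir/.ssh/id_ecdsa")
    [ "$dir_mode" = "700" ] && [ "$key_mode" = "600" ]
}

# add_authorized_key <authorized_keys_file> <public_key_file>
# Appends the key only when its key type and base64 blob are not already
# present. The trailing comment (user@host) is deliberately not compared,
# because sshd ignores it and it differs between copies of the same key.
# Assumes a .pub file as written by ssh-keygen (type, blob, comment).
add_authorized_key() {
    auth_file=$1
    pub_file=$2
    key_blob=$(awk 'NR==1 { print $1, $2 }' "$pub_file")
    [ -n "$key_blob" ] || return 1
    if [ -f "$auth_file" ] && grep -qF -- "$key_blob" "$auth_file"; then
        return 0    # already authorized, nothing to do
    fi
    mkdir -p "$(dirname "$auth_file")" || return 1
    chmod 700 "$(dirname "$auth_file")" || return 1
    cat "$pub_file" >> "$auth_file" || return 1
    chmod 600 "$auth_file"
}

# count_authorized_keys <authorized_keys_file>
# Number of key lines (blank lines and comments excluded), handy for
# confirming that a second ssh-copy-id did not add a duplicate.
count_authorized_keys() {
    grep -c -v -E '^[[:space:]]*(#|$)' "$1"
}
```

On the client you would call `install_private_key "$HOME" ~/Downloads/username_private_key` followed by `check_key_perms "$HOME"`; on the server, `add_authorized_key ~/.ssh/authorized_keys ~/.ssh/username_public_key.pub` replaces the manual `cat >>` and can be run repeatedly without growing the file.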

After either method above, restart the sshd server on the remote machine

[remote_user]$ sudo systemctl restart sshd

The last step is to add the private key identity to the local machine's authentication agent.
You will need to enter the passphrase of the private key file (if one was set) after issuing the ssh-add command.

[local_user]$ ssh-add
Enter passphrase for /home/local_user/.ssh/id_ecdsa:
Identity added: /home/local_user/.ssh/id_ecdsa (/home/local_user/.ssh/id_ecdsa)

Now you should be able to ssh into the remote server from a local client using the public-private key pair for authentication.  If the authentication works, then you will connect without being prompted for a password.  If prompted for a password, key authentication is not working.

[local_user]$ ssh -p port_# remote_user@<remote_ip_address>

Last login: Mon May 14 18:19:40 2018 from 173.239.232.55
[remote_user]$


Now for some house cleaning.  This is an optional step that will strictly enforce key-based authentication by disabling password authentication.  To do so, open the /etc/ssh/sshd_config configuration file in a text editor such as vim and change the PubkeyAuthentication and PasswordAuthentication options as follows:

PubkeyAuthentication yes
PasswordAuthentication no

Then restart the ssh server.

[remote_user]$ sudo systemctl restart sshd
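One thing worth knowing before that restart: sshd uses the first occurrence of each keyword in sshd_config, so a "PasswordAuthentication no" added at the bottom of a file that already says "PasswordAuthentication yes" higher up changes nothing, and password logins stay enabled. On the server itself, `sshd -t` checks the file for syntax errors and `sshd -T` prints the values sshd will actually use, which is the authoritative check. The script below is an added example, not code from the original post or from OpenSSH; the function names are my own, it assumes the whitespace-separated "Keyword value" form used in the post (not "Keyword=value"), and it stops at the first Match block, whose directives apply only conditionally.

```shell
#!/bin/sh
# Added example (not from the original post). Reports the value sshd will
# actually use for a keyword in an sshd_config file, applying sshd's
# first-occurrence-wins rule, and checks the two settings the post changes.

# sshd_effective_value <config_file> <keyword>
# Prints the effective (first) value in lower case, or nothing if unset.
# Keyword matching is case-insensitive, as in sshd itself.
sshd_effective_value() {
    config=$1
    keyword=$2
    awk -v kw="$keyword" '
        BEGIN { kw = tolower(kw) }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match" { exit }                 # conditional section begins
        tolower($1) == kw { print tolower($2); exit }   # first occurrence wins
    ' "$config"
}

# check_key_only_auth <config_file>
# Returns 0 when the file enforces what the post sets: PubkeyAuthentication yes
# (also sshd's default when the keyword is absent) and PasswordAuthentication
# explicitly no (sshd's default is yes, so the keyword must be present).
check_key_only_auth() {
    config=$1
    pubkey=$(sshd_effective_value "$config" PubkeyAuthentication)
    password=$(sshd_effective_value "$config" PasswordAuthentication)
    [ "${pubkey:-yes}" = "yes" ] && [ "$password" = "no" ]
}

# Stand-alone usage (hypothetical script name): ./check_sshd_config.sh /etc/ssh/sshd_config
if [ -n "$1" ]; then
    if check_key_only_auth "$1"; then
        echo "$1: key-only authentication is enforced"
    else
        echo "$1: password authentication is still possible"
        exit 1
    fi
fi
```

Run it against /etc/ssh/sshd_config after editing and before the restart; a non-zero exit means the edit did not take effect as intended, most often because an earlier line already set the keyword.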

Fedora 29 Reference (same process worked back to at least Fedora 26 and Ubuntu 17.04)
https://docs.fedoraproject.org/en-US/fedora/f29/system-administrators-guide/infrastructure-services/OpenSSH/#
