Thursday, December 10, 2009

SSH public and private key authentication

If anyone has played with ssh before, you should be quite familiar with login in with your password/passphrase to the ssh server. There is nothing wrong with this method of authentication at all as long as you have a complex password thats extremely hard to guess. However there is a more advanced method of authentication used by many professional organizations and businesses and the internet as well, known and Public key authentication. This system utilizes two keys, a public key known to everyone and is used for encryption and a private or secret key known only to the recipient of the message. In ssh, the use of the private keys are only for authentication purposes but then all of the communications are done using a negotiated symmetric key, which is a key common to both the sender and reciever of the message that is used to decrypt and encrypt the message.

SSh is commonly used for remote administering of machines, but is very common in the unix environment. As an administrator, we want to be able automate most of our tasks remotely over ssh, but the problem that arises is the password prompt screen. How can we automate a remote task if the machine we are login into is gonna ask for a password everytime we try to log on? The answer is to utilize the public and private key authentication method. You specify a private key to be used to authenticate on to the remote machine. The remote machine should have a matching public key under the logging in user account. Wants the pair of the public and private key is made, access is granted automatically withouth the use for a password/passphrase.

sshd [linux]
Putty [windows]
Puttygen [windows]

Step 1. Using puttygen, generate a 1024 bit rsa keys and save the public and private key portion to a USB key ( and mykey.ppk ).

Step 2. Copy the puiblic key ( to the unix machine into the "/root/.ssh/" folder

Step 3. Convert the puttygen public key to an openssh format.
# ssh-keygen -i -f /root/.ssh/ >

Step 4. Paste the contents of the public key into a file called authorized_keys or
# touch authorized_keys
# cat >> authorized_keys

Step 5. Using putty, enter in root@, assuming is the remote hosts ip address.

Step 6. Under the 'Connections' section in putty, goto the 'SSH' sub section then 'Auth'. Browse
for your private key (mykey.ppk) then click on open

If all went well you should be granted access to the root account without having to enter a password. If you were using a linux client, this could have been automated using bash scripts and all that is required is for you to place your private key in your local home directory in the .ssh folder, i.e, /home/user1/.ssh/

Resources/Good reading:

No comments:

Post a Comment