Tuesday, October 4, 2016

Setting up SSH Certificates for Authentication

If you've used AWS, you know that by default EC2 instances are setup with a key pair and you are provided the SSH key file so that you can login. If you're familiar with the login command then you can skip of this next little section and move straight to the Setup section.


When logging in with SSH keys there a are a couple of things to be aware of. Ideally you shouldn't need to enter a password once you are connected to the server. This does not necessarily mean that you won't need a password still. Many times you will still want to protect the key and to do that you should set a passphrase on the key on your local machine.

In order to specify a key you can use the following command:

ssh -i ~/path/to/file user@example.com

You don't necessarily need to specify the file if it exists in your ~/.ssh directory. To make sure that it is being used then the -v option can be used.

ssh -v user@example.com

Assuming you connect with out any issues you may not need to use any options besides the users and server.


In order to get started I would actually begin I would start with the key you want to use that way once you're connected you can simply add the necessary file.

Key Creation

To create a key the below command can be used:

ssh-keygen -t rsa -b 4096 -C "user@example.com" -f ~/.ssh/<key_name>

It creates an 4096-bit RSA style key. -C refers to the common name associated with this key a lot of time this will be your personal email if it's for a personal login, or potentially the name of the server or service you are planning to act as the client which is authenticating. -f specifies the output file.

Note: Two files are actually created as a result of this command one will be simply what is specified while the other will be the same, but with .pub appended to the end of it. The first file is the private key file and the second contains the public key.

As mentioned before it is a good idea to have a passphrase on your keys so you will be prompted for one and a confirmation will also be required.

Enter passphrase (empty for no passphrase):
Enter same passphrase again:

Once you hopefully entered a password something similar to the follow will display.

The key fingerprint is:
SHA256:usnNCQV8Vt6Ti/rrW3+4/IA+IibgRrJIpfuHtP53glA something@example.com
The key's randomart image is:
+---[RSA 4096]----+
|          .      |
|     .   o . .   |
|      o o . +    |
|   . E +   . o   |
|  o .   S . .    |
| o.oo  o .   .   |
|..o=+.+ .   o .. |
|  o+o.=o*o=+..++.|

Step 1 Complete!

SSHD Configuration

Now that you have you're key login to your target server. Keep in mind you will likely need to have root access to do this. Once you have the adequate permissions find your sshd configuration file. For the purpose of this tutorial I am using Oracle Linux 7, so the configuration file is located:


Verify that the following two settings are configured:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

While this isn't related specifically to setting up, it would be recommend (just make sure that you have a non-root user on this server before setting this).

PermitRootLogin no

Once your settings are configured. Restart the service using:

systemctl restart sshd.service

This system is Oracle Linux 7 and it uses systemd. If you're more familiar with init.d this provides a little bit of information about the differences.

Adding your Public Key

Now that your ssh service is restarted. You will need to reconnect with the server using your password. Once connected, make sure you are using the user you want to use with the certificate.

  1. On your local machine get ready to copy the contents of your .pub file. I usually use the cat command to print it to my console.
  2. On your target machine open or create the file ~/.ssh/authorized_keys If it already exists with a key inside start a new line. Each key should have it's own line, and should only take up a single line.
  3. Copy the contents of the .pub file on your local machine to the clipboard.
  4. Paste the value into your ~/.ssh/authorized_keys file and save it.
  5. Close the connection and specify your private key file.
  6. Follow the steps from Login section.

Finishing up

If you still want to allow password logins you are done! Congratulations!

If you want to take away password logins, then set the sshd configuration:

PasswordAuthentication no

Restart sshd and you're good to go!

Thanks for reading!

No comments: