[ale] SSH keys

Mike Kachline mkachline at gmail.com
Thu Nov 24 10:02:50 EST 2005


On 11/24/05, Brandon Colbert <colbert.brandon at gmail.com> wrote:
> How do I setup SSH to only accept connections from known public/private
> keys that were manually created by ssh-keygen?


Looking on linuxdoc.org, I'm actually surprised there is not an HOWTO for
this.

Following steps would be on my Fedora Core 4 box. Someone correct me if I
missed a step. Note that, in this example, "serverbox" is the machine you
want to ssh into, and "clientbox" is the box (or boxes) you want to ssh
from. I am assuming you created the default name keypair of "id_dsa" and
"id_dsa.pub", but, you can create additional keypairs.

1) ssh-keygen -t dsa
2) serverbox$ cat id_dsa.pub >> $HOME/.ssh/authorized_keys
3) Copy your private key (usually "id_dsa") to "clientbox" into the
directory $HOME/.ssh/
4) serverbox$ sudo vi /etc/ssh/sshd_config
5) Look for "PasswordAuthentication", set to "No"
6) Look for "PubkeyAuthentication", set to "Yes"
7) Save changes to sshd_config
8) serverbox$ /etc/rc.d/init.d/sshd restart
9) clientbox$ ssh -v -i id_dsa -l myserverusername serverbox

If you are planning to ssh into serverbox as "root", then you may need to
also tweak the "PermitRootLogin" setting in sshd_config, though as a general
rule of practice, ssh'ing as a normal user, and *then* sudo would be a safer
route.

If you run into problems, try reading the output of "ssh -v" and likewise,
on serverbox, take a look at /var/log/secure and/or /var/log/messages. A
possible problem is that your .ssh directory is writable by others/group, or
(even worse), your home directory (or one of its parents) is writable by
group/others. In such a case, sshd does not use your "authorized_keys" file
for fear that someone else could spoof you.


--
Mike Kachline
mike at kachline.net
http://www.kachline.net/
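An added check script for the two sshd_config settings edited in the steps above and for the permission caveat at the end of the post; this is example code, not something from the original mail, and the sshd_config path and home directory it inspects are assumed to be passed in by the caller.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies the two sshd_config
# lines the steps above edit and the .ssh permission caveat, without
# touching the live system unless you pass real paths.

# First effective value of KEYWORD in FILE, lowercased (sshd uses the first
# uncommented occurrence; "Keyword=value" and Match blocks are not handled).
sshd_get() {
    awk -v k="$1" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$2"
}

# 0 only when password auth is off and pubkey auth is on. A missing
# PasswordAuthentication line means sshd's default, which is "yes".
check_sshd_config() {
    pw=$(sshd_get PasswordAuthentication "$1")
    pk=$(sshd_get PubkeyAuthentication "$1")
    [ "${pw:-yes}" = "no" ] && [ "${pk:-yes}" = "yes" ]
}

# 0 when group or other has the write bit (positions 6 and 9 of ls -ld).
writable_by_others() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Walks HOMEDIR, HOMEDIR/.ssh and the authorized_keys file; any of them
# being group/other-writable is what makes sshd (StrictModes) ignore the
# key file. sshd also requires root or the user as owner; not checked here.
check_key_perms() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        if writable_by_others "$p"; then
            echo "group/other-writable: $p"; rc=1
        fi
    done
    return $rc
}
# Usage on serverbox: check_sshd_config /etc/ssh/sshd_config
#                     check_key_perms /home/myserverusername
```

Source the file and call the two functions after step 7, before restarting sshd; a non-zero exit from either is the case the post's "ssh -v" and /var/log/secure troubleshooting would otherwise have to find.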