Sunday, June 17, 2018

LInux 101 - Enable SSH key based authentication

SSH Key based authentication allows a user to login to the remote Linux server without providing the username/password. Key based authentication works with a pair of public/private keys. The public key of the client is stored in ~/.ssh/authorized_keys on the server. The private key is kept in the client machine.

The following are the steps of authentication process:

a. User starts the SSH process by specifying key pair to be used. Then the client machine sends the SSH connection request to the server with the Key ID.

b. The server checks its ~/.ssh/authorized_keys and try to find the public key with the Key ID. Once the Key is found, the server will generate a random number and encrypts this number with the found public key.

c. The client machine decrypts the message sent by the server with its private key and obtain the random number.

d. The client machine will calculate a MD5 hash value with the "obtained random number + the session key" and send this MD5 value back to server.

(Noted: this "obtained random number + the session key" value will also be used to encrypt the communication messages between client and server later on.)

e. The server will calculate the MD5 value of "obtained random number + the session key" and compare it with the one received from the client. If they are matching, the SSH request is granted.

The follow will describe the steps of configuring the SSH key based authentication:

Step 1: Create SSH keys on the client machine

#mkdir -p $HOME/.ssh
#chmod 0700 $HOME/.ssh
#cd ~/.ssh

# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/
The key fingerprint is:
b3:7b:be:1a:7f:66:c9:01:ea:28:f4:36:09:ec:6e:3e root@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                 |
|          .      |
|   .    S. .     |
|    +   .o  .    |
|   o o +o  . o   |
|    E * .+. *    |
|   +o+ .o++=     |

After this step, we will have the private key and public key:

$HOME/.ssh/id_rsa– private key.

$HOME/.ssh/ – public key.

Step 2: Copy the public key to your remote SSH server

[root@localhost ~]# ssh-copy-id root@
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@'s password: (here is the remote SSH server login password)

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@'"
and check to make sure that only the key(s) you wanted were added.

Step 3: Initial the SSH session from the client machine by specifying the key to be used

specifc the prviate key (~/.ssh/id_rsa) to be used:

ssh -i ~/.ssh/id_rsa root@ 

SSH key based authentication is widely used. In my previous post "
Network Automation 02 - Ansible Play book for FTP server file synchronisation
", we use key based authentication for the "rsync".

No comments:

Post a Comment

NSX Load Balancer "Application Rules" Examples:

Load Balancing is one of the features provided by the NSX Edge Services Gateway (ESG). It can provide L7 Load Balancing by utilizing the HA...