Saturday, October 24, 2009

Using Public-Private Key Authentication


We're all used to entering a password to gain access to user accounts, Web accounts, and so on. Type in your username and then enter your password when prompted, and you're in. However, passwords are becoming increasingly vulnerable to cracking, shoulder surfing, and good ol' yellow sticky notes. If someone learns your password, he has access to your account. This isn't good.


Fortunately, SSH provides an alternative to static passwords: public-key authentication, built on public-key (also called asymmetric) cryptography.


You generate a public- and private-key pair. Anything encrypted with the public key can be decrypted only with the private key. Conversely, a signature produced with the private key can be verified by anyone holding the public key, but nobody without the private key can forge one. SSH authentication relies on that second property: you prove you hold the private key without ever sending it anywhere.



How public-key authentication works


Here's how it works. The sketch below leaves out the details of the key exchange, but the steps are what the SSH-2 protocol, and therefore OpenSSH, actually does:

  1. You generate a public- and private-cryptographic-key pair.

  2. Optionally, encrypt your private key with a pass phrase.

  3. Place the public key in your remote user account.

  4. Keep your private key on your local computer.

  5. Use the OpenSSH client to connect to the remote SSH server. The key exchange that opens the connection gives both sides a session identifier that is different for every connection.

  6. Your OpenSSH client offers your public key, and the remote SSH server checks whether that key appears in your account's authorized_keys file.

  7. Your OpenSSH client signs, with your private key, a message that contains the session identifier, your username and the public key, and sends the signature to the server.

  8. The remote SSH server verifies the signature using the copy of your public key it has on file.


If the signature verifies, you're authenticated, because only the holder of the private key can produce a signature that the public key accepts. The private key itself never leaves your computer, and because the signed message includes the session identifier, a signature captured from one connection is useless for any other. (The older SSH-1 protocol worked the other way round: the server encrypted a random number with your public key and you proved you could decrypt it. OpenSSH has defaulted to SSH-2 for years and removed SSH-1 support entirely in version 7.6.)




Creating an OpenSSH public- and private-key pair


Now, let's try a real-world example. Start by generating the public/private key-pair.


  1. Click the GNOME Applications menu and select Accessories > GNOME Terminal.

  2. Type the following and press the Enter key:


    ssh-keygen -t rsa


    ssh-keygen displays the message Generating public/private rsa key pair. Adding -b 4096 requests a larger key than the default; on OpenSSH 6.5 and later you can also use -t ed25519 instead of rsa for a shorter, faster key.

  3. Press the Enter key when you're prompted for a filename to accept the default, ~/.ssh/id_rsa. The matching public key is written beside it as ~/.ssh/id_rsa.pub.

  4. Type a pass phrase when prompted.

    Longer pass phrases provide more protection; use at least 20 characters if you can. Pick something you can remember but that nobody else would associate with you. A well-known quote or lyric (I'm going down to South Park, say) sits in the same word lists crackers run against passwords, so a few unrelated words of your own are a better choice.


The ssh-keygen utility finishes by displaying the fingerprint of the key you just generated: a short hash of the public key. Compare fingerprints whenever you need to confirm that a key on a remote machine is the one you generated rather than one somebody substituted.




Configuring your remote account with your public key


After you create your private/public-key pair, you need to copy the public key to your remote user account and configure the account to use the public key. The public key should be placed in the authorized_keys file in the .ssh directory in your user account's home directory on the remote machine. Follow these steps:

  1. Type the following command and press the Enter key:


    scp ~/.ssh/id_rsa.pub username@remotemachine:


    scp is another OpenSSH utility, Secure Copy, used to copy files to and from remote machines. The trailing colon tells it that the destination is a path on the remote host (your home directory there, when nothing follows the colon) rather than a local file named username@remotemachine. Many systems also ship ssh-copy-id, which performs this step and steps 2 through 6 in one command.

  2. Log in to the remote machine.


    ssh username@remotemachine


  3. Create the .ssh directory if it doesn't already exist.


    mkdir -p .ssh


  4. Change the permissions on the .ssh directory.


    chmod 700 .ssh


    This command gives full access to the owner (you) of the .ssh directory and denies all access to everyone else. With its default StrictModes setting, sshd ignores authorized_keys entirely if .ssh, the authorized_keys file or your home directory is writable by group or others, so a key that is silently refused is usually a permissions problem.

  5. Insert your public key into the authorized_keys file in the .ssh directory.


    cat id_rsa.pub >> .ssh/authorized_keys


    The double greater-than symbols (>>) append the contents of id_rsa.pub to authorized_keys if that file already exists, so any keys already authorized are kept; if the file doesn't exist, the redirection creates it. Don't use a single > here: it would overwrite every other key in the file.

  6. Change the permissions on the authorized_keys file.


    chmod 600 .ssh/authorized_keys



You can now use OpenSSH public-key authentication to log in to your remote user account.
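The steps above combined into one script, as an added example that is not part of the original post: it installs the key idempotently (running it twice does not duplicate the entry), refuses lines that are not OpenSSH public keys, and checks the permissions that sshd's StrictModes setting enforces. The sample key line in the demonstration is constructed and is not real key material, and a temporary directory stands in for the remote home directory; both are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): install an OpenSSH public key
# into a user's authorized_keys the way the steps above do, but idempotently
# and with the permission checks sshd's StrictModes performs.
# Assumptions: POSIX sh, grep, ls and mktemp; the sample key below is
# constructed for the demo and is not real key material.

# is_pubkey_line LINE: succeed if LINE looks like one OpenSSH public key,
# i.e. "keytype base64data [comment]". Anything else is rejected so a stray
# shell prompt or a private key pasted by mistake never lands in the file.
is_pubkey_line() {
    printf '%s\n' "$1" |
      grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_pubkey PUBKEY_FILE HOME_DIR
# Appends each well-formed key line of PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys,
# skips lines already present, sets 700 on .ssh and 600 on authorized_keys,
# and prints the number of keys actually added.
install_pubkey() {
    keyfile=$1
    sshdir=$2/.ssh
    auth=$sshdir/authorized_keys

    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    [ -f "$auth" ] || : > "$auth"          # create it empty if missing
    chmod 600 "$auth" || return 1

    added=0
    # the "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        if ! is_pubkey_line "$line"; then
            printf 'skipping line that is not a public key: %s\n' "$line" >&2
            continue
        fi
        # -x matches whole lines, -F disables regex metacharacters in the key
        if grep -qxF -- "$line" "$auth"; then
            continue                        # already authorized, no duplicate
        fi
        printf '%s\n' "$line" >> "$auth"
        added=$((added + 1))
    done < "$keyfile"
    printf '%s\n' "$added"
}

# check_perms HOME_DIR: succeed only if .ssh and authorized_keys grant nothing
# to group or others (ls -l columns 5 to 10), which the chmod steps ensure.
check_perms() {
    for f in "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$f" ] || return 1
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || return 1
    done
    return 0
}

# Demonstration on a temporary directory standing in for the remote home.
demo_home=$(mktemp -d)
printf '%s\n' \
  'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForTheAddedExample0000000000 alice@laptop' \
  'this line is not a key' > "$demo_home/id_rsa.pub"
install_pubkey "$demo_home/id_rsa.pub" "$demo_home"   # prints 1: key added
install_pubkey "$demo_home/id_rsa.pub" "$demo_home"   # prints 0: already there
check_perms "$demo_home" && echo "permissions acceptable to StrictModes"
rm -rf "$demo_home"
```

On the remote machine, after the scp step, install_pubkey ~/id_rsa.pub "$HOME" replaces steps 3 through 6; delete the stray copy of id_rsa.pub afterwards. check_perms looks only at .ssh and authorized_keys; StrictModes also requires the home directory itself to be free of group and other write permission, so check that too if a key is still ignored.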




Using public-key authentication to log in to your remote account


After you copy and configure your public key to the remote user account, you can use the key-pair to log into your remote account. Follow these steps:

  1. Type the following command in your local user account:


    ssh username@remotemachine


    The OpenSSH client looks in your local ~/.ssh directory for its default identity files (id_rsa among them). It finds the private key you just generated and uses it to authenticate to the remote SSH server. Alternatively, name the private key explicitly with the -i option: ssh -i ~/.ssh/id_rsa username@remotemachine. If the login falls back to asking for a password, add -v to the command; the debug output shows which keys the client offered and whether the server accepted them.

  2. Type the private-key pass phrase when prompted.


You're logged in to your user account on the remote machine and you didn't have to enter a password! Note that the server still accepts password logins for the account unless the administrator sets PasswordAuthentication no in sshd_config, so the key alone doesn't take the password out of the picture; confirm that key login works before turning passwords off.


Two-factor authentication is much stronger than any single-factor scheme. Two-factor means that you must provide two factors to gain access to an account. Generally, one factor is something you physically possess, and the second factor is something you know. Commercial two-factor systems provide a physical device such as a smart card or token that requires a password or personal identification number (PIN) to work. Anyone intent on surreptitiously gaining access to your account must first steal both factors.


The OpenSSH public-key system gives you something close to two-factor authentication: someone must steal both your private key and your pass phrase to break into your user account. Stealing those factors is easier than stealing a commercial token, though, because by default your private key sits in the .ssh directory of your home directory on your computer. Anyone who breaks into that computer can copy the key file and use a key logger to capture your pass phrase. You can approximate commercial two-factor systems more closely by keeping your private key on removable media like a USB memory stick. The article "Tighter SSH Security with Two-Factor Authentication," found at http://interactive.linuxjournal.com/article/8957, describes the process in more detail.









