
Set Up SSH for Key Authenticated Access

SSH, or Secure SHell, provides a method of remotely accessing the Linux console (terminal). This enables computers to be administered remotely, thus eliminating the need to physically access the machine (or even have a monitor and keyboard attached to the machine full-time).

SSH for Windows Users

Accessing an SSH server from Windows is possible via Cygwin, a free package that provides a POSIX environment for Windows. Cygwin also has an X-Windows server which allows remote use of the Linux desktop. Those who wish to use X-Windows remotely on Windows should download and install Cygwin as per instructions on the X-Cygwin home-page.

Setting up a Secure SSH Server

Saying "a Secure SSH Server" sounds a bit silly since SSH stands for Secure SHell. However, whilst SSH communicates over an encrypted network link, the client machine does not necessarily have to authenticate itself. All that is required is the correct username and password, and access is granted. If a machine is accessible via the internet (allowing remote administration from anywhere in the world) then there is always the risk of ???????? As with other instructions, the following instructions are for Debian, or a similar set up. Of course, the same is possible with most other Linux distributions, but the steps will have to be adapted.

For the following steps, replace "username" with the actual username of the user, and "hostname" with the URL (or IP address) of the server:

  • Install SSH:
apt-get update
apt-get install ssh
  • On the remote machine, create a key for each user that requires access:
ssh-keygen
<enter a passphrase when prompted> 
  • The above step should be repeated for each remote machine. Alternatively, it is okay to copy the key files from /home/username/.ssh/ (the files are id_rsa and id_rsa.pub). My advice would be to create separate keys for each remote machine and user, so that if one machine is compromised, only that machine's keys need to be deleted from the server.
  • On the server, create directories to hold the key authorization file, that is, for every user that requires remote access (note: the following assumes that you are logged in as root):
cd /home/username
su username -c "mkdir .ssh"
chmod 700 .ssh
  • On the remote machine (or on each remote machine if there are multiple machines) copy the public key files over to the server. For multiple machines, you will have to give each key a unique name:
cd /home/username
scp .ssh/id_rsa.pub username@hostname:.ssh/id_rsa.pub
NOTE: This could also be achieved with ssh-copy-id, but Cygwin is missing this tool, so the method above is provided.
  • Add the public keys to the authorization file. For each key:
cat .ssh/id_rsa.pub >> .ssh/authorized_keys
rm .ssh/id_rsa.pub
  • Restrict access to authorized_keys:
chmod 600 .ssh/authorized_keys
  • Now modify the configuration file for the server so that it requires authorized keys for remote access. Open /etc/ssh/sshd_config and insert the following lines (it is best to uncomment the existing lines by removing the "#" character in front, and modify them):
AuthorizedKeysFile    %h/.ssh/authorized_keys
PasswordAuthentication   no
  • Restart the server:
/etc/init.d/ssh restart
  • Test that you can connect remotely; on the remote machine:
ssh username@hostname
  • It is also a good idea to test that the public key is required. This can be achieved by attempting a log in from another machine without a key, or temporarily moving the /home/username/.ssh directory elsewhere and then logging in. Such attempts should fail. If so, the SSH server is secure.
Whilst the above creates a secure server, it is important to make sure that all users protect their keys, and have strong passwords. There are also other techniques that can be used for extra security, such as is suggested on this page.
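
The checks behind the configuration and permission steps above, as an added example that is not part of the original article: this script reads an sshd_config file and a user's home directory, and reports whether password logins are still accepted and whether the 700/600 modes are in place. The function names are this example's own and the sample config is constructed; it reads a single file and does not follow Include directives.

```shell
#!/bin/sh
# Added example (not from the article): audit the settings the steps rely on.

# Effective global value of KEYWORD in an sshd_config FILE. sshd keeps the
# first value it reads; keywords are case-insensitive; lines after the
# first "Match" are conditional and are not global.
sshd_global_value() {  # usage: sshd_global_value FILE KEYWORD DEFAULT
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Succeeds if any Match block in FILE turns password logins back on.
match_allows_passwords() {
    awk '/^[ \t]*#/ { next }
         tolower($1) == "match" { m = 1; next }
         m && tolower($1) == "passwordauthentication" && tolower($2) == "yes" { bad = 1 }
         END { exit !bad }' "$1"
}

# Succeeds if PATH exists with exactly the octal MODE (POSIX find).
has_mode() { [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]; }

# usage: audit_key_only_login SSHD_CONFIG HOME_DIR; non-zero on any finding.
audit_key_only_login() {
    rc=0
    [ "$(sshd_global_value "$1" PasswordAuthentication yes)" = no ] ||
        { echo "FAIL: password logins are accepted globally"; rc=1; }
    if match_allows_passwords "$1"; then
        echo "FAIL: a Match block sets PasswordAuthentication yes"; rc=1
    fi
    has_mode "$2/.ssh" 700 || { echo "FAIL: $2/.ssh is not mode 700"; rc=1; }
    has_mode "$2/.ssh/authorized_keys" 600 ||
        { echo "FAIL: $2/.ssh/authorized_keys is not mode 600"; rc=1; }
    return "$rc"
}

# Constructed sample: the stock commented-out line leaves the default (yes).
demo=$(mktemp -d) && mkdir -m 700 "$demo/.ssh" && : > "$demo/.ssh/authorized_keys"
chmod 644 "$demo/.ssh/authorized_keys"
printf '%s\n' '#PasswordAuthentication yes' > "$demo/sshd_config"
audit_key_only_login "$demo/sshd_config" "$demo" || echo "audit found problems"
rm -rf "$demo"
```

On a live server, run `audit_key_only_login /etc/ssh/sshd_config /home/username` as root; `sshd -T` prints the effective configuration as sshd itself computes it.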



