— | linux:misc:ssh_keys [2021/12/21 14:21] (current) – created - external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Setup SSH public/ | ||
+ | SSH (Secure Shell) can be set up with public/ | ||
+ | |||
+ | Here is how to generate the SSH Version 2 keys: | ||
+ | |||
+ | * Type ssh-keygen -t dsa for DSA or ssh-keygen -t rsa -b 4096 for RSA into shell | ||
+ | * Just press enter to leave the default location and no passphrase. | ||
+ | * Now, copy your public key component located in ~/.ssh (id_dsa.pub or id_rsa.pub – whatever you created) to the remote machine in ~/ | ||
+ | |||
+ | Create DSA or RSA key pair. | ||
+ | <code bash Creating the DSA key> | ||
+ | su@www:~$ ssh-keygen -t dsa | ||
+ | Generating public/ | ||
+ | Enter file in which to save the key (/ | ||
+ | Created directory '/ | ||
+ | Enter passphrase (empty for no passphrase): | ||
+ | Enter same passphrase again: | ||
+ | Your identification has been saved in / | ||
+ | Your public key has been saved in / | ||
+ | The key fingerprint is: | ||
+ | 1d: | ||
+ | The key's randomart image is: | ||
+ | +--[ DSA 1024]----+ | ||
+ | | .+*+*o+| | ||
+ | | o=* *o| | ||
+ | | .o+E+ o| | ||
+ | | . .+. . | | ||
+ | | S . | | ||
+ | | | | ||
+ | | | | ||
+ | | | | ||
+ | | | | ||
+ | +-----------------+ | ||
+ | </ | ||
+ | <code bash Creating the RSA key> | ||
+ | su@www:~$ ssh-keygen -t rsa -b 4096 | ||
+ | Generating public/ | ||
+ | Enter file in which to save the key (/ | ||
+ | Enter passphrase (empty for no passphrase): | ||
+ | Enter same passphrase again: | ||
+ | Your identification has been saved in / | ||
+ | Your public key has been saved in / | ||
+ | The key fingerprint is: | ||
+ | 80: | ||
+ | The key's randomart image is: | ||
+ | +--[ RSA 4096]----+ | ||
+ | | . | ||
+ | | . * = | | ||
+ | |. X B . | | ||
+ | | = @ o . | | ||
+ | |. * B | ||
+ | | . = . | | ||
+ | | . E | | ||
+ | | | | ||
+ | | | | ||
+ | +-----------------+ | ||
+ | </ | ||
+ | When the key is generated, copy it to the target machine using either of the two commands: | ||
+ | <code bash> | ||
+ | ssh-copy-id user@123.123.123.123 | ||
+ | cat ~/ | ||
+ | </ | ||
+ | Where ‘user’ is the remote systems existing user and ‘123.123.123.123’ is the remote systems IP. The first command will copy all generated keys, but the second command must be run separately for each generated key. | ||
+ | |||
+ | ===== Deciding on which key pair to use ===== | ||
+ | |||
+ | * DSA (Digital Signature Algorithm) | ||
+ | * RSA (Rivest-Shamir-Adleman) | ||
+ | |||
+ | DSA is faster in signing, but slower in verifying. A DSA key of the same strength as RSA (1024 bits) generates a smaller signature. A RSA 512 bit key has been cracked, but only a 280 DSA key. Also note that DSA can only be used for signing/ | ||
+ | |||
+ | ===== Using different keys on different hosts ===== | ||
+ | Create multiple keys and create ~/ | ||
+ | <code bash> | ||
+ | Host server1 | ||
+ | IdentityFile ~/ | ||
+ | |||
+ | Host server2 | ||
+ | IdentityFile ~/ | ||
+ | </ | ||
+ | |||
+ | ===== Prevent users from loging in using password, and disable root ssh login ===== | ||
+ | <code bash| To prevent login without password> | ||
+ | sudo vim / | ||
+ | #Find ChallengeResponseAuthentication and set to no: | ||
+ | ChallengeResponseAuthentication no | ||
+ | |||
+ | #Find PasswordAuthentication set to no | ||
+ | PasswordAuthentication no | ||
+ | |||
+ | #Find UsePAM and set to no: | ||
+ | UsePAM no | ||
+ | |||
+ | #Find PermitRootLogin and set to no: | ||
+ | PermitRootLogin no | ||
+ | </ | ||
+ | |||
+ | ===== Prevent users from logging in, and allow only scp into chroot directory. | ||
+ | <code bash| / | ||
+ | Subsystem sftp internal-sftp | ||
+ | Match Group sftponly | ||
+ | ChrootDirectory / | ||
+ | ForceCommand internal-sftp | ||
+ | </ | ||
+ | |||
+ | Create / | ||
+ | <code bash> | ||
+ | mkdir -p / | ||
+ | chmod -R 0775 /chroot | ||
+ | chown -R root:root /chroot | ||
+ | chown -R user:user / | ||
+ | </ | ||
+ | Create a group ' | ||
+ | ===== FAQ: ===== | ||
+ | |||
+ | Q: I follow the exact steps, but ssh still ask me for my password!\\ | ||
+ | A: Check your remote .ssh directory. It should have only your own read/ | ||
+ | % chmod 700 ~/.ssh | ||
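Review bot: the chroot setup in the mkdir/chmod/chown block under "Create /" will be rejected by sshd as written: `chmod -R 0775 /chroot` leaves the chroot root group-writable, and `ChrootDirectory` requires every component of the path to be owned by root and not writable by group or others, so members of `sftponly` are disconnected and sshd logs "bad ownership or modes for chroot directory". Use `chmod 0755 /chroot`, keep `chown root:root /chroot`, and give the user write access only to a subdirectory below it (the later `chown -R user:user` line). Three smaller points in the same hunk: `UsePAM no` goes further than the heading asks for, because `PasswordAuthentication no` together with `ChallengeResponseAuthentication no` (spelled `KbdInteractiveAuthentication` since OpenSSH 8.7, with the old name kept as an alias) already blocks password logins, and on Debian-derived systems PAM also supplies account and session handling; the `ssh-keygen -t dsa` path produces a 1024-bit ssh-dss key that OpenSSH has refused by default since 7.0, so the "Deciding on which key pair to use" section should steer readers to `ssh-keygen -t ed25519` or the RSA 4096 variant already shown, with a passphrase rather than the empty one the bullet list suggests; and the heading "allow only scp into chroot directory" should say SFTP, since `ForceCommand internal-sftp` serves SFTP clients only and classic scp needs a shell on the remote side. Typo in the heading "Prevent users from loging in": "loging" should be "logging".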