Secure Shell, or SSH, is a cryptographic (encrypted) network protocol operating at layer 7 of the OSI Model[1:1] to allow remote login and other network services to operate securely over an unsecured network. SSH provides a secure channel over an unsecured network in a client-server architecture, connecting an SSH client application with an SSH server. Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH. [1:2]
Authenticating with SSH normally goes like this:
$ ssh email@example.com
firstname.lastname@example.org's password:
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-83-generic x86_64)
Last login: Fri Mar 4 14:05:21 2016 from 126.96.36.199
email@example.com:~$
The password is just plain text, and for the sake of security (and to make our lives easier) we want to get rid of it. This guide hardens the authentication process by disabling plain-text password login.
This guide assumes that your home folder is not encrypted. If it is encrypted, the guide does not work for you: the keys would be stored inside the encrypted folder, which the SSH daemon cannot read.
1. Create a local SSH key pair with ssh-keygen (RSA) on OS X.
To share a key between your trusted system and the server, you first need to create a local public/private key pair.
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/username/.ssh/id_rsa): [press enter]
Created directory '/Users/username/.ssh'.
Enter passphrase (empty for no passphrase): [press enter]
Enter same passphrase again: [press enter]
Your identification has been saved in /Users/username/.ssh/id_rsa.
Your public key has been saved in /Users/username/.ssh/id_rsa.pub.
The key fingerprint is:
ef:3e:a6:5e:62:f0:b4:c0:2f:67:ce:45:2a:74:18:7e username@username's-macbook
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|       o         |
|E .              |
| . o .           |
|  oo ==S         |
| . = o .         |
|  C = o          |
|   o B =o        |
|    o.B=o.       |
+-----------------+
2. Upload the generated public key to the remote server
This is needed so that the server can verify that you are authorized to log in in the future. Create the remote .ssh folder and then copy the key.
$ ssh firstname.lastname@example.org mkdir -p .ssh
$ cat .ssh/id_rsa.pub | ssh email@example.com 'cat >> .ssh/authorized_keys'
3. Set Permissions on the remote server
Because the SSH versions on the server and on the local system may differ, we set the permissions on the .ssh directory and the authorized_keys file explicitly, to prevent issues later.
$ ssh firstname.lastname@example.org "chmod 700 .ssh; chmod 640 .ssh/authorized_keys"
Now you are able to authenticate without a password, using your public key.
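As an added example (not part of the original guide), here is a small POSIX shell helper that does steps 2 and 3 locally and idempotently: it appends the public key to authorized_keys only if that exact line is not already there (the plain `cat >>` above adds a duplicate line each time it is run), applies the guide's permissions, and then verifies them the way sshd's StrictModes check does before it will use the file. The function names are my own; the paths are whatever you pass in, so it can be tried against a scratch directory first.

```shell
#!/bin/sh
# Added example, not from the original guide: install a public key into an
# authorized_keys file without duplicating it, apply the permissions from
# step 3, and verify them the way sshd's StrictModes check does.
# Function names are my own; the paths are whatever you pass in.

# install_pubkey <ssh_dir> <pubkey_line>
# Creates <ssh_dir> if needed and appends <pubkey_line> to authorized_keys
# only if that exact line is not already present, so re-running is harmless
# (the plain `cat >>` from step 2 adds a duplicate on every run).
install_pubkey() {
    ssh_dir=$1
    pubkey=$2
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    touch "$auth"
    if ! grep -qxF -- "$pubkey" "$auth"; then
        printf '%s\n' "$pubkey" >> "$auth"
    fi
    chmod 700 "$ssh_dir"        # the guide's values; 600 on the file is the
    chmod 640 "$auth"           # common stricter choice and also passes
}

# check_ssh_perms <ssh_dir>
# Returns 0 when <ssh_dir> and its authorized_keys exist, are owned by the
# current user and are not writable by group or others, which is what sshd
# requires with "StrictModes yes" (the default) before it uses the file.
# Parses ls -ld rather than stat so it works on both GNU/Linux and OS X.
check_ssh_perms() {
    ssh_dir=$1
    me=$(id -un)
    for p in "$ssh_dir" "$ssh_dir/authorized_keys"; do
        [ -e "$p" ] || return 1
        set -- $(ls -ld "$p")            # $1 = mode string, $3 = owner
        [ "$3" = "$me" ] || return 1
        case $1 in
            ?????w*|????????w*) return 1 ;;   # group (pos 6) or other (pos 9) write bit set
        esac
    done
    return 0
}

# Usage on the server (key line is a constructed placeholder):
#   install_pubkey "$HOME/.ssh" "$(cat /path/to/id_rsa.pub)"
#   check_ssh_perms "$HOME/.ssh" && echo "permissions OK for sshd"
```

Group- or world-writable permissions on either path make sshd silently ignore authorized_keys and fall back to asking for a password, which is the "later issue" step 3 is guarding against; the check function reproduces that rule so you can confirm it before closing your existing session.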
4. Test the new way to authenticate.
$ ssh email@example.com
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-83-generic x86_64)
Last login: Fri Mar 25 11:34:11 2016 from 192.168.0.102
firstname.lastname@example.org:~$
5. Disable root & SSH plain text login
The main configuration file for the SSH daemon itself is sshd_config. It has little to do with ssh_config, which specifies client-side defaults.
$ sudo nano /etc/ssh/sshd_config
Change
PermitRootLogin without-password
to
PermitRootLogin no
then uncomment the PasswordAuthentication line and change "yes" to "no", so that it reads:
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
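As an added example (not from the original post), the shell helper below reads an sshd_config file and reports the effective value of a keyword the way sshd resolves it: comment lines are skipped, the keyword is case-insensitive, "Keyword value" and "Keyword=value" are both accepted, and the first match wins. That last rule is the one that bites in step 5: a `PermitRootLogin no` appended at the bottom of the file is ignored if the original `PermitRootLogin without-password` line is still there higher up. Directives after the first Match block are conditional and are left out. The two sample files are constructed for this example and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original guide: resolve sshd_config keywords the
# way sshd does (first match wins, comments ignored, case-insensitive keyword,
# "Keyword value" or "Keyword=value"), then check the two hardening settings
# from step 5. Function names and sample files are my own.

# sshd_effective <config_file> <keyword>
# Prints the effective (lower-cased) value of <keyword>, or nothing if unset.
# Stops at the first "Match" block: everything after it is conditional.
sshd_effective() {
    cfg=$1
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" '
        /^[[:space:]]*#/ { next }          # comment line
        /^[[:space:]]*$/ { next }          # blank line
        {
            line = $0
            sub(/=/, " ", line)            # normalise Keyword=value
            split(line, f)
            k = tolower(f[1])
            if (k == "match") exit         # conditional section begins
            if (k == key) {
                gsub(/"/, "", f[2])        # strip optional quotes
                print tolower(f[2])
                exit                       # first occurrence wins
            }
        }' "$cfg"
}

# check_sshd_hardening <config_file>
# Returns 0 only if both settings from step 5 are effectively "no".
# An unset keyword counts as not hardened: the built-in default depends on
# the OpenSSH version, so the value should be explicit in the file.
check_sshd_hardening() {
    cfg=$1
    root=$(sshd_effective "$cfg" PermitRootLogin)
    pw=$(sshd_effective "$cfg" PasswordAuthentication)
    [ "$root" = "no" ] && [ "$pw" = "no" ]
}

# sample_sshd_config weak|hardened
# Constructed sample files for trying the checks offline. The "weak" one shows
# the common mistake of appending the new setting instead of editing the
# existing line: the appended PermitRootLogin no has no effect.
sample_sshd_config() {
    case $1 in
    weak)
        cat <<'EOF'
# Constructed sample, not a real server's file
Port 22
PermitRootLogin without-password
#PasswordAuthentication yes
PasswordAuthentication no
# appended later, but ignored: the earlier line already set the keyword
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
        ;;
    hardened)
        cat <<'EOF'
# Constructed sample: the same file after the edits from step 5
Port 22
PermitRootLogin no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
        ;;
    esac
}

# Usage on the server:
#   check_sshd_hardening /etc/ssh/sshd_config && echo "hardened"
```

On the server itself, `sudo sshd -t` checks the edited file for syntax errors and `sudo sshd -T` prints the fully resolved configuration (on newer OpenSSH releases this includes files pulled in by Include lines), which is the authoritative version of this check. Reload sshd after editing, and keep the session you are editing from open until a fresh key-based login from a second terminal has succeeded, because a mistake in step 5 locks everyone who still relies on a password out of the machine.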