
OpenSSH Public Key Authentication

by SupportPRO Admin

Public-key authentication is based on digital signatures. Each user creates a pair of keys: a public key and a private key. The private key stays with the user and the public key is given to the server. When the user tries to authenticate, the server looks for a matching public key and sends a challenge to the user, which is answered with the private key. Because the private key is what authenticates you, never give it to anyone: whoever obtains your private key can log in to the server as you. Keep the private key file in a secure place and make sure nobody else has access to it.

Secure Shell (SSH) public key authentication lets clients access servers without using passwords.

Steps to configure public key authentication

OpenSSH is the SSH software installed on the client system. The ssh -V command shows the installed OpenSSH version details:

$ ssh -V

OpenSSH_3.6.1p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090702f

If sshd is listening on a non-standard port, you need to specify that port when connecting. The custom port can be given as follows:

$ ssh -p 1111 server.test.com

or

$ ssh -oPort=1111 server.test.com

An RSA key pair is generated on the client system. The public key is provided to the server that is to be connected to, while the private key must remain in a protected location on the client. By default it is stored in ~/.ssh/id_rsa.

New keys can be generated with the ssh-keygen command:

client$ mkdir ~/.ssh

client$ chmod 700 ~/.ssh

client$ ssh-keygen -t rsa

Enter passphrase

Enter same passphrase again:

File permissions must be restricted to prevent other users from reading the key pair. OpenSSH may refuse public key authentication if the file permissions are too open.

$ chmod -R 700 ~/.ssh

The public key must be copied to every server the client will access. The public key data to copy is in the ~/.ssh/id_rsa.pub file on the client, and it must be appended to the ~/.ssh/authorized_keys file on each server.

First, upload the public key from the client to the server (note the trailing colon; without it scp writes a local file named root@server.test.com instead of copying to the server's home directory):

client$ scp ~/.ssh/id_rsa.pub root@server.test.com:

Set up the public key on the server:

server$ mkdir ~/.ssh

server$ chmod 700 ~/.ssh

server$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys

server$ chmod 600 ~/.ssh/authorized_keys

Always append new public key data to the authorized_keys file, since several public keys may be in use. Each public key entry must be on its own line.

A from option can be placed before a public key entry in the ~/.ssh/authorized_keys file on the server to limit where the client is allowed to connect from. Without a from restriction, any client with the appropriate private key can connect to the server from anywhere. For the key pair to work only when the connecting client is a host under test.com, put from="*.test.com" before the public key data:

server$ cat ~/.ssh/authorized_keys

from="*.test.com" ssh-rsa AAAAB3NzaC1

Multiple hosts or addresses can be specified as comma-separated values:

from="*.test.com,external.example.com"
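The server-side steps above (create ~/.ssh with mode 700, append the key to authorized_keys with mode 600, one key per line, optionally with a from restriction) can be collected into one idempotent shell function. This is an added example, not part of the original article: it goes beyond the RSA-only text by accepting the other OpenSSH key types, refuses a malformed key file or a from pattern that would break the options field, detects a key that is already installed by its base64 blob, and handles an authorized_keys file whose last line lacks a trailing newline (appending to such a file would otherwise glue the new key onto the previous entry). The function name and all file paths are this example's own choices.

```shell
# install_authorized_key PUBKEY_FILE AUTHORIZED_KEYS [FROM_PATTERN]
# Appends the one public key in PUBKEY_FILE to AUTHORIZED_KEYS on its own
# line, optionally prefixed with from="FROM_PATTERN", and sets the
# directory (0700) and file (0600) permissions sshd expects. Re-running
# with a key that is already present changes nothing (returns 1);
# malformed input returns 2 before anything is written.
install_authorized_key() {
    pubkey_file=$1; auth_keys=$2; from_pattern=${3:-}
    # Accept exactly one "keytype base64 [comment]" line; reject an empty
    # file, a private key, or two keys pasted together.
    [ -r "$pubkey_file" ] && [ "$(grep -c . "$pubkey_file")" -eq 1 ] || return 2
    key_type=$(awk 'NR==1{print $1}' "$pubkey_file")
    key_blob=$(awk 'NR==1{print $2}' "$pubkey_file")
    case "$key_type" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 2 ;;
    esac
    printf '%s' "$key_blob" | grep -Eq '^[A-Za-z0-9+/]+=*$' || return 2
    # sshd parses the options field itself: a quote or whitespace inside
    # the pattern would change the meaning of the entry, so refuse it.
    case "$from_pattern" in *'"'*|*[[:space:]]*) return 2 ;; esac
    # With StrictModes (the default) sshd ignores the file when it or its
    # parent directory is group/world writable, so fix permissions first.
    auth_dir=$(dirname "$auth_keys")
    mkdir -p "$auth_dir" && chmod 700 "$auth_dir"
    ( umask 077; touch "$auth_keys" ) && chmod 600 "$auth_keys"
    # Compare the base64 blob rather than the whole line, so the same key
    # with another comment or option string still counts as a duplicate.
    grep -Fq -- "$key_blob" "$auth_keys" && return 1
    # If the existing last line has no trailing newline, appending would
    # glue the new key onto it; terminate that line first.
    if [ -s "$auth_keys" ] && [ -n "$(tail -c 1 "$auth_keys")" ]; then
        printf '\n' >> "$auth_keys"
    fi
    entry=$(head -n 1 "$pubkey_file")
    if [ -n "$from_pattern" ]; then
        printf 'from="%s" %s\n' "$from_pattern" "$entry" >> "$auth_keys"
    else
        printf '%s\n' "$entry" >> "$auth_keys"
    fi
}
# Usage on the server after the scp step:
#   install_authorized_key ~/id_rsa.pub ~/.ssh/authorized_keys '*.test.com'
```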
