Securing SSH Sessions The Easy Way
SSH keys
OpenSSH supports a method of authentication far more secure than keyboard-interactive password authentication, based on public/private key cryptography. A pair of keys is generated on the machine you log in from: a private key, which never leaves that machine and which you should protect with a passphrase, and a matching public key, which is copied to the remote machine and lets it recognise you. The server checks that you hold the private key corresponding to an authorized public key, so no password ever crosses the network. The pair is generated with the ssh-keygen(1) utility on the machine you intend to log in from; nothing needs to be generated on the machine you intend to log in to. For example;
ssh-keygen -t rsa
The -t option specifies the type of key to be generated. When this was written the available types were dsa and rsa; current OpenSSH releases also offer ecdsa and ed25519 (ed25519 is the usual choice today) and have deprecated dsa, so check ssh-keygen(1) on your system.
Running this command on your UNIX machine should give you output like this:
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/example/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/example/.ssh/id_rsa.
Your public key has been saved in /home/example/.ssh/id_rsa.pub.
Setting a passphrase is highly recommended. Good passphrases are between 10 and 30 characters long and are not easily guessable in any way. If you do not enter a passphrase, you will be able to log in to your remote system without typing anything, but so will anyone who obtains a copy of your id_rsa file, since the file is then all that stands between them and your account. If typing the passphrase on every login is a nuisance, ssh-agent(1) lets you enter it once per session instead.
The next step is to authorize your key on the remote machine you intend to log in to. sshd(8) looks for authorized public keys in the file ~/.ssh/authorized_keys of the account you are logging in as, one key per line. Copy your ~/.ssh/id_rsa.pub file onto your remote machine using scp(1); note that the command below overwrites any authorized_keys already there, so if that account already has keys, append to the file instead (ssh-copy-id(1), where available, does this for you), and make sure the remote ~/.ssh directory exists first.
scp ~/.ssh/id_rsa.pub example.com:.ssh/authorized_keys
Now log in to your target machine using ssh(1) with a debug level of 1 (the -v flag), as previously shown; here foo is the account on example.com that you authorized the key for;
ssh -v -C -c blowfish -l foo example.com
The -c blowfish option belongs to the era this was written in; current OpenSSH no longer offers blowfish and will reject the option, so leave -c off and let the client negotiate a cipher.
You will see debug messages like so;
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/example/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 435
debug1: read PEM private key done: type rsa
You should then be prompted for your key passphrase (if you entered one) and then let into the system. If you didn't enter a passphrase upon generating your public/private keys, you will be passed through without having to enter any. The pkalg value in the debug output names the key type the server accepted (ssh-rsa for an RSA key); if instead you see the client fall through to the next authentication method and ask for a password, the key was rejected. The usual cause is permissions: with its default StrictModes setting, sshd ignores authorized_keys if your remote home directory, ~/.ssh or the file itself is group- or world-writable, so make ~/.ssh mode 700 and authorized_keys mode 600 on the remote machine. On the local machine the private key must be readable only by you (mode 600), or ssh will refuse to use it.
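The steps above (generate a key pair, install the public key in the remote authorized_keys, check the permissions sshd and ssh insist on) as a small POSIX shell script. This is an added example, not code from the original article: install_authorized_key and check_ssh_perms are helper names chosen here, the script assumes public-key lines in the plain "type blob comment" form that ssh-keygen writes, and it is meant to be run on the machine whose ~/.ssh you are editing (for the remote side, run it there after copying the .pub file across).

```shell
#!/bin/sh
# Added example (not from the article): install an SSH public key into
# authorized_keys without clobbering existing keys, and check the file
# modes that sshd's StrictModes and the ssh client require.
set -eu

# install_authorized_key HOMEDIR PUBKEY_FILE
# Creates HOMEDIR/.ssh (mode 700) and authorized_keys (mode 600) if missing,
# then appends the key unless the same key blob is already present.
# Assumes plain "type blob comment" lines, as written by ssh-keygen.
install_authorized_key() {
    home="$1"; pub="$2"
    sshdir="$home/.ssh"
    ak="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$ak"
    chmod 600 "$ak"
    # Compare on the base64 blob (field 2) so a different comment on the
    # same key does not produce a duplicate line.
    blob=$(awk '{print $2}' "$pub")
    if awk -v b="$blob" '$2 == b {found=1} END {exit !found}' "$ak"; then
        echo "key already authorized"
        return 0
    fi
    cat "$pub" >> "$ak"
    echo "key added"
}

# check_ssh_perms HOMEDIR
# Reports files that sshd or ssh would refuse; returns 1 if any are found.
# ls -ld gives "drwx------": chars 5-7 are group bits, 8-10 are other bits.
check_ssh_perms() {
    home="$1"; bad=0
    for f in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$f" ] || continue
        # group-write (char 6) or other-write (char 9) set -> StrictModes rejects it
        if [ "$(ls -ld "$f" | cut -c6,9)" != "--" ]; then
            echo "$f is group- or world-writable; sshd will ignore authorized_keys" >&2
            bad=1
        fi
    done
    # Private keys must have no group/other bits at all, or ssh ignores them.
    for k in "$home"/.ssh/id_*; do
        case "$k" in *.pub) continue ;; esac
        [ -f "$k" ] || continue
        if [ "$(ls -ld "$k" | cut -c5-10)" != "------" ]; then
            echo "$k is accessible to others; ssh will refuse to use it" >&2
            bad=1
        fi
    done
    return $bad
}

# Usage: sh setup-key.sh demo
# Runs the whole procedure against a scratch directory, never your real ~/.ssh.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    # -N '' gives an unprotected key; only acceptable because this is a throwaway.
    ssh-keygen -q -t ed25519 -N '' -f "$tmp/id_ed25519" -C "demo@example.com"
    install_authorized_key "$tmp/remote" "$tmp/id_ed25519.pub"
    install_authorized_key "$tmp/remote" "$tmp/id_ed25519.pub"   # no-op second time
    check_ssh_perms "$tmp/remote" && echo "permissions OK"
    rm -rf "$tmp"
fi
```

The duplicate check compares the key blob rather than the whole line, because a public-key line can carry a changed comment or options while the key itself is unchanged. check_ssh_perms deliberately treats the home directory the same way as ~/.ssh: a world-writable home directory is enough for sshd to ignore the key, and it is the case people forget.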
If you wish to change your key passphrase at any time, you can do so by passing the -p flag to the ssh-keygen utility (add -f with the key file's path if it is not the default ~/.ssh/id_rsa); this re-encrypts the private key in place and does not change the key itself, so the public key on the remote machine stays valid;
ssh-keygen -p