Wednesday, August 24, 2016

SSH Public Key Based Authentication

Why do I want to use public key authentication:-

Passwords aren't the most secure things in the world. Even if a user picks a 'secure' password that's stronger than their dog's name, the password is still susceptible to a brute-force attack. Brute force attacks via ssh against user passwords are quite common on the Internet and several prevalent worms and zombies perform automated attacks incessantly against any internet-connected host. Even a secure password is at risk to these attacks, done by hand or by worm. Allowing password access to a system with many users is an invitation for a security breach.
Additionally, if you've got accounts on a large number of hosts it's tempting to reuse the same password on more than one host to reduce the number of passwords that your fingers have to memorize. Each shared password on a remote system puts you more at risk of a brute force attack on that host's password file, and means that if one host is compromised, all your other hosts sharing that same password are significantly less safe. Heck, you could accidentally "erp" your password into an IRC channel by mistake some day and then spend the rest of the afternoon finding all the systems where you've re-used that password so that you can change it before anyone figures it out. It's not fun (or so I've heard!)
Thankfully, there's a solution! OpenSSH has a robust and well-tested public key authentication system built right in. When set up properly, it's not only more secure than using passwords but it's also a lot easier to use. How often does that happen?


What does public key mean, exactly:-

Public-key authentication (or PKI -- a public key infrastructure) is an authentication method that relies on a generated public/private keypair. With PKI a special "key" is generated which has a very useful property: anyone who can read the public half of the key is able to encrypt data which can then only be read by a person who has access to the private half of the key. In this way, having access to the public half of a key allows you to send secret information to anyone with the private half, and also to verify that a person does in fact have access to the private half. It's easy to see how this technique could be used to authenticate.
As a user, you can generate a keypair and then place the public half of the key on a remote system. That remote system is then able to authenticate you, or prove that you are really you, and allow you to login just by having you demonstrate that you have access to the private half of the keypair. This is done at the protocol level inside SSH and happens automatically.
It does, however, mean that you need to protect the privacy of the private key. On a shared system where you do not have root this can be accomplished by encrypting the private key with a passphrase, which functions similarly to a password. Before SSH can read your private key in order to perform the public key authentication you'll be asked to supply the passphrase so that the private key can be decrypted. On more secure systems (like a machine where you are the only user, or a machine at your home where no strangers will have physical access) you can simplify this process either by creating an unencrypted private key (with no passphrase) or by entering your passphrase once and then caching the key in memory for the duration of your time at the computer. OpenSSH contains a tool called ssh-agent which simplifies this process.


How to set up:-
The first thing you need to do is generate a keypair using the ssh-keygen tool which is part of OpenSSH. Windows users who use PuTTY can use the related putty-keygen.exe program in the same manner. SecureCRT has a keypair generator built in as well. Here's a log of creating a keypair:

1. Log in as your user and change to the .ssh directory:-
[noc@noc ~]$ cd .ssh
[noc@noc .ssh]$ ll
known_hosts
(You will see this file, which contains the public keys of the remote hosts.)

2. Create the cryptographic key on the FreeBSD/Linux/UNIX workstation. Enter:-
[noc@noc .ssh]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/noc/.ssh/id_rsa):



Note:- give the passphrase you want or leave it empty.

[noc@noc .ssh]$ ls -l
id_rsa      : identification (private) key
id_rsa.pub  : public key
(You will see the public key as well as the private key.)

3. Use scp to copy id_rsa.pub to the server with which you want passwordless, secure communication:-
[noc@noc .ssh]$ scp id_rsa.pub shekhar@192.168.100.200:.ssh/authorized_keys

4. Now ssh from your server:-
[noc@noc ~]$ ssh shekhar@192.168.100.200

This will log you in without prompting for a password.

5. Changing the passphrase on the workstation:-
[noc@noc ~]$ ssh-keygen -p
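
The scp command in step 3 replaces any authorized_keys file that already exists on the server, so keys installed earlier stop working. The function below is an added example, not part of the original post: run on the server against a copied .pub file, it appends the key instead of overwriting and sets the file modes sshd expects. The name install_pubkey, its arguments and the sample key strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: append a public key to authorized_keys without overwriting
# existing entries. install_pubkey and its arguments are hypothetical names.

# install_pubkey PUBKEY_FILE HOME_DIR
# Returns 0 if the key was added or already present, 1 if the file is rejected.
install_pubkey() {
    pub=$1
    ssh_dir=$2/.ssh
    auth=$ssh_dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Refuse anything that looks like the private half of the keypair.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key, refusing" >&2
        return 1
    fi

    # Take the first line and require "type base64 [comment]".
    key=$(head -n 1 "$pub")
    case $key in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "$pub is not an OpenSSH public key" >&2; return 1 ;;
    esac

    # With StrictModes (the sshd default), group/world-writable paths are rejected.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Append only if this exact line is not already authorized.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Demo in a scratch directory with constructed key strings (not real keys).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/.ssh"
    echo 'ssh-rsa AAAAexisting other@host' > "$tmp/.ssh/authorized_keys"
    echo 'ssh-rsa AAAAconstructed noc@noc' > "$tmp/id_rsa.pub"
    # Installing twice must leave exactly two lines: the old key and the new one.
    install_pubkey "$tmp/id_rsa.pub" "$tmp" && install_pubkey "$tmp/id_rsa.pub" "$tmp"
    wc -l < "$tmp/.ssh/authorized_keys"
    rm -rf "$tmp"
}
demo
```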
