Friday, June 14, 2013

Permissions for .ssh directory and authorized_keys file

The permission for directory .ssh should be 700. It means drwx------ : only the owner can read, write or enter it.
# chmod 700 ~/.ssh

The permission for file authorized_keys should be 600.
It means -rw------- : only the owner can read or write it.
# chmod 600 ~/.ssh/authorized_keys

sshd checks these modes (StrictModes is on by default). If .ssh, authorized_keys or your home directory is writable by group or others, sshd ignores the key, logs "Authentication refused: bad ownership or modes" and falls back to asking for a password.
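The two chmod lines above fix the modes; the script below, added here as an example and not part of the original post, audits them the way sshd does and repairs them. It also covers the home directory itself, which the post does not mention but which sshd checks too. It assumes GNU `stat -c` (Linux); the paths are hypothetical and the demo at the bottom only touches a throwaway directory.

```shell
#!/bin/sh
# Added example (not from the original post): audit and fix the modes that
# sshd checks under StrictModes (its default) before it will trust
# ~/.ssh/authorized_keys. Assumes GNU `stat -c` (Linux); paths are
# hypothetical and the demo at the bottom works on a throwaway directory.

# mode_of PATH -> octal mode, e.g. 700 or 1777
mode_of() {
    stat -c '%a' "$1"
}

# writable_by_others PATH -> 0 if group or world has the write bit
writable_by_others() {
    mode=$(mode_of "$1")
    case "${mode%?}" in *[2367]) return 0 ;; esac   # group digit
    case "$mode"     in *[2367]) return 0 ;; esac   # other digit
    return 1
}

# audit_ssh_perms HOME_DIR -> 0 if everything is as the post requires,
# otherwise prints each problem and returns 1
audit_ssh_perms() {
    home_dir=$1
    ssh_dir="$home_dir/.ssh"
    ak="$ssh_dir/authorized_keys"
    rc=0
    if [ ! -d "$ssh_dir" ]; then
        echo "missing directory: $ssh_dir"
        return 1
    fi
    # sshd also refuses keys when the home directory itself is group- or
    # world-writable, a case the chmod lines in the post do not cover.
    if writable_by_others "$home_dir"; then
        echo "$home_dir is writable by group or others"
        rc=1
    fi
    if [ "$(mode_of "$ssh_dir")" != 700 ]; then
        echo "$ssh_dir is $(mode_of "$ssh_dir"), should be 700"
        rc=1
    fi
    # sshd itself only insists that the file is not writable by others;
    # 600 is the post's (stricter) recommendation, so that is what we check.
    if [ -f "$ak" ] && [ "$(mode_of "$ak")" != 600 ]; then
        echo "$ak is $(mode_of "$ak"), should be 600"
        rc=1
    fi
    return $rc
}

# fix_ssh_perms HOME_DIR -> the post's chmod lines plus the home-dir fix
fix_ssh_perms() {
    chmod go-w "$1"
    chmod 700 "$1/.ssh"
    if [ -f "$1/.ssh/authorized_keys" ]; then
        chmod 600 "$1/.ssh/authorized_keys"
    fi
}

# Demo on a throwaway home directory with deliberately wrong modes.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/home/.ssh"
: > "$demo_dir/home/.ssh/authorized_keys"
chmod 775 "$demo_dir/home"
chmod 755 "$demo_dir/home/.ssh"
chmod 644 "$demo_dir/home/.ssh/authorized_keys"
audit_ssh_perms "$demo_dir/home" || echo "-> fixing"
fix_ssh_perms "$demo_dir/home"
audit_ssh_perms "$demo_dir/home" && echo "-> ok"
rm -rf "$demo_dir"
```

Run `audit_ssh_perms /home/username` (or `/root`) on the server for the account you log into; the audit reports every problem at once, and `fix_ssh_perms` applies the post's two chmod lines plus `chmod go-w` on the home directory.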

Generate ssh keys

Setting up SSH public/private keys

An ssh identity is a key pair, so there are two keys to keep track of :

a) the public key, which you copy to every server you want to log into, &
b) the private key, which stays on your machine and must never be shared.

RSA & DSA are the two public key algorithms covered here.
RSA was named after the initials of its inventors, Rivest, Shamir and Adleman.
DSA is the Digital Signature Algorithm.

Difference between DSA & RSA :
DSA is faster at signing but slower at verifying. A 1024-bit DSA key produces a much smaller signature than a 1024-bit RSA key (40 bytes against 128). 512-bit RSA keys have been factored in public, so RSA keys must be larger than that: use at least 2048 bits (current ssh-keygen defaults to 3072). In OpenSSH a DSA key is fixed at 1024 bits, which is no longer considered strong, and ssh-dss keys have been disabled by default on both client and server since OpenSSH 7.0 (2015). Pick RSA unless you must talk to an old server that only accepts DSA.

Path of Public & Private keys file :
If you are root
Public key file :  /root/.ssh/id_dsa.pub or /root/.ssh/id_rsa.pub
Private key file : /root/.ssh/id_dsa or /root/.ssh/id_rsa

If you are user
Public key file :  /home/user/.ssh/id_dsa.pub or /home/user/.ssh/id_rsa.pub
Private key file : /home/user/.ssh/id_dsa or /home/user/.ssh/id_rsa

Generate a key pair : dsa

# ssh-keygen -t dsa

Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
c9:a7:51:72:2b:e1:58:be:2a:12:53:41:28:03:e2:3e root@user-To-be-filled-by-O-E-M
The key's randomart image is:
+--[ DSA 1024]----+
|+  o.            |
|= . .            |
| +   .  + o      |
|.   .  * * .     |
| E .  . S o      |
|  +      *       |
|   o    o        |
|  . .  .         |
|   . ..          |
+-----------------+

In your .ssh directory
id_dsa.pub is the public key file & id_dsa is the private key file.

Generate a key pair : rsa

# ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
44:ba:dc:d2:e1:f8:27:27:db:c0:e8:e5:21:31:43:2d root@user-To-be-filled-by-O-E-M
The key's randomart image is:
+--[ RSA 2048]----+
|        .        |
|       +         |
|      E +        |
|     o O .       |
|      O S        |
|       O         |
|      o O o      |
|     . + X       |
|      . o .      |
+-----------------+



In your .ssh directory
id_rsa.pub is the public key file & id_rsa is the private key file.

NOTE :

You need either an RSA or a DSA key pair; you do not need to generate both. Whichever you pick, the private key never leaves your machine: only the .pub file is copied to servers, and anyone who gets hold of the private key can log in wherever that public key is authorised.
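The interactive ssh-keygen runs above are fine by hand; in a provisioning script you want the same thing without prompts, plus a check that the .pub file really belongs to the private key before you copy it around. The script below is an added example, not from the original post or from OpenSSH itself; it needs the OpenSSH client tools installed, and the directory, file names and comment are hypothetical. DSA is left out on purpose for the reasons given in the RSA/DSA comparison above.

```shell
#!/bin/sh
# Added example, not from the original post: the same ssh-keygen run as above,
# but non-interactive (for provisioning scripts), followed by the checks you
# want before shipping a key: print its fingerprint and confirm the .pub file
# really is the public half of the private key. DSA is left out on purpose:
# OpenSSH caps DSA at 1024 bits and has disabled ssh-dss by default since 7.0.
# Directory, file names and comment are hypothetical.

# make_keypair DIR NAME COMMENT [BITS] -> prints the private key path
make_keypair() (                        # ( ) body keeps the umask change local
    dir=$1; name=$2; comment=$3; bits=${4:-4096}
    umask 077                           # private key is created 600
    mkdir -p "$dir"
    if [ -e "$dir/$name" ]; then
        echo "refusing to overwrite $dir/$name" >&2
        exit 1                          # exits the ( ) body, i.e. returns 1
    fi
    # -N '' means no passphrase, which is what an unattended job needs; for a
    # key you use by hand, drop -N and let ssh-keygen prompt, as in the post.
    ssh-keygen -q -t rsa -b "$bits" -N '' -C "$comment" -f "$dir/$name"
    printf '%s\n' "$dir/$name"
)

# fingerprint KEYFILE -> fingerprint field of `ssh-keygen -l`
# (SHA256:... on current OpenSSH, the colon-separated MD5 shown in the post
# on older versions)
fingerprint() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# pub_matches_priv PUB PRIV -> 0 if PUB is the public key derived from PRIV
# (`ssh-keygen -y` recomputes the public key from the private one)
pub_matches_priv() {
    claimed=$(awk '{print $1" "$2}' "$1")
    derived=$(ssh-keygen -y -f "$2" | awk '{print $1" "$2}')
    [ -n "$claimed" ] && [ "$claimed" = "$derived" ]
}

# Demo in a throwaway directory (2048 bits to keep it quick).
if command -v ssh-keygen >/dev/null 2>&1; then
    demo=$(mktemp -d)
    key=$(make_keypair "$demo" id_rsa "demo@example" 2048)
    echo "private key: $key  (mode $(stat -c '%a' "$key"))"
    echo "fingerprint: $(fingerprint "$key.pub")"
    pub_matches_priv "$key.pub" "$key" && echo "public key matches private key"
    rm -rf "$demo"
fi
```

`ssh-keygen -y -f id_rsa` is also the quickest way to recover a lost .pub file, and `ssh-keygen -lf` on either half prints the fingerprint you compare with the one shown on the server side.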


Linux server authentication without password

Log into Linux server without password :
ssh login without password :

If you log into a Linux server frequently using ssh and it asks for the password every time, and you are sick of typing the server's password, read ahead.

This process is easy and, done properly, at least as secure as password login: the server only ever sees your public key, and an attacker needs your private key file (and its passphrase, if you set one) to get in. The weak spot moves to that file, so keep it at mode 600 and give it a passphrase (ssh-agent saves you from retyping it).

Just follow these steps to get rid of typing the password.

1. Open the .ssh directory inside your home directory on the client.
2. There should be a .pub file inside it, either id_dsa.pub or id_rsa.pub according to your key type. If you do not have keys in the directory, generate them (see the key generation section above).
3. Now open the .ssh directory of the account you log into on the server and save the content of your public key file ( id_dsa.pub or id_rsa.pub ) as a file named authorized_keys inside that directory.
4. If there is already an authorized_keys file inside the server's .ssh directory, copy the content of your public key file and paste it at the end of authorized_keys, on its own line, without removing anything.
5. Now save the file.

Bottom line : the content of the client's public key file must end up in the authorized_keys file of the account you log into on the server.

To do this process using the command line :
There are several combinations of accounts, which is why I wrote the process in steps.
1. The client is a user and the server account is a user, or the client is a user and the server account is root, or the client is root and the server account is a user, or both are root.
2. If the client is a user, the path of the public key file is /home/username/.ssh/id_dsa.pub or /home/username/.ssh/id_rsa.pub
If the client is root, the path of the public key file is /root/.ssh/id_dsa.pub or /root/.ssh/id_rsa.pub
3. If the server account is a user, the path of authorized_keys is /home/username/.ssh/authorized_keys
If the server account is root, the path of authorized_keys is /root/.ssh/authorized_keys
4. An authorized_keys file may already exist inside the .ssh directory. If you replace it with yours, every other user relying on this password-less login loses it, so always append your public key to the existing authorized_keys file without removing anything.

I am giving some examples of test cases and you will understand how to do this.
Case : 1
Suppose you are a user and trying to log into the server as root. There is no authorized_keys file inside the .ssh directory of the server (the directory itself already exists). You have an id_dsa.pub file in your .ssh directory.
Just run the following command (it asks for root's password one last time).
# scp /home/user/.ssh/id_dsa.pub root@192.168.xx.xx:/root/.ssh/authorized_keys
Case : 2
Suppose you are a user and trying to log into the server as root. There is an existing authorized_keys file inside the .ssh directory of the server. You have an id_dsa.pub file in your .ssh directory.
Just run the following command; it streams the public key over ssh and appends it on the server, so no temporary file is left behind.
# ssh root@192.168.xx.xx "cat >> /root/.ssh/authorized_keys" < /home/username/.ssh/id_dsa.pub
where
192.168.xx.xx : IP of the server
root@ : the account you want to log into on the server (needed because your local user name is not root)
id_dsa.pub : public key file on the client's system

Afterwards "ssh root@192.168.xx.xx" should log in without asking for a password. If it still asks, check the permissions below and the server's auth log.
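The steps and cases above all come down to "append the key, never overwrite, keep the modes right". The script below is an added example (not from the original post) that does exactly that with the checks a practitioner wants: it creates .ssh if missing, skips a key that is already present so repeated runs do not pile up duplicates, and leaves .ssh at 700 and authorized_keys at 600. It works on a local home directory so it can run here; remote_install shows the same append over ssh. The host name, paths and the key lines in the demo are constructed, not real keys.

```shell
#!/bin/sh
# Added example, not from the original post. install_pubkey does what the
# post's steps 3-5 describe (append the client's public key to the server
# account's authorized_keys, never overwrite it) and adds the checks a
# practitioner wants: it creates .ssh if missing, refuses to add a key that
# is already there, and leaves the modes at 700/600. It works on a local
# home directory so it can run here; remote_install shows the same thing
# over ssh. Host name, paths and the key lines in the demo are constructed.

# install_pubkey PUBKEY_FILE TARGET_HOME -> prints how many keys were added
install_pubkey() (                      # ( ) body: umask change stays local
    pubkey_file=$1
    ssh_dir="$2/.ssh"
    ak="$ssh_dir/authorized_keys"
    umask 077                           # new dir/file come out 700/600
    mkdir -p "$ssh_dir"
    touch "$ak"
    added=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac     # skip blanks/comments
        # The base64 blob (field 2 of "type blob comment") identifies the
        # key; comparing on it ignores a changed comment. Lines carrying
        # authorized_keys options (from=..., command=...) are not handled.
        blob=$(printf '%s\n' "$line" | awk '{print $2}')
        [ -n "$blob" ] || continue
        if grep -qF -- "$blob" "$ak"; then
            continue                    # already authorised, do not duplicate
        fi
        printf '%s\n' "$line" >> "$ak"
        added=$((added + 1))
    done < "$pubkey_file"
    chmod 700 "$ssh_dir"                # also repairs a pre-existing .ssh
    chmod 600 "$ak"
    echo "$added"
)

# remote_install USER@HOST PUBKEY_FILE: the post's case 2 without the
# temporary file, streaming the key over ssh and appending on the server.
# Not idempotent; `ssh-copy-id USER@HOST` does the same job with dedup.
remote_install() {
    ssh "$1" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys' < "$2"
}

# Demo against a throwaway directory with two constructed (not real) keys.
demo=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYONE alice@laptop' > "$demo/alice.pub"
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYTWO bob@desk'     > "$demo/bob.pub"
echo "alice, first time:  $(install_pubkey "$demo/alice.pub" "$demo/root")"   # 1
echo "alice, second time: $(install_pubkey "$demo/alice.pub" "$demo/root")"   # 0
echo "bob:                $(install_pubkey "$demo/bob.pub"   "$demo/root")"   # 1
cat "$demo/root/.ssh/authorized_keys"
rm -rf "$demo"
```

Most distributions ship `ssh-copy-id` with the OpenSSH client; `ssh-copy-id root@192.168.xx.xx` does the remote append (with duplicate detection and the right modes) and is what you would normally type by hand. The function form above is for the cases where you manage authorized_keys files yourself, for instance from a provisioning script on the server side.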

Permissions for .ssh directory and authorized_keys file
On the server, for the account you log into, the .ssh directory must be 700 (drwx------) and authorized_keys must be 600 (-rw-------); otherwise sshd ignores the key and keeps asking for a password.
# chmod 700 ~/.ssh
# chmod 600 ~/.ssh/authorized_keys
