Certificates are a useful way of restricting access to your SSH server because a user must have three things to log onto the server:
- Username
- Password
- Certificate
Normally they would only need a username and password, which can be guessed at or (potentially) brute forced. Forcing the user to supply a certificate on log on means that they must also have a tangible source of identification (without the key file they cannot log in!).
Creating the key pair
Log onto the server and run ssh-keygen; you will be asked a few questions, as follows (enter a passphrase):
user@host$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
95:60:c2:31:2e:94:cf:66:b6:fa:8b:b8:45:6c:dd:22 user@server
The key's randomart image is:
+--[ RSA 2048]----+
|      .o+.o      |
|     ....+ . .   |
|       .o. o     |
|      . o*. .    |
|       E+o.S     |
|        o ...    |
|         ..      |
|        o..      |
|       o...o.    |
+-----------------+
This will generate two files:
- id_rsa
- id_rsa.pub
in the .ssh directory under your home directory (if you chose the defaults). They are your private and public keys respectively. The public key is the one that goes on your server and the private key is the one you use when logging into the server.
Add the public key
Now on the server run
user@server:~$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
user@server:~$ rm ~/.ssh/id_rsa
which adds the public key to the list of authorized keys for this user. Only delete the private key once you have copied it to your own machine, as described under "Conversion to PuTTY" below, because without it you cannot log in.
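The append step above works, but the key is silently ignored by sshd if ~/.ssh or authorized_keys ends up with loose permissions, and re-running it leaves duplicate lines. The script below is an added example (not code from the original post) that does the same job with those checks in place; the directory paths and the sample key it uses are constructed for the demonstration and the key is not a real key.

```shell
#!/bin/sh
# Added example, not part of the original post: a safer version of the
# "cat id_rsa.pub >> authorized_keys" step. It checks that the file really is
# one public-key line, creates ~/.ssh and authorized_keys with the modes that
# sshd's StrictModes (on by default) insists on, and skips keys that are
# already present so it can be re-run without piling up duplicates.
# The paths and the sample key at the bottom are constructed for the demo;
# the key is not a real key.

# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Prints "installed" or "already present"; returns 1 if the input is refused.
install_pubkey() {
    pubkey_file="$1"
    auth_file="$2"
    ssh_dir=$(dirname "$auth_file")

    # ssh-keygen writes exactly one newline-terminated line.
    if [ "$(wc -l < "$pubkey_file" | tr -d ' ')" -ne 1 ]; then
        echo "refusing: $pubkey_file is not a single public-key line" >&2
        return 1
    fi
    key_line=$(cat "$pubkey_file")

    # Only accept the key types sshd knows; anything else is not a key.
    case "$key_line" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing: unrecognised key type in $pubkey_file" >&2; return 1 ;;
    esac

    # A group- or world-writable ~/.ssh or authorized_keys makes sshd ignore
    # the keys without any error, a classic "why doesn't my key work" cause.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Compare key type and base64 blob only; the trailing comment is free text.
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $1, $2}')
    if awk '{print $1, $2}' "$auth_file" | grep -qxF "$key_blob"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "installed"
}

# Stand-alone demo in a scratch directory (constructed data, not a real key).
demo_dir=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEonlyNOTaREALkeyCONSTRUCTEDforDEMO user@laptop' \
    > "$demo_dir/id_ed25519.pub"
install_pubkey "$demo_dir/id_ed25519.pub" "$demo_dir/.ssh/authorized_keys"
install_pubkey "$demo_dir/id_ed25519.pub" "$demo_dir/.ssh/authorized_keys"
ls -ld "$demo_dir/.ssh" "$demo_dir/.ssh/authorized_keys"
```

If you generate the key pair on the machine you will log in from instead of on the server, only the public key ever needs to travel, and `ssh-copy-id user@server` performs this same install step for you over SSH.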
Activate the key based authentication on the server
To edit the config run
user@server:~$ sudo vim /etc/ssh/sshd_config
Ensure that you have the following lines uncommented and set correctly in your configuration file:
RSAAuthentication yes
PubkeyAuthentication yes
If you wish to lock non-certified logins out of the server then also ensure you activate the following settings:
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
Now reload the SSH configuration to get the new settings going:
user@server:~$ sudo /etc/init.d/ssh reload
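A common way for these settings to silently not take effect is that sshd uses the first occurrence of a keyword in sshd_config, so lines appended to the bottom of a file that still contains an earlier "PasswordAuthentication yes" change nothing. The script below is an added example (not code from the original post) that reads a config file with those rules and reports which of the settings listed above are not in effect; the two sample configs it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: audits an sshd_config file for
# the settings the post asks for. It reads the file the way sshd does for the
# global section: keywords are case-insensitive, comments and blank lines are
# skipped, the FIRST occurrence of a keyword wins, and anything after a Match
# line belongs to that block rather than to the global section. The sample
# configs at the bottom are constructed for the demo.

# effective_value CONFIG_FILE KEYWORD -> prints the value sshd would use,
# or nothing if the keyword is not set explicitly in the global section.
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blank lines
        tolower($1) == "match"   { exit }             # Match blocks are conditional
        tolower($1) == want      { print $2; exit }   # first occurrence wins
    ' "$1"
}

# check_setting CONFIG_FILE KEYWORD EXPECTED -> 0 if the effective value matches
check_setting() {
    actual=$(effective_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "ok       $2 $3"
        return 0
    fi
    echo "MISMATCH $2 is '${actual:-not set}', wanted $3"
    return 1
}

# audit_config CONFIG_FILE -> prints one line per setting, then the number of
# settings that are not as the post requires (last line of output).
audit_config() {
    failures=0
    for pair in PubkeyAuthentication=yes PasswordAuthentication=no \
                ChallengeResponseAuthentication=no UsePAM=no; do
        check_setting "$1" "${pair%%=*}" "${pair#*=}" || failures=$((failures + 1))
    done
    # RSAAuthentication only ever applied to SSH protocol 1 and current
    # OpenSSH servers no longer honour it, so it is noted but not counted.
    if [ -n "$(effective_value "$1" RSAAuthentication)" ]; then
        echo "note     RSAAuthentication is a protocol-1 option; PubkeyAuthentication is the one that matters"
    fi
    echo "$failures"
}

# Demo with two constructed configs: one where the new lines were appended to
# the bottom of a file that still has "PasswordAuthentication yes" above them
# (the earlier line wins, so passwords stay enabled), and one done properly.
demo_dir=$(mktemp -d)
printf '%s\n' 'Port 22' 'PasswordAuthentication yes' 'UsePAM yes' \
    '# added later, but too low down to take effect:' \
    'PubkeyAuthentication yes' 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' 'UsePAM no' > "$demo_dir/appended"
printf '%s\n' 'RSAAuthentication yes' 'PubkeyAuthentication yes' \
    'ChallengeResponseAuthentication no' 'PasswordAuthentication no' \
    'UsePAM no' 'Match User backup' '    PasswordAuthentication yes' \
    > "$demo_dir/fixed"
echo "== appended =="; audit_config "$demo_dir/appended"
echo "== fixed ==";    audit_config "$demo_dir/fixed"
```

Before reloading, `sudo sshd -t` checks the file for syntax errors and `sudo sshd -T` prints the values sshd will actually use. Keep your current session open and confirm a key-based login works from a second window before you rely on PasswordAuthentication no, otherwise a mistake in the file leaves you locked out.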
Conversion to PuTTY
PuTTY has its own private key format and the private key you created earlier now needs to be converted, which is a very simple process. Firstly you need to download the key from the server and save it to your computer.
- Now open PuTTYgen, which comes when you install PuTTY (look in the PuTTY program files directory if there is no shortcut in the start menu).
- Click the "Load" button and point it to the private key we downloaded earlier (depending on the file extension you gave the key file, you may need to adjust the file extension filter in the PuTTYgen load key dialogue).
- It will ask you for the passphrase you set when you were generating the certificates – enter it!
- PuTTYgen should now tell you that it has successfully imported the certificate – click OK.
- Click the “Save private key” button and save it
Getting this to work with PuTTY
Now that the new key we just saved is compatible with PuTTY we can start a new PuTTY session as usual, but don't forget to tell PuTTY where the key file is located by looking in the Category tree menu and clicking on Connection -> SSH -> Auth. You can now click the "Browse" button and point PuTTY to the key file you just created.
Click open and a new session will load:
- Enter your username as normal
- When prompted, give the passphrase you set when creating your key (do not make the mistake of using your Linux user account password, as it won't work!)