Saturday, 29 March 2014

Dropbear SSH passwordless authentication (public key authentication).

If you want to access a remote Linux server over the internet using SSH and you are concerned about security, using public key authentication and disabling password authentication is a good option.

My scenario is that I have a Raspberry Pi running Raspbmc as a media player/home server at home. Since I wanted to access it over SSH through the internet while keeping my personal data secure, I decided to use this option, which is actually pretty easy to set up.

Step 1: Generate a public/private key pair

You will use these keys to authenticate with the server: the server holds your public key, and whenever you connect to it over SSH you prove your identity with your private key.

If you already have a key pair that you use for another server, you can skip this part (you don't need a separate key pair for each server you use).

On Linux (on your own computer if you run Linux, or on the server itself through SSH), run the following command:

ssh-keygen


You will be asked for:

1) A location for the key. You can use any filename. The utility creates two files with the name you enter: one without an extension, which is your private key, and one with the .pub extension, which is your public key.
2) A passphrase. It is very important to pick a strong passphrase, because it is what protects the key if anyone gets hold of your private key file. This is great, because anybody who wants to log in to your servers needs two things: the private key file PLUS the passphrase. Please don't pick 123456.
3) Confirmation of the passphrase.

Now you have the two files that are your private and public key.

Step 2: Set up your public key in the server

Log in to your server with your user (or just root, if you only use root).

Create a new file at "~/.ssh/authorized_keys" and copy into it the content of your public key (the file with the name you picked and the .pub extension).

This tells the SSH server which public keys are authorized to log in as the current user.

Step 3: Test that you can login using your private key

Log out of the server and try logging in with your private key. This depends on the SSH client you are using, so I'm not including instructions for each client, but a quick Google search for your client will do the trick.

This is very important: in the next step you are going to disable password authentication, so if public key authentication is not working before you disable it, you won't be able to log in to the server again.

Step 4: Disable password authentication

Don't disable it until you have double-checked that your public key authentication is working.

These instructions are for the Dropbear SSH server.

You need to edit the file "/etc/xinetd.d/ssh".

Change the line:

server_args = -i

to:

server_args = -i -s


That's all. Your server now only accepts SSH connections authenticated using public key authentication.
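Steps 2 and 4, scripted as shell functions. This is an added example and not code from the original post: it installs the public key into authorized_keys only once and with the restrictive permissions Dropbear expects before it will trust the file, and it adds "-s" to the server_args line only if it is not already there, keeping a backup of the service file. The function names, the key file name and the sample xinetd file are made up for the example; every path is a parameter so the functions can be tried against a scratch directory before being pointed at the real ~/.ssh and /etc/xinetd.d/ssh (the latter needs root).

```shell
#!/bin/sh
# Added example (not from the original post): Step 2 and Step 4 as re-runnable
# shell functions. Function names and file layout are assumptions for the demo.

# install_authorized_key PUBKEY_FILE HOME_DIR
# Appends the key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys (Step 2).
# Returns 1 if the file does not look like an SSH public key.
install_authorized_key() {
    pubkey_file=$1
    ssh_dir="$2/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Accept only a public key line, so a private key copied by mistake is
    # never installed on the server.
    key_line=$(head -n 1 "$pubkey_file")
    case "$key_line" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *|ssh-dss\ *) ;;
        *) echo "not an SSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    # The server ignores authorized_keys if it or ~/.ssh is group- or
    # world-writable, so set the permissions explicitly every time.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Compare key type and base64 blob only; the trailing comment may differ.
    key_type=${key_line%% *}
    rest=${key_line#* }
    key_blob=${rest%% *}
    if awk -v t="$key_type" -v b="$key_blob" \
          '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth_file"; then
        return 0   # already present, nothing to do
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# password_auth_disabled SERVICE_FILE
# Succeeds if the server_args line already carries the Dropbear -s flag.
password_auth_disabled() {
    grep -Eq '^[[:space:]]*server_args[[:space:]]*=([[:space:]]*|.*[[:space:]])-s([[:space:]]|$)' "$1"
}

# disable_password_auth SERVICE_FILE
# Adds "-s" (disable password logins) to the server_args line of an xinetd
# service file, as in Step 4. Leaves the file alone if -s is already set and
# returns 1 if there is no server_args line to change.
disable_password_auth() {
    service_file=$1
    grep -q '^[[:space:]]*server_args' "$service_file" || return 1
    if password_auth_disabled "$service_file"; then
        return 0
    fi
    # Keep a backup so the change can be reverted from the console if key
    # login turns out not to work after all.
    cp "$service_file" "$service_file.bak"
    sed 's/^\([[:space:]]*server_args[[:space:]]*=.*\)$/\1 -s/' \
        "$service_file.bak" > "$service_file"
}
```

Keep an existing SSH session open while you apply disable_password_auth to the real service file and make a fresh key-based login from a second terminal; the .bak copy is what you restore if that second login fails.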

