SSH Agent and pubkey authentication

In my quest to increase security on a few Internet-facing servers I run, I’ve started to use private/public key authentication and to limit which IPs can connect via SSH. Priv/pubkey auth is not new to me; in fact I’ve used it for the past ten or so years. Only the key I’ve used for all that time is very weak, so I figured I’d do something about it. I also do not like typing passwords all the time, but I want a passphrase on my key. Insert SSH Agent!

Essentially, SSH Agent loads your private key; you type in the passphrase once and then it remembers it for you. And it can be forwarded to the next server to chain it all together nicely.

I won’t do an overly detailed how-to this time, but essentially here’s what I did:

  1. Build a new key pair: ssh-keygen -b 4096 -t rsa -C MyKey. You will be asked to enter a passphrase, which is recommended. In ~/.ssh you’ll find id_rsa (private, keep it to yourself) and id_rsa.pub (public).
  2. Copy the contents of id_rsa.pub into your server’s ~/.ssh/authorized_keys. One key per line if there are multiple ones.
  3. Try the connection: ssh -o PasswordAuthentication=no you@yourserver. This forces the use of the keys. If all works well, you’ll get to enter the passphrase OF YOUR KEY, not the account password, and then you’re in.
  4. All good? Then let’s start the agent (this is preferably done in ~/.bash_profile): eval `ssh-agent`, followed by ssh-add. You can specify which key(s) to load here, but that’s for another time. Try step #3 again, and you should pop right in, no questions asked.
  5. Good! Then let’s disable password authentication. Edit /etc/ssh/sshd_config and find PasswordAuthentication. In some cases it explicitly says “PasswordAuthentication yes”; in others it’s commented out because yes is the default. We want to uncomment this and set it to no. So: PasswordAuthentication no.
  6. Now restart sshd by sending “killall -HUP sshd”. There are more elegant ways to do this, but it does the trick. If your key does not let you in now, then you’re in trouble… Don’t blame me. :)
  7. Optional: In addition to this, I opt to only trust IPs that I know. So I added “sshd: ALL” to /etc/hosts.deny and “sshd: [2001:123:456:789a::]/64” to /etc/hosts.allow. This makes sure that only my IPv6 range can get in. Changes to hosts.allow and hosts.deny take immediate effect, so be careful.
  8. Should be pretty safe now :)
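Step 6 is the point where you can lock yourself out, so here is a small pre-flight script for steps 2, 5 and 6. It is an added example and not part of the original post: it checks that the public key really is in authorized_keys (ignoring comments and per-key options), reads the effective PasswordAuthentication setting the way sshd does (first uncommented directive wins, anything after a Match block is conditional), and produces a hardened copy of sshd_config to diff before installing. The key blobs, the authorized_keys entries and the config are constructed samples written to a temp dir; the function names and the default-to-yes assumption are mine.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for steps
# 2, 5 and 6. Sample files are constructed in a temp dir; the real paths
# would be ~/.ssh/id_rsa.pub, ~/.ssh/authorized_keys and /etc/ssh/sshd_config.

# Effective PasswordAuthentication value of an sshd_config. sshd takes the
# first uncommented occurrence of a keyword; directives inside Match blocks
# are conditional, so reading stops at the first Match. Default is "yes".
effective_password_auth() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Is the key in public-key file $1 present in authorized_keys $2?
# Only key type and base64 blob are compared, so the trailing comment and
# per-key options (from=..., no-pty, ...) in authorized_keys are ignored.
key_is_authorized() {
    want=$(awk '{ print $1, $2 }' "$1")
    awk -v want="$want" '
        NF == 0 || $1 ~ /^#/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                    if ($i " " $(i + 1) == want) found = 1
                    break
                }
        }
        END { exit !found }
    ' "$2"
}

# Emit a copy of sshd_config $1 with PasswordAuthentication forced to "no"
# (step 5). An existing directive, commented out or not, is replaced
# (canonical spelling only, Match blocks included); otherwise the line is
# appended. Output goes to stdout so it can be diffed before installing.
harden_password_auth() {
    if grep -q '^[# ]*PasswordAuthentication' "$1"; then
        sed 's/^[# ]*PasswordAuthentication.*/PasswordAuthentication no/' "$1"
    else
        cat "$1"
        echo 'PasswordAuthentication no'
    fi
}

# Step 6 guard: only report it safe to turn off passwords when the key is
# already authorized. Prints the current effective setting on success.
preflight() {
    if ! key_is_authorized "$1" "$2"; then
        echo "key from $1 is NOT in $2; keep PasswordAuthentication on" >&2
        return 1
    fi
    echo "key authorized; effective PasswordAuthentication: $(effective_password_auth "$3")"
}

# Constructed sample files (not real keys, not a real config).
make_samples() {
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCconstructedKeyBlob== me@laptop' > "$1/id_rsa.pub"
    printf '%s\n' '# constructed authorized_keys' \
        'from="203.0.113.0/24",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCconstructedKeyBlob== me@laptop' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedOtherBlob other@host' > "$1/authorized_keys"
    printf '%s\n' 'Port 22' '#PasswordAuthentication yes' 'PubkeyAuthentication yes' \
        'Match User backup' '    PasswordAuthentication no' > "$1/sshd_config"
}

tmp=$(mktemp -d)
make_samples "$tmp"
preflight "$tmp/id_rsa.pub" "$tmp/authorized_keys" "$tmp/sshd_config"
harden_password_auth "$tmp/sshd_config" > "$tmp/sshd_config.hardened"
echo "after hardening: $(effective_password_auth "$tmp/sshd_config.hardened")"
rm -rf "$tmp"
```

On the sample config the first run reports "yes" (the directive is commented out, so the default applies) and the hardened copy reports "no". Keep a second session open while you install the new config and HUP sshd, and only close it once a fresh key-only login has succeeded.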


If you’re on a Windows client and use PuTTY, there are tools for this too. Use PuTTYgen to create or convert the key pair, and Pageant as the running agent. PuTTY and WinSCP will use Pageant by default when you try to connect.