Pre-shared SSH Key

These are instructions adapted from other sources to work with openSUSE Tumbleweed and Leap.

This is a quick how-to on setting up computers with pre-shared keys. It adds security when accessing machines remotely over Secure Shell (SSH). For me, this is mostly for convenience, at least the way I am setting it up.

A pre-shared key setup (more precisely, SSH public-key authentication: the server holds a copy of your public key, and your client proves possession of the matching private key) lets you log in to a server over Secure Shell (SSH) without typing a password. Optionally, you can use it to allow access only to users who can present a key the server already trusts. This is generally considered the most secure way to use SSH to reach remote machines, provided the private key itself is protected.

Create your Public and Private Key Pair

Begin at the client machine from which you do your work. Open a terminal and enter this (the -t option selects the key type; RSA is what the original instructions use, and the OpenSSH shipped with Tumbleweed and Leap also accepts -t ed25519, a shorter, modern key type):

ssh-keygen -t rsa

When prompted, enter a passphrase if you want one to protect the private key; if you do not want a passphrase, just press Enter. Accept the default file location unless you have a reason to change it.

Warning: If you do not passphrase-protect your key, then anyone who gains access to your client machine (or to a backup of it) automatically has access to the remote machine with this key. A passphrase-protected key can still be used without retyping the passphrase on every connection by loading it once into ssh-agent.

This will create two files in your ~/.ssh directory:

id_rsa
id_rsa.pub

id_rsa is your private key. This one stays on your client machine; ssh-keygen creates it readable only by you (mode 600), and it is never copied to a server.

id_rsa.pub is your public key. This key you copy to the server(s).

Copy the Public Key to Your Server(s)

Now you need to add the public key to each server you want to access with the key. In this example, replace “user” with the target user name and “hostname” with the hostname (or IP address) of the target system. The example uses Secure Copy (SCP), which authenticates exactly like SSH, so you will be asked for the user's password this one time. (OpenSSH also ships ssh-copy-id, which performs the copy-and-append steps below in one command; the manual steps show what it does.) The public key is in ~/.ssh, so give its full path, and a bare colon after the hostname puts the file in the user's home directory on the server:

scp ~/.ssh/id_rsa.pub user@hostname:

Now log in to the target server with SSH and append the key to the authorized_keys list. The .ssh directory and the file must exist and must not be writable by anyone but the user: with the default StrictModes setting, sshd silently ignores an authorized_keys file (or a ~/.ssh directory) with looser permissions, which is the most common reason key authentication “does not work”. Depending on whether you have used ssh on the server before, the directory may not exist yet, so create it first:

mkdir -p ~/.ssh
chmod 700 ~/.ssh
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Once you've imported the public key, delete the copy in your home directory; the server only needs the line in authorized_keys:

rm ~/id_rsa.pub
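The server-side steps above, as an added example that is not part of the original post: a small shell function that does the mkdir, append and chmod work the way sshd expects it, refuses input that is not a single OpenSSH public-key line, and can be re-run for the same key without duplicating it. The function and helper names (install_authorized_key, demo_install) are my own; the home directory is passed as a parameter instead of using ~ so the function can be exercised against a scratch directory, and the ed25519 key it installs in the demo is constructed for illustration, not a real key.

```shell
#!/bin/sh
# Added example, not code from the original post: install a public key into
# a user's authorized_keys the way sshd expects it, idempotently and with the
# permissions that sshd's default StrictModes requires.
# Assumptions: POSIX sh with coreutils and grep; the target home directory is
# passed explicitly instead of using ~ so the function can be run against a
# scratch directory. The pubkey file is assumed to hold one plain
# "type base64 comment" line as ssh-keygen writes it (no options prefix).

install_authorized_key() {
    pubkey_file=$1   # staged copy, e.g. ~/id_rsa.pub after scp
    home_dir=$2      # e.g. /home/user

    # Refuse anything that is not exactly one OpenSSH public-key line, so a
    # stray file (or a private key pasted by mistake) never lands in the list.
    if [ "$(wc -l < "$pubkey_file" | tr -d ' ')" != 1 ]; then
        echo "expected exactly one key line in $pubkey_file" >&2
        return 1
    fi
    key_line=$(cat "$pubkey_file")
    case "$key_line" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp*\ *|sk-*\ *) ;;
        *) echo "not an OpenSSH public key: $key_line" >&2; return 1 ;;
    esac

    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # With StrictModes yes (the default) sshd ignores the file when ~/.ssh or
    # authorized_keys is writable by group or others, so set modes explicitly
    # rather than trusting the umask.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Append only if this exact line is not already present, so re-running the
    # step for the same key does not grow the file.
    if grep -qxF -- "$key_line" "$auth_keys"; then
        echo "key already present in $auth_keys"
    else
        printf '%s\n' "$key_line" >> "$auth_keys"
        echo "key added to $auth_keys"
    fi

    # The staged copy is no longer needed; the key now lives only in the list.
    rm -f "$pubkey_file"
}

# Stand-alone demonstration on a scratch home directory with a constructed
# (not real) ed25519 public key.
demo_install() {
    scratch=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotARealOne user@client\n' \
        > "$scratch/id_ed25519.pub"
    install_authorized_key "$scratch/id_ed25519.pub" "$scratch/home"
    ls -ld "$scratch/home/.ssh" "$scratch/home/.ssh/authorized_keys"
    rm -rf "$scratch"
}

demo_install
```

On a real server you would call install_authorized_key ~/id_rsa.pub "$HOME" after the scp step; the ls output in the demo shows the 700/600 modes that sshd will accept.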

Give it a Test Run

Now you should be able to log in to the server with ssh user@hostname. If you didn't set a passphrase, you won't be prompted for anything; if you did, your local ssh client (not the server) asks for the passphrase. By default SSH tries public-key authentication before password authentication; if no usable key is found or the server rejects it, it falls back to a conventional password prompt. Because of that fallback, a password prompt after this setup means the key was not accepted: run the client with -v to see which keys were offered and why they were refused, and check the permissions on the server's ~/.ssh directory and authorized_keys file.

Optionally, once you've confirmed that you can log in with the key pair, you can disable password authentication altogether. Keep your current SSH session open while you make the change so you cannot lock yourself out. The setting lives in:

/etc/ssh/sshd_config

As root, you will need to change

#PasswordAuthentication yes

to

PasswordAuthentication no

Two details matter here. First, PasswordAuthentication no is not enough on its own: sshd's keyboard-interactive method (KbdInteractiveAuthentication, called ChallengeResponseAuthentication in older releases) is on by default and, through PAM, can still present a password prompt, so set it to no as well. Second, sshd uses the first matching line for each keyword, so an uncommented PasswordAuthentication yes earlier in the file, or in a file pulled in by an Include line, wins over a line you append at the end (recent Tumbleweed releases keep the distribution defaults under /usr/etc/ssh and read local overrides from /etc/ssh/sshd_config.d/). Check the syntax with sshd -t, confirm the effective values with sshd -T, then reload the daemon with systemctl reload sshd and test from a second terminal before closing your existing session.

With password logins off, an attacker who guesses or phishes your password still cannot get in, which is why this is the recommended configuration for any Internet-facing server, production or personal. You must determine whether you will always log in from a machine where your private key is present.
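Because the effective value is decided by the first matching line, it is easy to edit sshd_config and believe passwords are off when they are not. The following is an added example, not code from the original post or from OpenSSH: a shell helper that reads a config file the way sshd does for the simple case (first uncommented occurrence wins, keyword case-insensitive, stop at the first Match block) and reports whether both password methods are really disabled. The function names (sshd_effective_value, passwords_disabled, write_wrong_config, write_hardened_config, demo_audit) and the two sample configs are mine and constructed for illustration; Include and Match are not expanded, so on a live host sshd -T remains the authoritative check.

```shell
#!/bin/sh
# Added example, not code from the original post: show what sshd will really
# use for a keyword by following sshd_config's first-match-wins rule, and
# report whether password logins are actually off. Assumptions: POSIX sh with
# awk; Match blocks and Include directives are not expanded, so on a live host
# `sshd -T` remains the authoritative check.

# Print the effective value of a keyword in lowercase. The first uncommented
# occurrence wins, keyword matching is case-insensitive, parsing stops at the
# first Match block (everything after it is conditional), and a keyword that
# never appears prints "default".
sshd_effective_value() {
    config_file=$1
    keyword=$2
    awk -v kw="$keyword" '
        tolower($1) == "match"          { exit }
        /^[ \t]*#/ || NF == 0           { next }
        tolower($1) == tolower(kw)      { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }
    ' "$config_file"
}

# Return 0 only when neither plain password nor keyboard-interactive (PAM)
# password prompts are possible. sshd calls the latter
# KbdInteractiveAuthentication (ChallengeResponseAuthentication in older
# releases) and defaults it to yes, so "default" counts as still enabled.
passwords_disabled() {
    config_file=$1
    pw=$(sshd_effective_value "$config_file" PasswordAuthentication)
    kbd=$(sshd_effective_value "$config_file" KbdInteractiveAuthentication)
    if [ "$kbd" = default ]; then
        kbd=$(sshd_effective_value "$config_file" ChallengeResponseAuthentication)
    fi
    [ "$pw" = no ] && [ "$kbd" = no ]
}

# Constructed sample (not a real host's file): the "append at the end" mistake.
# The earlier uncommented "yes" wins, so sshd still accepts passwords.
write_wrong_config() {
    cat > "$1" <<'EOF'
# constructed example sshd_config, not from a real host
Port 22
PasswordAuthentication yes
#PasswordAuthentication no
PermitRootLogin no
PasswordAuthentication no
EOF
}

# Constructed sample: what the edit in the post should end up looking like,
# with keyboard-interactive turned off as well.
write_hardened_config() {
    cat > "$1" <<'EOF'
# constructed example sshd_config, not from a real host
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
EOF
}

# Stand-alone demonstration on two scratch files.
demo_audit() {
    scratch=$(mktemp -d)
    write_wrong_config "$scratch/wrong"
    write_hardened_config "$scratch/good"
    for f in "$scratch/wrong" "$scratch/good"; do
        if passwords_disabled "$f"; then
            echo "$f: password logins disabled"
        else
            echo "$f: password logins STILL POSSIBLE" \
                "(PasswordAuthentication=$(sshd_effective_value "$f" PasswordAuthentication))"
        fi
    done
    rm -rf "$scratch"
}

demo_audit
```

Run against your own file with passwords_disabled /etc/ssh/sshd_config (or the drop-in under /etc/ssh/sshd_config.d/ that you edited) and compare the result with sshd -T | grep -i authentication, which shows the values the running daemon actually resolved, Include and Match blocks included.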

Final Thoughts

Pre-shared keys are a very convenient way to manage your home systems. I use this method primarily out of convenience and ease of automating other processes. Added convenience and security together is most certainly a win.
