The common usages of SSH login

SSH is a network protocol for encrypted logins between computers. In 1995, the Finnish researcher Tatu Ylonen designed the SSH protocol, which became a fundamental building block of Internet security. This article is my notes on configuring SSH logins and summarizes the common uses of SSH.

There are roughly three ways to use SSH to log in to a remote Linux server: password, key, and certificate. This post focuses on how to log in to a remote Linux server with each of the three methods; it does not go through the SSH design or the underlying protocol. Furthermore, this article only discusses SSH usage on Linux and macOS. On Windows, recent versions of Windows 10 and 11 ship an OpenSSH client with the same ssh, ssh-keygen and scp commands; older versions need third-party software.

1. Password

Assuming you want to log in to the remote server as a given user, a single command does it:

  $ ssh user@host

The default port for SSH is 22. If the server listens on another port, e.g. 233, add the -p parameter:

  $ ssh user@host -p 233

The first connection prompts that the host's authenticity cannot be confirmed: only the host key fingerprint is known, and you have to decide whether to continue.

The authenticity of host can't be established.

ED25519 key fingerprint is SHA256:xxxxxx

Are you sure you want to continue connecting (yes/no)?

The key type is whichever host key the server offered (ED25519, RSA, ...). Current OpenSSH prints a SHA256 fingerprint in base64; releases before OpenSSH 6.8 printed a 128-bit MD5 fingerprint as colon-separated hex, which is the form still found in older documentation. Newer clients also accept the fingerprint itself typed at the prompt and do the comparison for you.

The server's administrator must publish the host key fingerprint over a channel that is already trusted (an internal wiki, a configuration-management record, the hosting provider's console), and the user compares it with the prompt before answering yes. Answering yes without comparing defeats the check: whoever sits in the path on that first connection can present their own key and read the whole session.

Once the remote server's public key is accepted, it is saved in $HOME/.ssh/known_hosts and no warning appears on later connections. If the key the server presents ever differs from the stored one, ssh refuses to connect and prints "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!", which is either a rebuilt server or an attack and should be investigated rather than fixed by deleting the line. A key saved in /etc/ssh/ssh_known_hosts takes effect for all local users.
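The comparison described above, as an added example that is not part of the original post: a small POSIX shell script that prints the fingerprints a server administrator would publish and checks them against the key the client stored in known_hosts. It assumes ssh-keygen is installed; the directory, known_hosts file and host name are parameters, so it can be pointed at a test directory as well as at /etc/ssh and ~/.ssh/known_hosts.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes ssh-keygen is installed.

# Pull the SHA256:... token out of any ssh-keygen -l output line
# (it is field 2 for "-l -f key.pub" and field 3 for "-l -F host").
sha256_token() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^SHA256:/) { print $i; exit } }'
}

# Server side: the fingerprints to publish, for every host key in DIR
# (normally /etc/ssh). SHA256 is what current OpenSSH shows at the prompt;
# the MD5 line is the legacy 128-bit form that older clients still show.
host_key_fingerprints() {
  for pub in "$1"/ssh_host_*_key.pub; do
    [ -f "$pub" ] || continue
    ssh-keygen -l -E sha256 -f "$pub"
    ssh-keygen -l -E md5 -f "$pub"
  done
}

# Client side: the SHA256 fingerprint stored for HOST in KNOWN_HOSTS.
# -F also finds hashed entries (HashKnownHosts yes). Empty if unknown.
stored_fingerprint() {
  ssh-keygen -l -E sha256 -f "$1" -F "$2" 2>/dev/null | sha256_token
}

# Returns 0 when the key stored for HOST equals the published PUBFILE,
# 1 otherwise (host unknown, or a different key: a rebuilt server or
# someone sitting in the path on the first connection).
verify_known_host() {
  known_hosts=$1; host=$2; pubfile=$3
  stored=$(stored_fingerprint "$known_hosts" "$host")
  published=$(ssh-keygen -l -E sha256 -f "$pubfile" | sha256_token)
  [ -n "$stored" ] && [ "$stored" = "$published" ]
}
```

On the server, host_key_fingerprints /etc/ssh prints the lines to publish; on the client, verify_known_host ~/.ssh/known_hosts host.example.com ssh_host_ed25519_key.pub (with the published .pub file at hand) succeeds only when the stored key is the published one.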

2. Key

Key login works like this: the user stores their public key on the remote server. During login the client signs a message bound to the current session (it includes the session identifier both sides derived during key exchange) with the private key and sends the signature; the server verifies it with the stored public key. A valid signature proves possession of the private key, so the server allows the login without asking for a password, and because the signed data is session-specific a captured signature is useless for a later connection. (The mechanism is often described as the server sending a random string that the client "encrypts" with the private key; it is a signature over session data, not encryption.)

To log in with a key, first check /etc/ssh/sshd_config on the remote server for the following options. Both are the defaults in current OpenSSH, so they usually only need attention if someone changed them:

  PubkeyAuthentication yes

  AuthorizedKeysFile .ssh/authorized_keys

Older guides also list RSAAuthentication yes. That option belonged to SSH protocol 1, which has been removed from OpenSSH; current sshd logs it as deprecated and ignores it.

Check the ownership and permissions of $HOME, $HOME/.ssh/ and authorized_keys on the remote server. With StrictModes yes (the default), sshd refuses key login if any of them is owned by another user or writable by group or others, and writes "Authentication refused: bad ownership or modes" to the auth log, which is the first place to look when a key is silently rejected.

  # chown user:group $HOME/.ssh/

  $ chmod 700 $HOME/.ssh/

  $ chmod 600 $HOME/.ssh/authorized_keys
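A check that reproduces what sshd does under StrictModes, as an added example that is not part of the original post: pure POSIX sh and find, meant to be run on the server when a key login is refused, with the home directory and user name as parameters. It assumes nothing beyond a standard userland.

```shell
#!/bin/sh
# Added example, not from the original post. Mirrors the StrictModes checks:
# $HOME, $HOME/.ssh and authorized_keys must belong to the user and must not
# be writable by group or others, otherwise key login is refused.

# Prints one line per problem; returns 0 when everything is acceptable.
check_ssh_perms() {
  home=$1; owner=$2; rc=0
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    if [ ! -e "$p" ]; then
      echo "missing: $p"; rc=1; continue
    fi
    # -prune keeps find on the path itself (no descent); POSIX-portable,
    # unlike the GNU/BSD-specific stat formats.
    if [ -n "$(find "$p" -prune ! -user "$owner" -print)" ]; then
      echo "not owned by $owner: $p"; rc=1
    fi
    if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
      echo "group/other writable: $p"; rc=1
    fi
  done
  return $rc
}

# Applies the modes the post recommends (run as root, or as the owner).
# $HOME itself is only stripped of group/other write; its other bits are
# the administrator's business.
fix_ssh_perms() {
  home=$1; owner=$2
  chown "$owner" "$home/.ssh" "$home/.ssh/authorized_keys"
  chmod go-w "$home"
  chmod 700 "$home/.ssh"
  chmod 600 "$home/.ssh/authorized_keys"
}
```

Typical use on the server: check_ssh_perms /home/user user lists what sshd objects to; fix_ssh_perms /home/user user repairs it. Note that sshd only insists on "not writable by others"; 700 and 600 are the conventional tighter settings.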

Now generate a key pair on the local machine.

  $ ssh-keygen

ssh-keygen asks for a passphrase for the private key; set one, since a passphrase-less key file is all an attacker needs if the machine is compromised (ssh-agent can cache it so it is typed once per session). When it finishes, id_rsa and id_rsa.pub are in $HOME/.ssh/, the former the private key (mode 600, never copied anywhere) and the latter the public key. Depending on the OpenSSH version the default key type is RSA or Ed25519 (files id_ed25519 and id_ed25519.pub); ssh-keygen -t ed25519 selects the latter explicitly.

Transfer the public key to the remote server. Options go before the host; the -p parameter may be necessary:

  $ ssh-copy-id -p 233 user@host

ssh-copy-id appends the key to the remote authorized_keys and fixes the directory permissions itself. To do it by hand, copy the public key over (note that scp takes the port as upper-case -P; lower-case -p means "preserve timestamps"):

  $ scp -P 233 $HOME/.ssh/id_rsa.pub user@host:id_rsa.pub

then log in to the remote server and append it to the authentication file:

  $ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys

sshd reads authorized_keys at every login, so adding a key needs no restart. Only if you changed /etc/ssh/sshd_config do you need to restart (or reload) the service; run sshd -t first, since it reports configuration errors before a restart can lock you out.

  # systemctl restart sshd.service

To make logging in easier, you can configure a quick login in the local file $HOME/.ssh/config. Comments must be on their own line; ssh_config does not accept trailing comments.

  # alias used on the command line
  Host host-alias
      # ip or domain of remote server
      HostName host.example.com
      # ssh port
      Port 233
      # user name
      User user
      # private key to use
      IdentityFile ~/.ssh/id_rsa

Then you can log in using the alias from the configuration file:

  $ ssh host-alias

3. Certificate

With certificate login, user and server do not need to know each other's public keys in advance: each side presents a certificate, and the other side only has to check that it was signed by a CA it trusts. A certificate also carries a validity period, so access expires without anyone cleaning up authorized_keys or known_hosts.

The Certificate Authority (CA) issues host certificates for trusted servers and user certificates for trusted users. These are OpenSSH's own certificate format, not X.509.

YOU NEED A CA HOST: a machine that holds the CA private keys, signs the public keys sent to it and hands the certificates back. It never needs to be reachable from the servers, and its private keys should never leave it.

STEP 1

Generate a key for the CA to sign user certificates with. This generates a key pair in $HOME/.ssh: user_ca (the private key; it stays on the CA host) and user_ca.pub.

  $ ssh-keygen -t rsa -b 4096 -f $HOME/.ssh/user_ca -C user_ca

  • -t rsa: RSA algorithm
  • -b 4096: key is 4096 bits
  • -f $HOME/.ssh/user_ca: location and file name of the key
  • -C user_ca: a comment stored with the public key, so the CA key is recognisable later

Generate a key for the CA to sign host certificates with. This generates a key pair in $HOME/.ssh: host_ca (private, stays on the CA host) and host_ca.pub.

  $ ssh-keygen -t rsa -b 4096 -f $HOME/.ssh/host_ca -C host_ca

STEP 2

CA issues server certificate

The server needs a host key. Every server with OpenSSH installed already has one (or several, one per key type) in /etc/ssh, so normally you skip the next command and use the existing key; regenerating it changes the server's identity and makes every client's known_hosts entry stale.

  # ssh-keygen -f /etc/ssh/ssh_host_rsa_key -b 4096 -t rsa

The above command generates the private key ssh_host_rsa_key and the public key ssh_host_rsa_key.pub in /etc/ssh. Copy only ssh_host_rsa_key.pub to the CA host.

The CA then uses the key host_ca to issue the server certificate ssh_host_rsa_key-cert.pub for the public key ssh_host_rsa_key.pub.

  $ ssh-keygen -s host_ca -I host.example.com -h -n host.example.com -V +52w ssh_host_rsa_key.pub

  • -s host_ca: the CA private key that signs the certificate
  • -I host.example.com: identity string, a free-text label shown by ssh-keygen -L
  • -h: the certificate is a host certificate, not a user certificate
  • -n host.example.com: the principal, i.e. the name clients connect with; list several comma-separated if the server is reached under more than one name
  • -V +52w: the validity period of the certificate, here 52 weeks (one year) from now
  • ssh_host_rsa_key.pub: the server public key being certified

Inspect the result with ssh-keygen -L -f ssh_host_rsa_key-cert.pub, which prints the type, key ID, principals and validity interval. Finally, check the permissions. The certificate is public data, so 644 would also do, but sshd must be able to read it:

  $ chmod 600 ssh_host_rsa_key-cert.pub

STEP 3

On the local machine:

  $ ssh-keygen -f $HOME/.ssh/user_key -b 4096 -t rsa

The above command generates the private key user_key and the public key user_key.pub in $HOME/.ssh.

Upload the public key user_key.pub to the CA host (never the private key); the CA then uses the key user_ca to issue the user certificate user_key-cert.pub for the public key user_key.pub.

  $ ssh-keygen -s user_ca -I [email protected] -n user -V +1d user_key.pub

  • -s user_ca: the CA private key that signs the certificate
  • -I: identity string; sshd logs it on every login, so it should say who the certificate was issued to
  • -n user: the principal; sshd accepts the certificate only for a login name listed here (unless AuthorizedPrincipalsFile maps names differently), so this certificate lets ssh user@host in but not root@host
  • -V +1d: the validity period of the certificate, here 1 day, to force users to apply for a certificate once a day to improve security. Without -V the certificate never expires.
  • user_key.pub: the user's public key

Finally, check the permissions:

  $ chmod 600 user_key-cert.pub

STEP 4

Send the server certificate to the remote server:

  $ scp $HOME/.ssh/ssh_host_rsa_key-cert.pub [email protected]:/etc/ssh/

Modify /etc/ssh/sshd_config:

  HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub

Check the configuration with sshd -t (it prints nothing when the file is valid), then restart the sshd service:

  # systemctl restart sshd

STEP 5

Send the user CA public key to the remote server:

  $ scp $HOME/.ssh/user_ca.pub [email protected]:/etc/ssh

Modify /etc/ssh/sshd_config so that sshd accepts any user certificate signed by user_ca, provided the login name matches one of the certificate's principals:

  TrustedUserCAKeys /etc/ssh/user_ca.pub

Check the configuration with sshd -t, then restart the sshd service:

  # systemctl restart sshd

STEP 6

Send user_key-cert.pub from the CA back to the local machine and keep it next to user_key in the same folder: when ssh is given -i user_key it automatically looks for user_key-cert.pub beside it and presents the certificate (CertificateFile in ssh_config can point elsewhere).

STEP 7

Install the host CA public key on the local machine. Append a line to $HOME/.ssh/known_hosts (or /etc/ssh/ssh_known_hosts for all users) consisting of the marker @cert-authority, a pattern for the host names the CA is trusted for, and the content of host_ca.pub:

  @cert-authority *.example.com <content of host_ca.pub>

Without the @cert-authority marker the line would merely pin host_ca.pub as an ordinary host key and host certificates would not be accepted. Now you can log in to the remote server with the certificate.

  $ ssh -i $HOME/.ssh/user_key [email protected]

P.S. How to revoke certificates

To stop trusting host certificates, delete the @cert-authority line from known_hosts; this distrusts every certificate the host CA has issued. To revoke a single host certificate on the client side, put it in a KRL and point RevokedHostKeys in ssh_config at that file.

To revoke a user certificate, create the file /etc/ssh/revoked_keys on the remote server and modify sshd_config:

  RevokedKeys /etc/ssh/revoked_keys

revoked_keys is a Key Revocation List (KRL) holding the keys and certificates that are no longer trusted. Listing the user's public key revokes it outright, including every certificate ever issued for it:

  $ ssh-keygen -kf /etc/ssh/revoked_keys -z 1 $HOME/.ssh/user_key.pub

-z 1 is the KRL version number; add later entries with -u (update the existing list) and a higher version. ssh-keygen -Qf /etc/ssh/revoked_keys key.pub reports whether a key is in the list, which is the quickest way to confirm the revocation took effect.
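The CA workflow of STEP 1 to STEP 7 and the revocation in this P.S., run end to end in one directory so every artifact can be inspected before a real server is touched. This is an added example, not code from the original post: it assumes ssh-keygen is installed, uses Ed25519 keys for speed (the post's -t rsa -b 4096 behaves identically), and the file names, the key ID user_key and the known_hosts pattern *.example.com are my choices; host.example.com and the principal user are the post's.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes ssh-keygen is installed.

keygen() {  # keygen PATH COMMENT: quiet, passphrase-less key pair
  ssh-keygen -q -t ed25519 -N '' -f "$1" -C "$2"
}

# STEP 1-3 in one directory: CA keys, a host key with its certificate, a
# user key with its certificate. On a real deployment only the .pub files
# travel to the CA host and only the -cert.pub files travel back.
issue_certs() {
  d=$1
  keygen "$d/user_ca" user_ca
  keygen "$d/host_ca" host_ca
  keygen "$d/ssh_host_key" root@host.example.com   # a real server already has /etc/ssh/ssh_host_*_key
  ssh-keygen -q -s "$d/host_ca" -I host.example.com -h -n host.example.com -V +52w "$d/ssh_host_key.pub"
  keygen "$d/user_key" user
  ssh-keygen -q -s "$d/user_ca" -I user_key -n user -V +1d "$d/user_key.pub"
}

# Read one field of a certificate back out of ssh-keygen -L, e.g. "Type" or "Key ID".
cert_field() {
  ssh-keygen -L -f "$1" | sed -n "s/^ *$2: *//p"
}

# The principals (-n) a certificate was issued for, one per line.
cert_principals() {
  ssh-keygen -L -f "$1" | awk '
    /^ *Principals:/ { p = 1; next }
    p && /^ *[A-Z][A-Za-z ]*:/ { exit }
    p { sub(/^ +/, ""); print }'
}

# STEP 7: the known_hosts line that makes ssh accept host certificates
# signed by host_ca for names matching PATTERN. Without the @cert-authority
# marker the key would only be pinned as an ordinary host key.
cert_authority_line() {  # cert_authority_line PATTERN HOST_CA_PUB
  printf '@cert-authority %s %s\n' "$1" "$(cut -d' ' -f1,2 "$2")"
}

# P.S.: revoke user_key via a KRL (version 1), then confirm with -Q, which
# prints "<file>: REVOKED" for a listed key. A certificate issued for a
# revoked key is rejected as well, so no serial number is needed here.
revoke_user_key() {
  d=$1
  ssh-keygen -k -f "$d/revoked_keys" -z 1 "$d/user_key.pub"
  ssh-keygen -Q -f "$d/revoked_keys" "$d/user_key.pub" | grep -q REVOKED
}
```

After issue_certs /tmp/ca, ssh-keygen -L -f /tmp/ca/user_key-cert.pub shows the one-day validity window and the single principal user; cert_authority_line '*.example.com' /tmp/ca/host_ca.pub is the line to append to known_hosts; revoke_user_key /tmp/ca produces the revoked_keys file that RevokedKeys points at on the server.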


© 2024. All rights reserved.
