Setting Up ssh

Key-based Authentication

In many cases, the ssh server accepts password-based authentication by default. However, this is not secure: many people attempt to log in to your server by submitting a huge number of username and password pairs (a brute-force attack). Therefore, it is common to set up key-based authentication and disable password authentication.

Steps for key-based authentication:

  • Prepare a pair of private and public keys on your local machine (not the VM).

  • Register the public key with the VM.

Prepare a pair of private and public keys

If your local machine does not have a directory “~/.ssh”, please create it and set its permissions as follows:

$ mkdir ~/.ssh
$ chmod 700 ~/.ssh

Please type the following command on your local machine (not the VM). The keys are created in ~/.ssh. The public key is named “info0940_id_rsa.pub” and the private key is “info0940_id_rsa”.

For Mac and UNIX/Linux users:

$ ssh-keygen -f ~/.ssh/info0940_id_rsa

For Windows users (please type this in your home directory):

$ ssh-keygen -f .ssh/info0940_id_rsa

Danger

If you do not specify -f, you may OVERWRITE your old ssh key and lose access to servers where that key is registered.

You can check the content of the public key with the following command:

$ cat ~/.ssh/info0940_id_rsa.pub
ssh-rsa AAAAAAAAAAAAABBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDEFFFFFFFGGG
GGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHIIIIIIIIIIIIIIIJJJJJJJJJJJJJKKKKKKKKKKKKKLLLLLLLLLLLLLLLLLLLLLLLLLLLL
CCCCCCCCCCCCCCCCCCCCCCCCZZZZZZZZZZZZZZZZZZZZZIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIGGGGGGGGGGGG
LLLMMMMMMMMMMMMMMMM username@local.machine

Register the public key with the VM

If your VM does not have a directory “~/.ssh”, please create it and set its permissions as follows:

$ mkdir ~/.ssh
$ chmod 700 ~/.ssh

To register a public key, we need to edit a file named “~/.ssh/authorized_keys” on the VM. In the following example, we use “vim” as the editor, but you are free to use another one:

$ vim ~/.ssh/authorized_keys

To register the public key, add the content of “info0940_id_rsa.pub”, created on the local machine, as one line of the file “~/.ssh/authorized_keys”. After the edit, the content of “authorized_keys” will look like the following:

$ cat ~/.ssh/authorized_keys
ssh-rsa AAAAAAAAAAAAABBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDEFFFFFFFGGG
GGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHIIIIIIIIIIIIIIIJJJJJJJJJJJJJKKKKKKKKKKKKKLLLLLLLLLLLLLLLLLLLLLLLLLLLL
CCCCCCCCCCCCCCCCCCCCCCCCZZZZZZZZZZZZZZZZZZZZZIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIGGGGGGGGGGGG
LLLMMMMMMMMMMMMMMMM username@local.machine
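
One way to script the registration step on the VM, as an added example that is not part of the original page. It assumes the file “info0940_id_rsa.pub” has already been copied to the VM; the function name register_pubkey is hypothetical. It rejects a private key or a key broken across several lines, and sets the permissions sshd expects.

```shell
#!/bin/sh
# Added example (not from the original page). Hypothetical helper:
#   register_pubkey PUBKEY_FILE [AUTHORIZED_KEYS_FILE]
# e.g. saved as a script and run on the VM with: sh <script> info0940_id_rsa.pub
register_pubkey() {
    pub=$1
    auth=${2:-$HOME/.ssh/authorized_keys}

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Refuse private keys: they carry a PEM header such as
    # "-----BEGIN OPENSSH PRIVATE KEY-----" and must stay on your own machine.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub is a PRIVATE key" >&2; return 2
    fi

    # A public key is exactly one line: "<type> <base64> [comment]".
    # A key pasted with hard line breaks would not be accepted by sshd.
    [ "$(grep -c . "$pub")" -eq 1 ] || {
        echo "refusing: expected exactly one line in $pub" >&2; return 3; }
    key=$(grep . "$pub")
    case $key in
        ssh-rsa\ ?*|ssh-ed25519\ ?*|ecdsa-sha2-*\ ?*) ;;   # common key types
        *) echo "refusing: not an OpenSSH public key line" >&2; return 3 ;;
    esac

    # With StrictModes (the sshd default), keys are refused when these
    # paths are writable by other users, so restrict them to the owner.
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir" || return 4
    touch "$auth" && chmod 600 "$auth" || return 4

    # Append only if this exact line is not already present (idempotent).
    grep -qxF -e "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# When run as a script with arguments, register the given key.
if [ "$#" -ge 1 ]; then register_pubkey "$@"; fi
```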

Confirmation

Please type the following command in your terminal app to check that the key is properly registered. If the VM does not ask for your password, it worked. Otherwise, something is wrong:

$ ssh -i ~/.ssh/info0940_id_rsa student@127.0.0.1 -p 6543

Disable Password Authentication

Important

In this section, we will disable password authentication to the VM. In other words, only connections with an SSH key will be accepted. If you still want to connect to your VM with the “student” password, skip this section.

On your VM, please change the option “PasswordAuthentication” from yes to no in the ssh configuration file named “/etc/ssh/sshd_config”. Please use an editor you like for editing the file:

$ sudo vim /etc/ssh/sshd_config

After the modification, the file will look like the following:

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

After you modify the sshd config, please type the following command to restart the ssh server:

$ sudo service ssh restart

Please type the following command in your terminal app to check that the config is properly updated. If you see the following output, the configuration is correct. If the VM asks for a password, something is wrong:

$ ssh abc@127.0.0.1 -p 6543
abc@127.0.0.1: Permission denied (publickey).

This output means that the ssh server denied access to the user named “abc” because no public key is registered for abc. The important point is that the server denies access without asking for a password. In other words, this setup eliminates the chance for brute-force attacks.

Important Info

You can give your public key to anyone. For instance, if you ask a system administrator for access to private servers that have password authentication disabled, the admin may ask you to send your public key.

Danger

NEVER ever give your PRIVATE key to anybody!!! If someone has your private key, he/she can log in to servers where your public key is registered, and things might go terribly wrong…

TAs hear stories of sysadmins in companies laughing at employees who send their private keys when they request access to the company’s servers.