RHEL7: Configure SSH key-based authentication
Note: This is an RHCSA 7 exam objective and an RHCE 7 exam objective.
Presentation
Instead of logging in to a remote host with a login/password, SSH allows you to use key-based authentication. To set up key-based authentication, you need two virtual/physical servers that we will call server1 and server2.
Configuration Procedure
On server1, create a user named user01 with the password user01:
# useradd user01
# passwd user01
Changing password for user user01.
New password: your password
Retype new password: your password
passwd: all authentication tokens updated successfully.
On server2, create the same user with the password user01:
# useradd user01
# passwd user01
Changing password for user user01.
New password: your password
Retype new password: your password
passwd: all authentication tokens updated successfully.
On server1, switch to this new user:
# su - user01
Generate a private/public key pair for key-based authentication (here an RSA key of 2048 bits with no passphrase):
[user01@server1 ~]$ ssh-keygen -b 2048 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user01/.ssh/id_rsa): return
Created directory '/home/user01/.ssh'.
Enter passphrase (empty for no passphrase): return
Enter same passphrase again: return
Your identification has been saved in /home/user01/.ssh/id_rsa.
Your public key has been saved in /home/user01/.ssh/id_rsa.pub.
The key fingerprint is:
6d:ac:45:32:34:ac:da:4a:3b:4e:f2:83:85:84:5f:d8 user01@server1.example.com
The key's randomart image is:
+--[ RSA 2048]----+
| .o |
| ... |
| . o .o . |
|. o E . * |
| o o o S = |
| o + . + |
| .+.o . |
| .+= |
| .oo |
+-----------------+
Still on server1, copy the public key to server2:
[user01@server1 ~]$ ssh-copy-id -i .ssh/id_rsa.pub user01@server2.example.com
The authenticity of host 'server2.example.com (192.168.1.49)' can't be established.
ECDSA key fingerprint is 67:79:67:88:7f:da:31:49:7b:dd:ed:40:af:ae:b6:ae.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user01@server2.example.com's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'user01@server2.example.com'"
and check to make sure that only the key(s) you wanted were added.
On server2, edit the /etc/ssh/sshd_config file and set the following options:
PasswordAuthentication no
PubkeyAuthentication yes
Note: Don't hesitate to set up virtual console access on server2; this avoids having to reinstall the physical/virtual server if something goes wrong.
Restart the sshd service:
# systemctl restart sshd
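The sshd_config change above, as an added example that is not part of the original page: a small POSIX sh helper that applies the two settings idempotently and checks what sshd will actually use before you restart it. It assumes grep and awk are available; the file path is whatever the caller passes (test it on a copy first).

```shell
#!/bin/sh
# Added example (not from the original page): apply the two sshd_config
# settings from the procedure idempotently and verify the result before
# restarting sshd. Assumes POSIX sh with grep/awk; the file path is a
# placeholder chosen by the caller (work on a copy first).

# set_sshd_option FILE KEY VALUE
# Removes every active (uncommented) definition of KEY and puts "KEY VALUE"
# at the top of the file. sshd uses the first definition it reads, and a
# line at the top sits before any "Match" block, so it applies globally.
# Commented-out documentation lines such as "#PasswordAuthentication yes"
# are left in place.
set_sshd_option() {
    file=$1; key=$2; value=$3
    [ -r "$file" ] || return 1
    tmp="$file.tmp.$$"
    {
        printf '%s %s\n' "$key" "$value"
        grep -Eiv "^[[:space:]]*${key}[[:space:]]" "$file" || true
    } > "$tmp" && mv "$tmp" "$file"
}

# effective_value FILE KEY
# Prints the value sshd would use for KEY: the first active match wins.
# Keywords are case-insensitive in sshd_config, so compare lowercased.
effective_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd FILE
# Sets PasswordAuthentication no and PubkeyAuthentication yes, then returns
# 0 only when both are in effect, 1 otherwise.
harden_sshd() {
    set_sshd_option "$1" PasswordAuthentication no &&
    set_sshd_option "$1" PubkeyAuthentication yes &&
    [ "$(effective_value "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(effective_value "$1" PubkeyAuthentication)" = "yes" ]
}
```

On a real host, run `sshd -t` after editing /etc/ssh/sshd_config and only then `systemctl restart sshd`, so a syntax error cannot lock you out of the service.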
Testing Time
On server1, as user01, connect to server2:
[user01@server1 ~]$ ssh server2.example.com
Note 1: This configuration can also be done for the root account.
Note 2: Use the -v, -vv, or -vvv options to get some debug information.
Additional Resources
Bob Cromwell wrote a series of articles about setting up SSH keys for easier and more secure authentication, setting up an SSH key agent, easily maintaining multiple websites with SSH, and ways to manage your SSH keys and identities.
Beyond the exam objectives, Scott Lowe explains how to build an SSH bastion host.