OpenSSH: SSH Key Exchange

Introduction link

SSH key exchange is great for logging in without having to type your password. It’s also very simple to set up.

Basic link

Server link

On the server, the user account to which the client will connect (for example root) must have the .ssh directory present:

1

mkdir .ssh

Client link

On the client, you need to generate a key pair, unless you already have one (~/.ssh/id_dsa.pub):

1

ssh-keygen -t rsa

1

ssh-keygen -t rsa -p

Then, you need to send the key to the server:

1

cat .ssh/id_rsa.pub | ssh **root**@**remote_host** "cat >> .ssh/authorized_keys"

or

1

ssh-copy-id -i ~/.ssh/id_rsa.pub root@remote-server

Now, if we connect to the server, we won’t be prompted for a password:

1

ssh **root**@**remote_host**

Change ssh key passphrase link

You can change your ssh passphrase:

1

ssh-keygen -f ~/.ssh/id_rsa -p

Complex with restrictions link

If, for example, you don’t want root to be accessible from anywhere, you need to perform a basic key exchange between the client machine and the server, then edit the following on the server:

• The OpenSSH server configuration file /etc/ssh/sshd_config:

1

PermitRootLogin without-password

• The authorized key file /root/.ssh/authorized_keys:

1

from="10.0.0.1" ssh-dss..... (the key in question)

Finally, restart OpenSSH :). Now, only the machine at 10.0.0.1 will be authorized to connect directly as root and only via the key.

If you have multiple machines or hosts to add, separate them with commas.

ssh-add link

ssh-add¹ is a tool that allows you to have an SSH private key with a passphrase and not have to type it each time, but simply once during the first use. There is also an X counterpart called ssh-askpass. It’s also possible to define a timeout:

1
2

ssh-agent
ssh-add -t 3600

So here, after an hour, you’ll need to enter the passphrase again.

FAQ link

Authentication refused: bad ownership or modes for directory link

If you encounter this type of error:

1
2
3

Authentication refused: bad ownership or modes for directory /home/client
Failed publickey for client from x.x.x.x port 57113 ssh2
Connection closed by x.x.x.x

You have permission problems in your user’s home directory. Check that it has permissions like 755. If it’s not possible to change the permissions, then you need to tell SSH to be less restrictive about permissions. You need to modify the file /etc/ssh/sshd_config and add this option:

1

StrictModes no

Disabling protocol version 1. Could not load host key link

I had this small issue, particularly with the Xen Enterprise live CD for performing P2Vs. I wanted to connect remotely to check the progress of the migration. I needed to generate SSH keys to start the server. Here’s the procedure:

1
2
3

ssh-keygen -t rsa1 -f /etc/ssh_host_rsa_key -N ""
ssh-keygen -t dsa -f /etc/ssh_host_dsa_key -N ""
/usr/sbin/sshd

And there you go, the problem of the server with missing keys is resolved :)

I can’t change the root password and I absolutely want to connect to the machine link

Be careful with this technique because anyone will be able to connect. But for the more adventurous among you, modify these parameters:

1
2
3

PermitRootLogin yes
StrictModes no
PermitEmptyPasswords yes

Restart your SSH service, and there you go, your server is now completely insecure :)

Resources link

• How To Set Up SSH With Public-Key Authentication