SSH/Public Key Authentication: Difference between revisions

From Chorke Wiki
Jump to navigation Jump to search
← Older edit
VisualWikitext
 
(7 intermediate revisions by the same user not shown)
Line 1: Line 1:
==RSA==
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
#################### CLIENT SIDE ####################
#################### CLIENT SIDE ####################
Line 57: Line 58:
ssh misc@139.59.51.80 -p 4321
ssh misc@139.59.51.80 -p 4321
# user@139.59.51.80: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
# user@139.59.51.80: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
</syntaxhighlight>
===RSA » Temp Key===
----
<syntaxhighlight lang="bash">
TMP_PUBLIC_KEY=$(mktemp -u)
TMP_PRIVATE_KEY=$(mktemp -u)
ssh-keygen -t rsa -b 4096 -C "academia@chorke.org" -N "" -q -f ${TMP_PRIVATE_KEY}
ssh-keygen -y -f ${TMP_PRIVATE_KEY} > ${TMP_PUBLIC_KEY}
export SSH_PRIVATE_KEY="$(cat ${TMP_PRIVATE_KEY})"
export SSH_PUBLIC_KEY="$(cat ${TMP_PUBLIC_KEY})"
rm ${TMP_PRIVATE_KEY} ${TMP_PUBLIC_KEY}
echo && echo "${SSH_PRIVATE_KEY}"
echo && echo "${SSH_PUBLIC_KEY}" && echo
</syntaxhighlight>
</syntaxhighlight>


==EdDSA==
==EdDSA==
  ssh-keygen -t ed25519 -C "user@rpi.chorke.org"
  ssh-keygen -t ed25519 -C "<mail.id>@chorke.org"
  ssh-keygen -t ed25519 -C "user@rpi.chorke.org" -f ~/.ssh/id_ed25519
ssh-keygen -t ed25519 -C "<mail.id>@chorke.org" -f ~/.ssh/id_ed25519
  ssh-keygen -t ed25519 -C "<mail.id>@chorke.org" -f ~/.ssh/cid.chorke.org_ed25519


  chmod 600 ~/.ssh/id_ed25519
  chmod 600 ~/.ssh/id_ed25519
  chmod 644 ~/.ssh/id_ed25519.pub
  chmod 644 ~/.ssh/id_ed25519.pub


===EdDSA » Temporary===
chmod 600 ~/.ssh/cid.chorke.org_ed25519
chmod 644 ~/.ssh/cid.chorke.org_ed25519.pub
 
===EdDSA » Temp Key===
----
----
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
Line 74: Line 95:
ssh-keygen -y -f ${TMP_PRIVATE_KEY} > ${TMP_PUBLIC_KEY}
ssh-keygen -y -f ${TMP_PRIVATE_KEY} > ${TMP_PUBLIC_KEY}


export SSH_PRIVATE_KEY=$(cat ${TMP_PRIVATE_KEY})
export SSH_PRIVATE_KEY="$(cat ${TMP_PRIVATE_KEY})"
export SSH_PUBLIC_KEY=$(cat ${TMP_PUBLIC_KEY})
export SSH_PUBLIC_KEY="$(cat ${TMP_PUBLIC_KEY})"
rm ${TMP_PRIVATE_KEY} ${TMP_PUBLIC_KEY}
rm ${TMP_PRIVATE_KEY} ${TMP_PUBLIC_KEY}


echo && echo ${SSH_PRIVATE_KEY}
echo && echo "${SSH_PRIVATE_KEY}"
echo && echo ${SSH_PUBLIC_KEY} && echo
echo && echo "${SSH_PUBLIC_KEY}" && echo
</syntaxhighlight>
</syntaxhighlight>


Line 102: Line 123:
       PreferredAuthentications password
       PreferredAuthentications password


|}
==Immutable » Authorization » Key==
{|class='wikitable mw-collapsible'
!scope='col' colspan='3' style='width:600px'| '''Linux » Immutable » authorized_keys'''
|-
|valign='top'|
<syntaxhighlight lang="bash">
sudo chattr +i /home/academia/.ssh/authorized_keys #Immutable
sudo chattr -i /home/academia/.ssh/authorized_keys #  Mutable
</syntaxhighlight>
|}
==Playground==
{|
|valign='top' colspan='2'|
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
sed 's|#PasswordAuthentication yes|PasswordAuthentication no|' -i /etc/ssh/sshd_config
sed 's|#PubkeyAuthentication yes|PubkeyAuthentication yes|'    -i /etc/ssh/sshd_config
sed 's|#PermitEmptyPasswords no|PermitEmptyPasswords no|'      -i /etc/ssh/sshd_config
sed 's|#PermitRootLogin yes|PermitRootLogin no|'              -i /etc/ssh/sshd_config
systemctl restart ssh
EXE
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
sshd -T | grep -i PasswordAuthentication
sshd -T | grep -i PubkeyAuthentication
sshd -T | grep -i PermitEmptyPasswords
sshd -T | grep -i PermitRootLogin
systemctl status  ssh
EXE
</syntaxhighlight>
|-
|colspan='3'|
----
|-
|valign='top'|
<syntaxhighlight lang="bash">
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang="bash">
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang="bash">
</syntaxhighlight>
|}
|}


== References==
== References==
{|
|valign='top'|
* [https://serverfault.com/questions/1159599/ SSH server » Ubuntu » Change the default port]
* [https://serverfault.com/questions/1159599/ SSH server » Ubuntu » Change the default port]
* [https://gist.github.com/shahedhossain/73adbb5d812786875705a26c0c174928 Fedora SSH Client Public Key Authentication]
* [https://gist.github.com/shahedhossain/73adbb5d812786875705a26c0c174928 Fedora SSH Client Public Key Authentication]
Line 110: Line 185:
* [https://www.raspberrypi.org/documentation/remote-access/ssh/passwordless.md Raspberry Pi Public Key Authentication]
* [https://www.raspberrypi.org/documentation/remote-access/ssh/passwordless.md Raspberry Pi Public Key Authentication]
* [[Bastion SSH Tunneling]]
* [[Bastion SSH Tunneling]]
|valign='top'|
|valign='top'|
|-
|colspan='3'|
----
|-
|valign='top'|
|valign='top'|
|valign='top'|
|}

Latest revision as of 08:31, 5 July 2025

RSA

#################### CLIENT SIDE ####################
# generating a new ssh key and adding it to the ssh client
# https://gist.github.com/shahedhossain/7d91028ba1eb9c56049ea421a12e76fd

# ssh key generation for chorke
ssh-keygen -t rsa -b 4096 -C "user@rpi.chorke.org"
# Generating public/private rsa key pair.
# Enter a file in which to save the key (/Users/user/.ssh/id_rsa): [Press enter]
# Enter passphrase (empty for no passphrase): [Type a passphrase]
# Enter same passphrase again: [Type passphrase again]

# rpi_chorke_rsa add to ~/.ssh/config
Host rpi.chorke.org
     HostName 139.59.51.80
     # PreferredAuthentications publickey
     IdentityFile ~/.ssh/rpi_chorke_rsa
     Port 4321

# copy root/misc public key to ~/.ssh/authorized_keys for each users
ssh-copy-id -i ~/.ssh/rpi_chorke_rsa.pub root@139.59.51.80 -p 4321
ssh-copy-id -i ~/.ssh/rpi_chorke_rsa.pub misc@139.59.51.80 -p 4321

#################### SERVER SIDE ####################
# for disable password authentication
# & enable public key authentication
# edit by /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes

# after edit save & exit restart sshd
# to update sshd configuration
# systemctl restart sshd
service sshd restart

#################### CLIENT SIDE ####################
# root user public key
ssh root@rpi.chorke.org
# Enter passphrase for key '/Users/user/.ssh/rpi_chorke_rsa':

# misc user public key
ssh misc@rpi.chorke.org
# Enter passphrase for key '/Users/user/.ssh/rpi_chorke_rsa':

#################### CLIENT SIDE ####################
# root user password disabled
ssh root@139.59.51.80 -p 4321
# root@139.59.51.80: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

# misc user password disabled
ssh misc@139.59.51.80 -p 4321
# user@139.59.51.80: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

RSA » Temp Key

TMP_PUBLIC_KEY=$(mktemp -u)
TMP_PRIVATE_KEY=$(mktemp -u)
ssh-keygen -t rsa -b 4096 -C "academia@chorke.org" -N "" -q -f ${TMP_PRIVATE_KEY}
ssh-keygen -y -f ${TMP_PRIVATE_KEY} > ${TMP_PUBLIC_KEY}

export SSH_PRIVATE_KEY="$(cat ${TMP_PRIVATE_KEY})"
export SSH_PUBLIC_KEY="$(cat ${TMP_PUBLIC_KEY})"
rm ${TMP_PRIVATE_KEY} ${TMP_PUBLIC_KEY}

echo && echo "${SSH_PRIVATE_KEY}"
echo && echo "${SSH_PUBLIC_KEY}" && echo

EdDSA

ssh-keygen -t ed25519 -C "<mail.id>@chorke.org"
ssh-keygen -t ed25519 -C "<mail.id>@chorke.org" -f ~/.ssh/id_ed25519
ssh-keygen -t ed25519 -C "<mail.id>@chorke.org" -f ~/.ssh/cid.chorke.org_ed25519

chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub

chmod 600 ~/.ssh/cid.chorke.org_ed25519
chmod 644 ~/.ssh/cid.chorke.org_ed25519.pub

EdDSA » Temp Key

TMP_PUBLIC_KEY=$(mktemp -u)
TMP_PRIVATE_KEY=$(mktemp -u)
ssh-keygen -t ed25519 -C "academia@chorke.org" -N "" -q -f ${TMP_PRIVATE_KEY}
ssh-keygen -y -f ${TMP_PRIVATE_KEY} > ${TMP_PUBLIC_KEY}

export SSH_PRIVATE_KEY="$(cat ${TMP_PRIVATE_KEY})"
export SSH_PUBLIC_KEY="$(cat ${TMP_PUBLIC_KEY})"
rm ${TMP_PRIVATE_KEY} ${TMP_PUBLIC_KEY}

echo && echo "${SSH_PRIVATE_KEY}"
echo && echo "${SSH_PUBLIC_KEY}" && echo

Too Many Auth

too many authentication failures issue
ssh -o PreferredAuthentications=password ${USER}@academia.local
ssh -o IdentityAgent=none ${USER}@academia.local
ssh -o IdentitiesOnly=yes ${USER}@academia.local

Host *.local
     IdentityAgent none
     IdentitiesOnly yes
     PreferredAuthentications password

Host 10.19.83.*
     IdentityAgent none
     IdentitiesOnly yes
     PreferredAuthentications password

Immutable » Authorization » Key

Linux » Immutable » authorized_keys 
sudo chattr +i /home/academia/.ssh/authorized_keys #Immutable
sudo chattr -i /home/academia/.ssh/authorized_keys #  Mutable

Playground

cat << EXE | sudo bash
sed 's|#PasswordAuthentication yes|PasswordAuthentication no|' -i /etc/ssh/sshd_config
sed 's|#PubkeyAuthentication yes|PubkeyAuthentication yes|'    -i /etc/ssh/sshd_config
sed 's|#PermitEmptyPasswords no|PermitEmptyPasswords no|'      -i /etc/ssh/sshd_config
sed 's|#PermitRootLogin yes|PermitRootLogin no|'               -i /etc/ssh/sshd_config
systemctl restart ssh
EXE

cat << EXE | sudo bash
sshd -T | grep -i PasswordAuthentication
sshd -T | grep -i PubkeyAuthentication
sshd -T | grep -i PermitEmptyPasswords
sshd -T | grep -i PermitRootLogin
systemctl status  ssh
EXE

References

Retrieved from "https://wiki.chorke.org/index.php?title=SSH/Public_Key_Authentication&oldid=15201"