ssh without login / public key authentication / key exchange

On the local machine:

  • Check if you already have a key
    • ls -l ~/.ssh/*.pub
      • -rw-r--r-- 1 charly charly 397 Sep  4  2009 /home/charly/.ssh/id_rsa.pub
  • Otherwise create a new key
    • ssh-keygen -t rsa -b 4096 -o -a 64
    • Passphrase strongly recommended!
  • Copy your key to the remote machine:
    • ssh-copy-id user@remote-host
  • If ssh-copy-id is not available, or sshd does not allow password login for the desired user (e.g. root), do it by hand:
    • Locally:
      • cat ~/.ssh/id_rsa.pub
      • Copy output to clipboard
    • Connect to the remote system (via sudo or from a permitted IP address)
      • vi ~/.ssh/authorized_keys
      • Append a new line, paste from clipboard and save
      • chmod 600 ~/.ssh/authorized_keys

Add or change the passphrase of a private ssh key

  • ssh-keygen -p -f ~/.ssh/id_rsa

Restrict via authorized_keys

A very nice option is to restrict what a remote user authenticating with a given key can do.

  • vi /root/.ssh/authorized_keys
    • Find the line for the remote system
    • Prepend:
      • restrict,from="123.123.123.123",command="uptime"
      • restrict requires OpenSSH 7.2 or newer; from= limits the source address, command= forces that command no matter what the client asked for

All options: http://man.openbsd.org/sshd.8#AUTHORIZED_KEYS_FILE_FORMAT
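As an added example (not part of the original notes), a bash script that audits authorized_keys lines for the three options shown above. The key lines are constructed samples; the parser honours quotes so commas and spaces inside command="..." do not break the split.

```bash
#!/bin/bash
# Constructed sample authorized_keys content; the key blobs are placeholders, not real keys.
SAMPLE_KEYS=$(cat <<'EOF'
restrict,from="123.123.123.123",command="uptime" ssh-ed25519 AAAAC3PLACEHOLDER monitor@host
ssh-rsa AAAAB3PLACEHOLDER charly@laptop
command="rsync --server -a . /backup",no-pty ssh-rsa AAAAB3PLACEHOLDER backup@host
EOF
)

# Split $1 on separator $2, honouring double quotes so that commas and spaces
# inside command="..." or from="..." do not split. With $3=1 stop at the first
# separator and emit the remainder as a second field (options vs. the key).
split_q() {
    local s=$1 sep=$2 first=${3:-0} i c inq=0 field=""
    for ((i = 0; i < ${#s}; i++)); do
        c=${s:i:1}
        if [[ $c == '"' ]]; then inq=$((1 - inq)); field+=$c
        elif [[ $c == "$sep" && $inq -eq 0 ]]; then
            printf '%s\n' "$field"; field=""
            if (( first )); then printf '%s\n' "${s:i+1}"; return; fi
        else field+=$c; fi
    done
    printf '%s\n' "$field"
}

# Read authorized_keys lines from stdin. Print "<comment>: ok" for keys that carry
# the three options used above (restrict, from=, command=), otherwise the options
# the key lacks. Return value: number of keys lacking at least one of them.
audit_keys() {
    local line opts key comment o lacking lacking_total=0
    while IFS= read -r line; do
        [[ -z $line || $line == \#* ]] && continue
        # A line starting with a key type has no options field at all.
        if [[ $line == ssh-* || $line == ecdsa-* || $line == sk-* ]]; then
            opts="" key=$line
        else
            { IFS= read -r opts; IFS= read -r key; } < <(split_q "$line" ' ' 1)
        fi
        comment=$(awk '{print $3}' <<<"$key")
        lacking=""
        for o in restrict from= command=; do
            split_q "$opts" ',' | grep -q "^$o" || lacking+=" $o"
        done
        if [[ -z $lacking ]]; then printf '%s: ok\n' "$comment"
        else printf '%s: missing%s\n' "$comment" "$lacking"; lacking_total=$((lacking_total + 1)); fi
    done
    return "$lacking_total"
}

printf '%s\n' "$SAMPLE_KEYS" | audit_keys || echo "keys lacking options: $?"
```

Run it against a real file with `audit_keys < ~/.ssh/authorized_keys`; a non-zero exit status means at least one key is not fully pinned.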

Lock down the user as much as possible

In some cases it may be useful to lock down the user as much as possible:

  • Lock the password:
    • passwd -l username
  • Remove the login shell? No: sshd runs remote and forced commands through the user's shell, so nologin would break them
    • usermod -s /usr/sbin/nologin username


With custom/secondary identity / certificate

Expire key in memory

Gnome: (test!)

  • gsettings set org.gnome.crypto.cache gpg-cache-ttl 300
  • gsettings set org.gnome.crypto.cache gpg-cache-method 'timeout'
  • Note: these keys control the gnome-keyring GPG passphrase cache; for a key loaded into ssh-agent, a lifetime can be set with ssh-add -t 300 ~/.ssh/id_rsa