Introduction

If you want to stop using passwords to SSH onto your servers then an SSH keypair is the way to go. When you run an application such as PuTTY and Pageant side by side you will never have to type a username and password again. The reason to use Pageant is to avoid entering your private key passphrase repeatedly: once you load the key and enter the passphrase, the agent runs in the background, so all that is needed is a single load of the key at the start of your day.

How to

On the client you will need to create an SSH public/private keypair, either using PuTTY or a similar program on Windows:

Please see here for help with PuTTY configuration

Or if using Linux:

ssh-keygen -t rsa

This will create two files in your (hidden) ~/.ssh directory called id_rsa and id_rsa.pub. The first, id_rsa, is your private key and the other, id_rsa.pub, is your public key.

The permissions will also need to be set on the private key (and on the directory that holds it):

$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/id_rsa

Copy the public key (id_rsa.pub) to the server and install it to the authorized_keys list:

$ cat id_rsa.pub >> ~/.ssh/authorized_keys

and finally set file permissions on the server:

$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys

The above permissions are required if StrictModes is set to yes in /etc/ssh/sshd_config (the default).
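The steps above (create the directory, append the key, set the modes) are easy to get subtly wrong, for example by appending the same key twice or leaving the file group-readable so that StrictModes rejects it. The script below is an added example, not part of the original post: it installs a public key into an authorized_keys file idempotently and applies exactly the 700/600 permissions described. The key string and the temporary directory are constructed placeholders for the demo; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into a
# user's authorized_keys idempotently and apply the permissions StrictModes
# expects. The sample key and demo directory below are constructed.

install_authorized_key() {
    pubkey="$1"                # one line, as found in id_rsa.pub
    sshdir="${2:-$HOME/.ssh}"  # defaults to the real ~/.ssh
    authfile="$sshdir/authorized_keys"

    # A restrictive umask keeps new files private even before the explicit chmod.
    umask 077
    mkdir -p "$sshdir"
    touch "$authfile"

    # Append only if this exact line is not already present (-x whole line,
    # -F fixed string), so repeated runs never duplicate an entry.
    if ! grep -qxF "$pubkey" "$authfile"; then
        printf '%s\n' "$pubkey" >> "$authfile"
    fi

    # The modes sshd requires when StrictModes is yes (the default).
    chmod 700 "$sshdir"
    chmod 600 "$authfile"
}

# Octal mode of a path, covering the GNU and BSD/macOS spellings of stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Number of authorized_keys entries that are neither blank nor comments.
count_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1"
}

# Demo on a throwaway directory. DEMO_KEY is a constructed placeholder, not a real key.
DEMO_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEMOKEYPLACEHOLDER user@client'
DEMO_DIR="$(mktemp -d)/.ssh"
install_authorized_key "$DEMO_KEY" "$DEMO_DIR"
install_authorized_key "$DEMO_KEY" "$DEMO_DIR"   # second run must not add a duplicate
echo "entries: $(count_keys "$DEMO_DIR/authorized_keys"), dir mode $(mode_of "$DEMO_DIR"), file mode $(mode_of "$DEMO_DIR/authorized_keys")"
```

On a real server, run `install_authorized_key "$(cat id_rsa.pub)"` as the target user and leave the second argument off so it lands in that user's ~/.ssh. Because the home directory must also not be group- or world-writable under StrictModes, check `ls -ld ~` as well if key login still fails; `sshd` logs the exact complaint in /var/log/secure on CentOS.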

Make sure the following lines in /etc/ssh/sshd_config are present and uncommented (RSAAuthentication only applied to the obsolete SSH protocol 1 and is deprecated and ignored by current OpenSSH releases, so PubkeyAuthentication is the setting that matters):

RSAAuthentication yes
PubkeyAuthentication yes

Once you have checked that you can successfully log in to the server using your public/private key pair, you can disable password authentication completely by adding the following setting to your /etc/ssh/sshd_config file:

# Disable password authentication forcing use of keys
PasswordAuthentication no
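Editing sshd_config by hand has two traps: sshd honours only the first active occurrence of a keyword, so a `PasswordAuthentication no` appended at the bottom is silently overridden by an earlier `PasswordAuthentication yes`, and global directives must precede any `Match` block. The following added example (mine, not from the original post) sets a directive while respecting both rules, and reports the value sshd would actually use. It works on a constructed sample file that mimics a stock CentOS layout; the function names are assumptions. It also sets `ChallengeResponseAuthentication no`, which on a PAM-enabled CentOS box is needed alongside `PasswordAuthentication no` to stop password prompts being offered through keyboard-interactive auth.

```shell
#!/bin/sh
# Added example (not from the original post): set an sshd_config directive the
# way sshd reads it (first active occurrence wins, globals before Match) and
# read back the effective value. Operates on a constructed sample file.

set_sshd_directive() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { lk = tolower(key); done = 0; inmatch = 0 }
        # Global directives must precede any Match block; if none was rewritten
        # by the time the first Match appears, insert the directive just before it.
        tolower($1) == "match" { if (!done) { print key, value; done = 1 }; inmatch = 1 }
        # Active (uncommented) occurrence in the global section: rewrite the
        # first one, drop later duplicates (sshd only honours the first anyway).
        !inmatch && tolower($1) == lk && $0 !~ /^[[:space:]]*#/ {
            if (!done) { print key, value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key, value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Value sshd would use globally: first active occurrence before any Match block.
effective_value() {
    awk -v lk="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == lk && $0 !~ /^[[:space:]]*#/ { print $2; exit }
    ' "$1"
}

# Number of active global lines for a keyword (should be exactly 1 after editing).
global_count() {
    awk -v lk="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == lk && $0 !~ /^[[:space:]]*#/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# Constructed sample resembling a stock CentOS sshd_config (not the real file).
CFG="$(mktemp)"
cat > "$CFG" <<'EOF'
Port 22
#PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication yes
EOF

set_sshd_directive "$CFG" PubkeyAuthentication yes
set_sshd_directive "$CFG" PasswordAuthentication no
set_sshd_directive "$CFG" ChallengeResponseAuthentication no

echo "PasswordAuthentication -> $(effective_value "$CFG" PasswordAuthentication)"
echo "PubkeyAuthentication   -> $(effective_value "$CFG" PubkeyAuthentication)"
```

To apply this to the live file, run the three `set_sshd_directive` calls against /etc/ssh/sshd_config as root, validate with `sshd -t`, reload with `systemctl reload sshd`, and keep your current key-based session open while you confirm from a second terminal that password login is refused and key login still works.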


Securing OpenSSH with Certificates on CentOS