Change from SSH Password-Based authentication to SSH Key-Based authentication

Hi,

I want to move from password based authentication to key based authentication in SSH, and some questions arise.

I tested generating public and private keys in Windows, with the cmd prompt and with puttygen.
I want to use a password for my public key (if this is important for my questions).

1. Why am I getting two different formats of the private key, does it matter which one I use?

Example of generated key in cmd prompt
(This one IS using my name at the end)

Code:
ssh-rsa AAAAB3NzaC1yc2EAAAADddddsdfserDeqjjBgAXYrTGdqCj6HkgYI0C0437QFZxLfJv3f/9vM4Kla5CcalzQnkBp8CmV4lXXF++xz0IxdAE06GVmAAvZNFX2USSKb1WdK+8u0CJ7B4bJn598N3HfbBt15HtbuWGPz6nF7rtwk01kV2VDJgvpdWdD/wqasdfdffat2WMgWvTKbhWM99Wz10IHSASJDQoradlkZ0JePkvFhVStT2rPEvjyYwVfMVBk8ioQnLoiH0OKSnLzSEUasdafdsaadfw333QdXQLhur/fLEehA5byztJbUQrojgGe6+tOpEAOibNf0+xRQY8XYTNg42RhEmnkTEW97lXL35v84dTJ1kitMNHKBJaWzqVyLB3HLGG+ASDasdsvTvljo0i6Rpsj/gci0gzZJseI33mB1BGRFFra+jBGUaPUzdafVGTL3d2402u3xcjqqbOUQYaOhqwjG6nmH0PPQksAbOWz2z7dRoXCx04CxlhmpuzGX3LxNucNQGE= per andersson@PERANDERSSON

Generated in puttygen
(This one IS NOT using my name at the end)

Code:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20210515"
AAAAB3NzaC1yc2EAAAABJQAAAQEA4ccdRMj8Kh1G7HRXeVf+/4pFNxnttvDsSi7A
UZJkOxgc3CApTpY+xaAAADEVrxMEXLUTOeyt59d9jWqyUKwlFBAlTMpVySuppx5f
LHRnZKFla3cjBnCnUsiLKg6s3asddfew34Lkj8wQIw9Zy8psHCmAmw0k/zWsgTty
myVeeC/pwz9zh4CIzUg7me4UYjWKWV16Y8+3HyyURy6ni88dAFzeT+SoAJ7pdO0+
9lXA//q23O5hq9D56ROU/19/hm7MBXqZ56xTt4+h+qVE3vTyzzi07xkgZtYXDweR
YuQ/C5wm/icMvWWRVg2BsAwrMEJ6pFMijApY5dssygZYdFutLw==
---- END SSH2 PUBLIC KEY ----

2. When moving the key into ~/.ssh/authorized_keys - must the key string be on one single line without any line breaks or new lines?

3. Can I use password and key-based authentication simultaneously when setting this up? I'm afraid to lock myself out.

4. Does SFTP work in SSH when disabling password authentication ChallengeResponseAuthentication no in sshd_config?

Thank you,
 
1. Why am I getting two different formats of the private key, does it matter which one I use?
Yes. For ~/.ssh/authorized_keys use the one that's all on a single line. Not the one with BEGIN SSH2.

Can I use password and key-based authentication simultaneously when setting this up?
Yes. There is no need to modify sshd_config, everything is already set up for public key and/or password authentication.
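
The two formats in the question carry the same base64 key blob: the BEGIN SSH2 block is the RFC 4716 file format, while authorized_keys expects `type base64 comment` on a single line. The converter below is an added example, not part of the original posts; the sample key is constructed in code and is not a real key.

```python
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

def key_type_of(blob: bytes) -> str:
    """Every SSH public key blob starts with a length-prefixed algorithm name."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("bad algorithm-name length")
    return blob[4:4 + n].decode("ascii")

def rfc4716_to_authorized_keys(text: str) -> str:
    """Convert an RFC 4716 public key file to one authorized_keys line."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 public key file")
    comment, b64, body, i = "", [], lines[1:-1], 0
    while i < len(body):
        line = body[i]
        if ":" in line:  # header line; base64 never contains ':'
            while line.endswith("\\") and i + 1 < len(body):
                i += 1  # a trailing backslash continues the header
                line = line[:-1] + body[i]
            tag, _, value = line.partition(":")
            if tag.strip().lower() == "comment":
                comment = value.strip().strip('"')
        elif line:
            b64.append(line)
        i += 1
    blob = base64.b64decode("".join(b64), validate=True)
    fields = [key_type_of(blob), base64.b64encode(blob).decode("ascii")]
    return " ".join(fields + ([comment] if comment else []))

def constructed_sample() -> str:
    """Constructed ed25519-shaped blob (not a real key), wrapped across lines."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
    b64 = base64.b64encode(blob).decode("ascii")
    wrapped = [b64[i:i + 40] for i in range(0, len(b64), 40)]
    return "\n".join([BEGIN, 'Comment: "constructed-sample-key"', *wrapped, END])

if __name__ == "__main__":
    print(rfc4716_to_authorized_keys(constructed_sample()))
```

With OpenSSH installed, `ssh-keygen -i -f <file>` performs the same conversion.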
 
3. Can I use password and key-based authentication simultaneously when setting this up? I'm afraid to lock myself out.
Take a look at ssh-copy-id(1), it does most of the job for you.

If your public key is in the default location (~/.ssh/id_*.pub) and you run ssh-copy-id somehost, then it will:
  1. log you in to somehost (asking for the password if needed),
  2. read your public key from its location,
  3. copy that key into ~/.ssh/authorized_keys on somehost.
 
Just one thing to consider in general: While only allowing keys gives you the best possible security (given you don't "lose" your private key), it has a downside. That's simply the requirement to actually carry your private key with you to be able to do anything.

IMHO, this doesn't play well with Murphy's Law ;) At least, I had situations where I really needed to quickly fix something on my server, from an "internet-cafe" in Casablanca, and using my phone in some WiFi on Mallorca. It happens ;) If you use reasonably strong passwords, the security level should still be acceptable and all you need for access is right there in your head.

So, I won't say "don't", just giving something to think about before you do. There are always tradeoffs with any decision ;)
 
That's true, it's important to keep your private key safe. Personally, I'd only keep private keys on encrypted drives, or use private keys with a passphrase where that's not possible.

So, a mixed strategy for a password-less sshd could be: on your main machines with encrypted drives, you've got your 'regular' private keys. On unencrypted and/or mobile devices, you've got your 'travel' keys that require a passphrase. When you lose/invalidate one of those, the other can still continue to work.

But Zirias is right, of course: when you've got no device with you, and no way to get to your private key, you're hosed, and cannot access a password-less sshd.
 
So, a mixed strategy for a password-less sshd could be: on your main machines with encrypted drives, you've got your 'regular' private keys. On unencrypted and/or mobile devices, you've got your 'travel' keys that require a passphrase. When you lose/invalidate one of those, the other can still continue to work.
That makes sense. As a possible alternative, you can use only passphrase-protected keys, but use ssh-agent(1) (PuTTY provides a similar tool for Windows) so you only have to unlock them once per session.
 
I like to use both command line ssh and PuTTY-aware tools like WinSCP to connect from Windows 8 to remote machines, so I always generate the keys on the command line using a Windows port of ssh-keygen, which it sounds like you have already done, then convert the private key into a PuTTY-format version using the PuTTY Key Generator (puttygen.exe) and save it as putty.ppk.

You'll end up with 3 files representing a single key pair for the Windows client machine:

id_rsa.pub (public key to be copied to each remote server)
id_rsa (private key representing this Windows client machine)
putty.ppk (same private key in PuTTY format)

If available, use ssh-copy-id to copy the public key to each remote server. If not, you can use cat and ssh itself to do the copy and set up the authorized_keys file. (Before doing this, I would log in manually and back it up first if it already exists):

cat ".ssh\id_rsa.pub" | ssh -t user@server "mkdir -p ~/.ssh && cat - >> ~/.ssh/authorized_keys && echo >> ~/.ssh/authorized_keys && chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys"

For PuTTY-related things like WinSCP, first run Pageant (pageant.exe) and select the putty.ppk file. If your security allows it, you can create a shortcut in the Startup folder to run it when Windows boots: "C:\Program Files\PuTTY\pageant.exe" "C:\Users\user\.ssh\putty.ppk"

For command-line SSH, first run ssh-agent and ssh-add with the id_rsa file instead.
 
FWIW, many (most?) desktop environments today are set up so that ssh-agent is running when you are logged in. Then all you need to do is run ssh-add(1) once, to add your ssh key(s) to the agent. (Yes, I'm assuming that you run your desktop on a real operating system, like FreeBSD.)
 
As Bruce Schneier said in CRYPTO-GRAM, April 15, 2005, "For anything that requires reasonable security, the era of passwords is over.".

Some of my hosts face the Internet. I only allow key based login, and always append this to /etc/ssh/sshd_config:
Code:
# We need to allow root login for rsnapshot backup server
PermitRootLogin prohibit-password
# We want login via ssh with keys only...
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
If you use a keychain when logged in, you only have to unlock your private key once.
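
A check worth running when lines like these are appended, as an added example that is not part of the original post: sshd keeps the first value it reads for each keyword, and every line after a Match line belongs to that block, so appended settings can end up without global effect. The sample file, the `backup` user and the wrapper path are constructed.

```python
import re

# Keywords and values from the sshd_config lines in the post above.
WANTED = {"pubkeyauthentication": "yes", "passwordauthentication": "no",
          "challengeresponseauthentication": "no"}

def parse_sshd_config(text):
    """Return (global settings, keywords found inside Match blocks)."""
    global_settings, scoped, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1] if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # lasts until the next Match or end of file
        elif in_match:
            scoped.append(key)
        else:
            global_settings.setdefault(key, value)  # first value wins
    return global_settings, scoped

def key_only_findings(text):
    """Reasons the file does not enforce key-only login globally."""
    global_settings, scoped = parse_sshd_config(text)
    findings = []
    for key, wanted in WANTED.items():
        actual = global_settings.get(key)
        if actual is None:
            findings.append(f"{key}: no global value, built-in default applies")
        elif actual.lower() != wanted:
            findings.append(f"{key}: earlier global '{actual}' wins over '{wanted}'")
        if key in scoped:
            findings.append(f"{key}: appears after a Match line, so not global")
    return findings

# Constructed sample: an existing file with the post's four lines appended.
SAMPLE = """\
PasswordAuthentication yes
Match User backup
# hypothetical wrapper path
ForceCommand /usr/local/bin/backup-wrapper
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    print("\n".join(key_only_findings(SAMPLE)))
```

On a live host, `sshd -t` checks the file for errors and `sshd -T` prints the effective configuration, which is the authoritative answer before closing the existing session.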
 
Well I use online banking and it relies on RSA signed certs. So there is that.
Look at our forums LetsEncrypt cert signing.
"PKCS #1 SHA-256 With RSA Encryption"

I have no choice in the algorithms used in these handshakes with my browser.
But for server to client SSH key checking you have a choice. Without a noticeable performance hit.
 
Thank you everyone for sharing your knowledge and experience. None of my friends share my interests, so I'm very grateful having you people here to ask. The FreeBSD community is really awesome.
 