Thursday, July 2, 2009

SSH Public Key Authentication and OS X

In most cases people just use SSH the good old fashioned way, they login using a password and usually to the root account. Now there's nothing wrong with this method, it's hands down more secure then using something like Telnet to access remote boxes, however I want to point out a few things you may want to consider even if you've never had a box compromised.

By using just password authentication even with a huge AlphaNum3r1c#p4ssw0rd you're allowing anyone from anywhere the ability to potentially Brute Force your password, gain access to your system(s), and do whatever the hell they want. Even more so if you allow logging in to the root account, because knowing a good username makes Brute Forcing a password just that much easier.

When you setup a Public/Private Key combo with the server(s) you access you're providing 2-part (or two-factor) authentication by providing something you know with something you have. This method is much more secure since you physically have to have the matching side of your key to authenticate.

To setup Public Key Authentication you'll need to generate a key pair (Public/Private) and then share the Public half with any servers you connect to.
  • Open Terminal and "cd ~/.ssh", then "ssh-keygen -t dsa -b 1024"
  • The default location of /Users/(your username)/.ssh/id_dsa is correct, hit enter
  • Now provide a passphrase for the key, this will be used as the part you know. Make sure it's a good one as you can store it in your Keychain so you don't have to type it everytime.
  • id_dsa is your Private key, id_dsa.pub is your Public key for sharing.
  • Next copy your shiny new 1024-bit DSA Public key to the server, "scp id_dsa.pub user@myremotehost:~/id_dsa.pub"
  • Now login to the remote server and insert the key data into SSH, either in ~/.ssh/authorized_keys or /etc/sshd_config directly "cat id_dsa.pub >> ~/.ssh/authorized_keys"
  • Now that you have your Public key in the authorized_keys file you can safely delete your remote copy of it, if you want to make keep it there make sure permissions of the id_dsa.pub are secure and set to owner only "chmod 700 id_dsa.pub" the same goes for authorized_keys, check it with "ls -l".
  • Now you want to logout of your remote server and log back in and verify everything works as it should. You should get a prompt for your passphrase this time and not the regular password.
  • If you can successfully login using your key then you're ready to disable password based authentication by opening your sshd_config and setting the option "PasswordAuthentication no" and restarting sshd.
The default Public Key location on most servers is: ~.ssh/authorized_keys

The default Private Key location on OS X is: ~.ssh/id_dsa

The next steps are optional but some like to disable Password Authentication, so the server only uses Public Key, personally I like to keep Password Auth there as a backup in case I lose my Private key, combined with my previous guide on Securing SSH with IPtables I can sleep at night. And there is no reason why you shouldn't have a secure encrypted USB flash drive like an IronKey on your keys that you carry with you wherever you go, so put your Private Key on there that way wherever you go you have your "keys" with you..

References:
http://matthewayo.blogspot.com/2008/06/securing-ssh-with-iptables-on-openwrt.html
http://sial.org/howto/openssh/publickey-auth/

I hope you find this guide helpful.

~Matt ajx7qcrndm
Posted by Matt at 8:34 AM

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)