SSH and Secure Access with RSA certificate

Prerequisites:
1. Two Linux systems
2. Someone who is fed up with constantly entering an ssh username and password

There comes a time when you have had enough of constantly entering your username and password:

user@server1:~/.ssh$ ssh user@172.31.27.99
user@172.31.27.99's password:
Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64
Last login: Sat Apr 23 09:52:10 2016 from 172.31.100.158
user@server2:~$

Luckily there is another way, using an RSA key pair. Here is a quick way of setting it all up:
1. On your normal/daily workstation, generate a key pair:

user@server1:~/.ssh$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): [ENTER]
Enter passphrase (empty for no passphrase): yourpass_phrase [ENTER]
Enter same passphrase again: yourpass_phrase [ENTER]
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
da:fe:08:91:5f:63:89:8f:27:74:59:c1:19:d6:9f:2c user@server1
The key's randomart image is:
+--[ RSA 2048]----+
|           .++   |
|           .o..  |
|            . ...|
|       . . + E o.|
|      o S B   .  |
|       * * .     |
|      o = o      |
|       o +       |
|        o..      |
+-----------------+
user@server1:~/.ssh$

This will generate two files, id_rsa and id_rsa.pub: those are your private and public keys.

2. Copy your public key to the destination server

user@server1:~/.ssh$ ssh-copy-id user@172.31.27.99
user@172.31.27.99's password: 
Now try logging into the machine, with "ssh 'user@172.31.27.99'", and check in:

  ~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

If you go to your destination server and check ~/.ssh/authorized_keys, you will find that it has exactly the same content as your id_rsa.pub:

root@server2:/home/user/.ssh# ls -al
total 12
drwx------ 2 user user 4096 Apr 23 10:03 .
drwxr-xr-x 3 user user 4096 Apr 23 09:13 ..
-rw------- 1 user user  394 Apr 23 10:03 authorized_keys
root@server2:/home/user/.ssh# cat authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyN1oh1L9dVBOGgb5QVSoJ4Cls/l+uCSjwUeH7Jr2NYyTz/0VeLQSDmvAOlyhy/S26KY8wT41z9coT+O8TDWo4F+Wvz1M27fYvscaAQO3cY5iIIEHTV0BpORDHTKvHd/YnP0CVitE65sbTssUGApG9iHyE/yTDpl+g7xe/9NwSxjPYSn2ZGxcG0vWkIUPLFProDK5VPSYo4FI27s5F+uqsWK60Ey+SuotPp6BDIKqe6jnNWjmxYbPnVWyU4Qb0DiQNWX1HmmaxehknnJM7NZWIIOzY8kSsTC8hdxcZu1IGHO6N9IDn+bQUUz7OSzfzPwDvadchScD3vzUuRdGq10d1 user@server1
root@server2:/home/user/.ssh#
user@server1:~/.ssh$ cat id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyN1oh1L9dVBOGgb5QVSoJ4Cls/l+uCSjwUeH7Jr2NYyTz/0VeLQSDmvAOlyhy/S26KY8wT41z9coT+O8TDWo4F+Wvz1M27fYvscaAQO3cY5iIIEHTV0BpORDHTKvHd/YnP0CVitE65sbTssUGApG9iHyE/yTDpl+g7xe/9NwSxjPYSn2ZGxcG0vWkIUPLFProDK5VPSYo4FI27s5F+uqsWK60Ey+SuotPp6BDIKqe6jnNWjmxYbPnVWyU4Qb0DiQNWX1HmmaxehknnJM7NZWIIOzY8kSsTC8hdxcZu1IGHO6N9IDn+bQUUz7OSzfzPwDvadchScD3vzUuRdGq10d1 user@server1
user@server1:~/.ssh$

Now to test that this bit is working fine:

user@server1:~/.ssh$ ssh user@172.31.27.99
Enter passphrase for key '/home/user/.ssh/id_rsa': yourpass_phrase [ENTER]
Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64
Last login: Sat Apr 23 09:52:56 2016 from 172.31.100.158
user@server2:~$

You can of course leave the passphrase empty, and at this stage you are all done. However, if you have set a passphrase, do not despair: there is a way of telling your machine to remember it for you.
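The ssh-copy-id output above asks you to check authorized_keys for keys you were not expecting. Below is an added example (not code from the original post) that does that check in POSIX shell: it compares every entry in a ~/.ssh directory's authorized_keys with the public key you meant to install and verifies that neither the directory nor the file is group- or world-writable. It assumes GNU stat (-c); the sample keys are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Audits SSH_DIR/authorized_keys
# against one expected public key and the permissions shown in the post's
# listing (drwx------ for .ssh, -rw------- for authorized_keys).
# Assumes GNU coreutils stat. Sample key material below is constructed.

# Succeed when FILE has no group or world write bit; sshd with StrictModes
# (the default) refuses to use authorized_keys files that are writable by others.
not_group_or_world_writable() {
  perm=$(stat -c '%a' "$1")
  g=$(( perm / 10 % 10 )); o=$(( perm % 10 ))
  [ $(( g & 2 )) -eq 0 ] && [ $(( o & 2 )) -eq 0 ]
}

# Print "keytype blob" for an authorized_keys line, skipping any leading
# options such as from="..." or command="..." (the comment field is ignored).
key_type_and_blob() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
    if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i+1); exit } }'
}

# audit_authorized_keys SSH_DIR PUBKEY_FILE
# Returns 0 only if every key in SSH_DIR/authorized_keys is the one in
# PUBKEY_FILE and permissions are sane; each problem found is printed.
audit_authorized_keys() {
  ak="$1/authorized_keys"; expected=$(key_type_and_blob "$(cat "$2")"); rc=0
  not_group_or_world_writable "$1" || { echo "$1 is group/world-writable"; rc=1; }
  not_group_or_world_writable "$ak" || { echo "$ak is group/world-writable"; rc=1; }
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac   # blank lines and comments
    [ "$(key_type_and_blob "$line")" = "$expected" ] ||
      { echo "unexpected key in $ak: $line"; rc=1; }
  done < "$ak"
  return "$rc"
}

# Constructed sample: a .ssh holding only the expected key, then one extra key.
sample=$(mktemp -d); mkdir -m 700 "$sample/.ssh"
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTED user@server1' > "$sample/id_rsa.pub"
cp "$sample/id_rsa.pub" "$sample/.ssh/authorized_keys"
chmod 600 "$sample/.ssh/authorized_keys"
audit_authorized_keys "$sample/.ssh" "$sample/id_rsa.pub" && echo "ok: only the expected key"
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTED someone@elsewhere' >> "$sample/.ssh/authorized_keys"
audit_authorized_keys "$sample/.ssh" "$sample/id_rsa.pub" || echo "audit failed as expected"
rm -rf "$sample"
```

Run it on the destination server as the account you just set up, pointing it at that account's ~/.ssh and a copy of your id_rsa.pub.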

3. Using ssh-agent to remember the passphrase
From the DESCRIPTION section of the ssh-agent(1) manual page:
ssh-agent is a program to hold private keys used for public key authentication
(RSA, DSA, ECDSA). The idea is that ssh-agent is started in the beginning of
an X-session or a login session, and all other windows or programs are started
as clients to the ssh-agent program. Through use of environment variables the
agent can be located and automatically used for authentication when logging in
to other machines using ssh(1).

I tend to add this line to .bashrc file under my user profile:
eval `ssh-agent -s`

then check that it is running:

user@server1:~$ ps aux | grep ssh-agent
user      6088  0.0  0.0  12480   332 ?        Ss   10:22   0:00 ssh-agent -s
user      6090  0.0  0.0   7812   608 pts/0    S+   10:22   0:00 grep ssh-agent

Now that the authentication agent is running, the last remaining thing to do is to add the private key identities to the agent:

user@server1:~$ ssh-add
Enter passphrase for /home/user/.ssh/id_rsa: yourpass_phrase [ENTER]
Identity added: /home/user/.ssh/id_rsa (/home/user/.ssh/id_rsa)
user@server1:~$ 

Now, for the rest of the time that we remain logged in to our normal/daily workstation, the agent holds the unlocked key on our behalf, so the passphrase no longer has to be typed in for any of the hundreds of servers on which we may have installed the public key. To verify/list the fingerprints of all identities currently held by the agent, just run:

user@server1:~$ ssh-add -l
2048 da:fe:08:91:5f:63:89:8f:27:74:59:c1:19:d6:9f:2c /home/user/.ssh/id_rsa (RSA)
user@server1:~$ ssh user@172.31.27.99
Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64
Last login: Sat Apr 23 10:07:14 2016 from 172.31.100.158
user@server2:~$

If you are using the same username on both ends, you can skip the username:

user@server1:~$ ssh 172.31.27.99
Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64
Last login: Sat Apr 23 10:07:14 2016 from 172.31.100.158
user@server2:~$

4. Troubleshooting

If you get stuck and something isn't working the way it should, connect using the verbose switch -v (or, if you want to go nuts, go extra verbose with -vvv):

user@server1:~$ ssh 172.31.27.99 -v
OpenSSH_6.0p1 Debian-4+deb7u4, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 172.31.27.99 [172.31.27.99] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4+deb7u4
debug1: match: OpenSSH_6.0p1 Debian-4+deb7u4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA f9:c4:2a:ee:20:5e:66:c2:fc:76:12:63:53:13:9e:dc
debug1: Host '172.31.27.99' is known and matches the ECDSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/user/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to 172.31.27.99 ([172.31.27.99]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8
Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64
Last login: Sat Apr 23 10:34:20 2016 from 172.31.100.158
user@server2:~$ 
