Security

Using SSH shared keys

OpenSSH can use a number of authentication mechanisms. One of the most popular (next to plain passwords) is shared keys, which OpenSSH calls public key authentication. Shared keys can give you a lot of security while still allowing more flexibility than simple passwords. Once the keys are set up, a user can secure shell into a box without a password. Only use this when you trust the remote user's account as much as if it were on the local box. If the remote user is on an insecure machine or is not trusted, then another authentication mechanism would be a better choice. The real benefit of shared keys comes when you need a script on one machine to run a program on another machine in a secure and encrypted manner.

An example Setup 

ClientA wants to secure shell into ServerB and run a program without getting prompted for a password.
Here is how to set up the secure keys.

On ServerB (logged in as the user that will have the remote access):

Check first to see if ~/.ssh exists, and if not, create it.

serverB$ mkdir ~/.ssh
serverB$ chmod 700 ~/.ssh

Generate the public and private keys

serverB$ ssh-keygen -q -f ~/.ssh/ClientA.key -t rsa -N "" -C "Key for ClientA Access"

Move the private key over to the client in a secure manner (NOT Email). I’ll use ssh for this example.

serverB$ scp ~/.ssh/ClientA.key clienta.epsb.ca:/tmp/

Edit the public key and tighten up the security.

The from variable is a comma-delimited list of hosts that you will accept this key from. Make sure that the client has a reverse pointer (PTR) record set up for this to work. An example of what the from variable should look like is as follows:

from="clienta,clienta.ourdomain.com"

The command variable lists the command that the remote user will be able to run when they execute the secure shell connection. The command listed is the only command that they will be able to run with this key. If this key is set up for standard shell access, then do not include a command variable. An example of what the command variable should look like is as follows:

command="/usr/local/bin/program"

Edit the public key ( ~/.ssh/ClientA.key.pub ) and add the from and command variables to the beginning of the file as follows. The options, key type, key data and comment must all stay on one single line:

from="clienta,clienta.ourdomain.com",command="/usr/local/bin/program" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4q0G/nwQ9hYx7iE47WDzmVAFJjkEB1F+MbLgPKcEIABdkYsA7B9B1VrJRd/Qi1GU0R6Jmdd/98H/Tt1DZIooPT2El1KShjujz6LeX3R8kt4axTTMRRqBWgIEIwc9XQP4/p7lQoh0qNIxWZdsDh1ez+i/HAnb588NEuxI/20i1xCDwf4x9hFPZiQVkZa56b7OVqxCIaokdP8PZWjbkXiEGDAUPpNr0gZ7x37n1Nyfpbg7hYBy0HxZ6e/M2Lk57K7B/oSos3ujkRLKvknwpSbGJrUbaK2v6TzrGXp69fso8zW9zRLycWcmpAr87cIhm/hvC5sJY5r4hxXPi+eemONNpw== Key for ClientA Access

Append the ClientA.key.pub file to the end of the authorized_keys file

serverB$ cat ~/.ssh/ClientA.key.pub >> ~/.ssh/authorized_keys
serverB$ chmod 600 ~/.ssh/authorized_keys
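
To check that every key on ServerB actually carries the from and command restrictions described above, here is an added audit script (not part of the original post). The names audit_authorized_keys and sample_entries are hypothetical, the sample entries are constructed with placeholder key bodies, and it assumes a line that starts with ssh-, ecdsa- or sk- is a key type with no options in front of it.

```shell
#!/bin/sh
# Added example (not from the original post): report authorized_keys entries
# that lack the from= or command= restriction. Reads FILE arguments or stdin.
audit_authorized_keys() {
    awk '
    # Record whether one option (text between unquoted commas) is from= or command=.
    function check(opt,   o) {
        o = tolower(opt)                      # option names are case-insensitive
        if (index(o, "from=") == 1) has_from = 1
        if (index(o, "command=") == 1) has_cmd = 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }         # skip comments and blank lines
    {
        line = $0; sub(/^[ \t]+/, "", line)
        has_from = 0; has_cmd = 0
        # Assumption: a line that starts with a key type carries no options.
        if (line !~ /^(ssh-|ecdsa-|sk-)/) {
            inq = 0; start = 1; n = length(line)
            for (i = 1; i <= n; i++) {
                c = substr(line, i, 1)
                if (inq && c == "\\" && substr(line, i + 1, 1) == "\"") { i++; continue }
                if (c == "\"") { inq = !inq; continue }
                if (inq) continue             # commas and spaces inside quotes are data
                if (c == ",") { check(substr(line, start, i - start)); start = i + 1 }
                else if (c == " " || c == "\t") break   # options end at first bare space
            }
            check(substr(line, start, i - start))
        }
        miss = (has_from ? "" : " from=") (has_cmd ? "" : " command=")
        print FNR ": " (miss == "" ? "ok" : "missing" miss)
    }' "$@"
}

# Constructed sample file; the key bodies are placeholders, not real keys.
sample_entries() {
    cat <<'EOF'
# keys for serverB
from="clienta,clienta.ourdomain.com",command="/usr/local/bin/program" ssh-rsa AAAAPLACEHOLDER Key for ClientA Access
ssh-rsa AAAAPLACEHOLDER unrestricted key
command="/bin/echo from=x, ok" ssh-rsa AAAAPLACEHOLDER forced command only
from="clienta" ssh-rsa AAAAPLACEHOLDER host-limited only
EOF
}

sample_entries | audit_authorized_keys
```

On a real host, run it as audit_authorized_keys ~/.ssh/authorized_keys; each output line is the line number in the file followed by ok or the restrictions that entry is missing.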
