Admin... by accident!

You may have chosen to be an admin. I didn't!

  • Home
  • FreeBSD
  • GNU/Linux
  • Security
  • Network
  • Virtualization
  • Politics
  • Github
  • Donate
  • Me

SSH keys

April 25, 2017 by Albert Valbuena

SSH or how to remotely control a UNIX system in a secure manner.

The SSH keys is a secure method to interact with a UNIX system remotely. They are also used to transfer data between different systems. Using clever cryptography anyone can use them. As their name state it is a pair of keys, one matching the other in a complex mathematical operation. One pair unlocks the other. The pains to unlock a key without knowing the other pair makes this method the safest and the standard around the world. Mathematical and cryptography advances have changed the implementations through the years making this method safer as time went by.

Ages ago to remotely control a UNIX machine one used Telnet. But soon the internet would become a wild place. Plain text logins became unsafe for certain tasks. Let’s be honest. Your password in some dark forum about some not very common topic is not very valuable. But your credit card information is. Server administration is not a joke and is a very valuable job if, for example, those servers keep the lights of your city on all night, keep your banking records, your medical files, etc.

If you find the articles in Adminbyaccident.com useful to you, please consider making a donation.

The SSH keys are originated with a program developed by the OpenBSD team and it is called OpenSSH. It has become a de facto standard to remotely control a UNIX box from another UNIX or unix-like system. This program uses clever encryption in order to cypher the content we type and for the logins to remote machines. This way you can get into your remote server without spilling sensible data such as your username and password or some other content you may be transmitting.

To enable ssh keys in your local machine you must use the following command and follow the prompt steps that are shown.

ssh-keygen -t rsa


If you enter a passphrase you must always remember it our you won’t log in again since any time you log in the passphrase will be asked.

Now login into the remote machine you want to control from your local machine. If the user account doesn’t have any directory labeled as .ssh it’s quite probable that user does not have any keys ready. Again type the command “ssh-keygen -t rsa” and generate the keys.

Don’t be surprised if you are looking for that misterious .ssh labeled directory and you can’t find it. Any file or directory whose name has a dot behind its name is considered hidden. A UNIX command that lists files and directories is ls. Anytime you type ls a list of files and dirs will show up.

If you want to find the hidden files or directories you must type ls -a


As you can see in the above picture if you just type ls you just see the regular directories. But once you type ls with the flag -a, then all the hidden files and directories are shown.

On the remote machine get into the .ssh directory, probably located in /usr/home/username/.ssh/. You have to write a new file called “authorized_keys”. You can create an empty file by typing the “touch” command and the name you wish to give to that file.
The file has to be named authorized_keys  it must have since the sshd daemon will look for a file named that way (as well as authorized_keys2) by default and check the keys from there.

Use your editor of choice to write the content from your local id_rsa.pub key file into the file you’ve just created. You will first  get the content by using the cat command as shown below:

Click on the image to expand

Now select the text to copy-paste.

Click on the image to expand

And paste the content into the authorized_keys file. Since the local public key file in your local machine matches the one you have written into the authorized_keys file on the remote machine, you can now login automatically and control your server remotely without the need of a password. If you chose to have a passphrase you may have the best of the two methods together. The security of an rsa    encrypted key and the ssh program plus the passphrase as a “regular password” to use that key.

Now in order to test we have successfully set a pair of keys we will disable user login with password and try to log in. In order to do that we will have to configure the configuration file for ssh. In FreeBSD it is located in the /etc/ssh directory and it is called sshd_config.

Just remove the # before PasswordAuthentication no as follows:

Now restart the service in order to the new configuration to take effect. Be aware to have accomplished the step explained above properly or you may find yourself unable to login to any remote server you may wish to control remotely.

If you are still logged in, congratulations. If you have been pushed out just try to log in again. If you are unable to, restart again or try to boot as single user mode and fix the configuration problem by restoring the # behind PasswordAuthentication no part at the /etc/ssh/sshd_config file.

You have to also change a different line to disable the “ChallengeResponseAuthentication” feature. Just pick up your favourite editor and comment out (this means to remove this symbol # in front of a line) this line and change the “yes” for a “no” in the main configuration file for ssh located in /etc/ssh/sshd_config

# ChallengeResponseAuthentication yes

It should look like:

ChallengeResponseAuthentication no

Then the sshd service has to be restarted. After that you can test it by logging out and then login in again. The remote system doesn’t ask for a password since it is using the ssh keys. Since they match the user logs in without a hassle and safely.

Disable root login (full disabling)

As before you must edit the file /etc/ssh/sshd_config and set the PermitRootLogin part as no. Under the “# Authentication:” part you will comment out the PermitRootLogin and set it properly so it must look as follows:

PermitRootLogin no

You can forget about this step since the root login is disable by default in FreeBSD. If you are using some GNU/Linux systems this step is mandatory so no one can log in as root from the outside. Mind that includes you.

Use this link to get 100 $ credit at DOcean and support Adminbyaccident.com hosting costs.

Filed Under: How To's, How To's, Security

Recent Posts

  • How to install Mate on FreeBSD 12/13
  • How to install Nessus 10 on FreeBSD 12
  • How to enable TLS traffic from the origin server on Cloudflare Argo Tunnel
  • How to use Cloudflare’s Argo Tunnel service to publish a website on FreeBSD 12/13
  • How to setup MariaDB master-slave replication on FreeBSD
  • How to upload a FreeBSD custom image on DigitalOcean
  • How to install Drupal 9 on FreeBSD 13.0
  • How to manage site visitors based on IP Geolocation
  • How to enable Geolocation in AWStats on FreeBSD 13.0
  • How to install AWStats on FreeBSD 13.0
  • How to configure Modsecurity 3 for WordPress on FreeBSD
  • How to configure Apache HTTP with a TLS reverse proxy backend on FreeBSD
  • How to detect a WAF – Web Application Firewall
  • How to install Matomo 4 on FreeBSD
  • How to test SSL/TLS configurations
  • How to configure Apache HTTP as a reverse proxy on FreeBSD
  • How to install Nextcloud on FreeBSD 12
  • How to install ModSecurity 3 on FreeBSD
  • How to replace a disk on a ZFS mirror pool
  • How to install Webmin on FreeBSD 12

Archives

  • February 2023
  • January 2023
  • December 2022
  • April 2022
  • March 2022
  • October 2021
  • September 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • September 2018
  • June 2018
  • May 2018
  • April 2018
  • February 2018
  • January 2018
  • November 2017
  • April 2017

RSS Admin… by accident!

  • How to install Mate on FreeBSD 12/13
  • How to install Nessus 10 on FreeBSD 12
  • How to enable TLS traffic from the origin server on Cloudflare Argo Tunnel
  • How to use Cloudflare’s Argo Tunnel service to publish a website on FreeBSD 12/13
  • How to setup MariaDB master-slave replication on FreeBSD
  • How to upload a FreeBSD custom image on DigitalOcean
  • How to install Drupal 9 on FreeBSD 13.0
  • How to manage site visitors based on IP Geolocation
  • How to enable Geolocation in AWStats on FreeBSD 13.0
  • How to install AWStats on FreeBSD 13.0

Copyright © 2023 · Magazine Pro Theme on Genesis Framework · WordPress · Log in