Open source software security

Generating a key pair for automatic SSH Public Key Authentication


Public Key Authentication (also referred to as PKA) is an authentication method that bypasses the traditional password prompt for SSH access. Installing your public key on a remote SSH server lets you log into that machine without entering a passphrase. While this can open up a host of security problems, it is sometimes necessary for scripts that invoke ssh and have no way to authenticate interactively against the remote machine. A good work-around for these risks is to limit which commands can be run from shells spawned through SSH PKA.

This tutorial assumes you have the SSH Secure Shell client installed locally and that the remote machine is running OpenSSH (http://www.openssh.com). You can download the Windows package from http://www.ssh.com/support/downloads/secureshellwks/non-commercial.html. SSH.com offers two types of client, a free one and a commercial version. Download the free, non-commercial version for private use.

Make sure to install the command line utilities for the package. Check that your environment variables include the path to the executables. You can check this in your Control Panel under 'System': open the 'Advanced' tab, then click the 'Environment Variables' button. Your PATH variable should list something like 'C:\Program Files\SSH Communications Security\SSH Secure Shell'. If it does not, find out where SSH Secure Shell was installed and add that directory to your PATH by selecting the PATH entry and clicking the 'Edit' button. Open a command prompt (Start->Run->cmd.exe) and type in:

> ssh-keygen2

This runs ssh-keygen2.exe, usually found in C:\Program Files\SSH Communications Security\SSH Secure Shell. You will be prompted for a passphrase; go ahead and enter a relatively complex one. When the command completes it has generated a public/private key pair, stored in:

C:\Documents and Settings\[your userName]\Application Data\SSH\UserKeys

Where [your userName] is the username you log into Windows with. The next step is to copy your public key (the one with the .pub extension) onto the target machine. To do this, SSH to the target machine and check whether a .ssh directory exists in your home directory, using:

$ ls -lah 

on a Linux system (on Solaris try "ls -la"). If you don't see a .ssh directory, create one with:

$ mkdir .ssh

Once that directory exists, sftp your public key into it using SSH Secure Shell's file transfer interface. Once the key is in the target directory you'll need to convert it to OpenSSH format. The current format should look something like:

---- BEGIN SSH2 PUBLIC KEY ----
Subject: Your User Name
Comment: "2048-bit dsa, Your User Name@YourMachineName, Wed Mar 23 2005 15:21:27"
AAAAB3NzaC1kc3MAAAEBAPALFo61qLzxl7kor68/J0yaWLDWdsgDUSbeUNvNmsso12g2ykGeAxH9MZRhfFcr2GSCiC1vcilJzFm3jsyxcb3JxjU5lN8K/qKXTylEd4tC8H9VLerxpQan
VDZIu5eTCxZkq3/lesPXlJp8JgnOyYmxr9JLZ8Ekp3FOFs1LqIvseaOvs4MN9eCVb1tFbs
4vmR2nRsYtdivTMHTDw+Vwwm4lVGn37WLKXPLAOTqirCtPlk0ZlLdgi0lqcsXt6ipEtgvO
GtX/imbgLkn/9D4rJlXApP7KuQBCZwi2Nz7y0AAAU=
---- END SSH2 PUBLIC KEY ----

Assume for this example that your key is named id_dsa_2048_a.pub. Convert it to OpenSSH format and append it to authorized_keys by typing:

$ ssh-keygen -i -f id_dsa_2048_a.pub >> authorized_keys

You can then take a look at the new key file ("authorized_keys"); each line should begin with the string "ssh-dss" followed by a bunch of gibberish (the base64-encoded key).
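To make the conversion step concrete, here is an added example (not part of the original tutorial, and not OpenSSH's own code) that reimplements what `ssh-keygen -i` does: it parses the SSH2 block shown above, checks that the decoded blob really starts with an algorithm name sshd understands, and emits the single authorized_keys line. It also takes an optional authorized_keys options prefix (such as `command="..."`), which is how the command restriction mentioned in the introduction is expressed. The sample key block is constructed from dummy bytes and is not a real key.

```python
import base64
import struct
import textwrap

SSH2_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
SSH2_END = "---- END SSH2 PUBLIC KEY ----"

def ssh_string(data: bytes) -> bytes:
    """One SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def parse_ssh2_public_key(text: str):
    """Split an RFC 4716 block into (headers, decoded key blob). Header lines
    are 'Name: value' (a trailing backslash continues them); base64 follows."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != SSH2_BEGIN or lines[-1] != SSH2_END:
        raise ValueError("not an SSH2 public key block")
    headers, b64, i = {}, [], 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line and not b64:  # base64 text never contains ':'
            while line.endswith("\\"):
                i += 1
                line = line[:-1] + lines[i]
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip().strip('"')
        else:
            b64.append(line)
        i += 1
    return headers, base64.b64decode("".join(b64), validate=True)

def to_openssh_line(text: str, options: str = "") -> str:
    """What `ssh-keygen -i` does: emit one authorized_keys line after checking
    the blob's leading algorithm name (here the Comment header is kept as the
    trailing comment). `options` is an optional prefix such as
    'command="...",no-pty' that confines what the key may run."""
    headers, blob = parse_ssh2_public_key(text)
    (n,) = struct.unpack(">I", blob[:4])
    ktype = blob[4:4 + n].decode("ascii")
    if ktype not in ("ssh-dss", "ssh-rsa"):
        raise ValueError(f"unsupported key type {ktype!r}")
    line = f"{ktype} {base64.b64encode(blob).decode()}"
    if "Comment" in headers:
        line += " " + headers["Comment"]
    return f"{options} {line}" if options else line

# Constructed sample (not a real key): a DSA-shaped blob with dummy field
# bytes, wrapped at 70 columns the way the SSH.com client writes it.
SAMPLE_BLOB = ssh_string(b"ssh-dss") + b"".join(ssh_string(bytes([v]) * 8) for v in (1, 2, 3, 4))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE = "\n".join([SSH2_BEGIN, "Subject: alice", 'Comment: "1024-bit dsa, \\',
                    'alice@winbox, constructed"', *textwrap.wrap(SAMPLE_B64, 70), SSH2_END])
```

Calling `to_openssh_line(SAMPLE, 'command="/usr/local/bin/backup.sh",no-pty')` yields a line that, appended to authorized_keys, lets the key run only that command.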

Make sure to check the modes on the .ssh directory and the authorized_keys file. The directory should be set to 700 and the authorized_keys file to 600:

$ chmod 700 .ssh
$ chmod 600 .ssh/authorized_keys

Next you'll need to update the authentication mode in your SSH client. Open it up and edit your profiles using the "Profiles" button and selecting "Edit Profiles". Highlight the profile you wish to edit in the left-hand pane. Check the "Authentication" tab and make sure "Public Key" is first in the list. The target system must also have PKA enabled. On a Mandrake Linux system you can find this configuration in /etc/ssh/sshd_config on the lines that look like:

#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

Uncomment these lines and restart the ssh daemon to enable PKA. Once these changes take effect you should be able to fire up your Windows SSH client and connect to the desired machine without entering a passphrase.