SSH Key-Based Authentication

Prepared by: Anwer Sadath Abdhul Muttaliff

Project Overview

This project explains and sets up SSH key-based authentication for secure and passwordless access to remote servers. It covers the concepts of id_rsa, id_rsa.pub, known_hosts, and authorized_keys, along with additional configuration and permissions required for a Linux administrator.

Key Concepts

1. id_rsa (Private Key)

Description: A private key used for authentication, kept secret and never shared.

Location: ~/.ssh/id_rsa

Permissions: 600 (readable and writable only by the owner)

Usage: Used by SSH clients to authenticate with SSH servers by signing authentication requests.

2. id_rsa.pub (Public Key)

Description: The public counterpart to the private key. It can be shared openly.

Location: ~/.ssh/id_rsa.pub

Permissions: 644 (readable by anyone)

Usage: Added to the authorized_keys file on remote servers to enable key-based authentication.

3. authorized_keys (Authorized Keys)

Description: Stores public keys of clients allowed to log into the SSH server.

Location: ~/.ssh/authorized_keys on the remote server

Permissions: 600 (readable and writable only by the owner)

Usage: The SSH server checks this file for the client's public key and accepts the login only if the client proves possession of the matching private key.

4. known_hosts (Known Hosts)

Description: Keeps track of the public host keys of remote servers that the client has previously connected to, so that a changed host key is noticed, which helps prevent man-in-the-middle attacks.

Location: ~/.ssh/known_hosts on the client machine

Permissions: 600 (readable and writable only by the owner)

Usage: SSH client checks this file to verify the identity of the remote server.

Additional Concepts

SSH Key Generation

Command:

ssh-keygen -t rsa -b 2048 -C "your_email@example.com"

Purpose: Generates a new RSA key pair (id_rsa and id_rsa.pub).

Copying Public Key to Server

Command:

ssh-copy-id user@remote_host

Purpose: Copies the public key to the remote server's authorized_keys file.

Permissions
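
The modes listed under Key Concepts can be checked with a short script. This is an added example, not part of the original project: the function names are hypothetical, the 700 limit on the ~/.ssh directory is an assumption the page does not state, and GNU stat (Linux) is assumed. A file passes when it grants no permission bits beyond the listed mode, so a stricter mode such as 400 on a private key is accepted.

```shell
#!/bin/sh
# Added example: audit SSH file modes against the values listed on this page.
# Assumes GNU stat (stat -c '%a'), as found on Linux.

# check_mode PATH LIMIT: print one result line; return 1 if PATH grants
# any permission bit that LIMIT does not (for example 644 against 600).
check_mode() {
    path=$1 expected=$2
    [ -e "$path" ] || { echo "SKIP $path (not present)"; return 0; }
    actual=$(stat -c '%a' "$path")
    # Octal arithmetic: bits set in the actual mode but not in the limit.
    extra=$(( 0$actual & ~0$expected ))
    if [ "$extra" -eq 0 ]; then
        echo "OK   $path ($actual)"
    else
        echo "FIX  $path is $actual, limit $expected: chmod $expected $path"
        return 1
    fi
}

# audit_ssh_dir [DIR]: check the four files from Key Concepts plus the
# directory itself. Returns the number of findings (0 = clean).
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    bad=0
    # 700 on the directory is an assumption added here; the page lists only files.
    check_mode "$dir" 700                 || bad=$((bad + 1))
    check_mode "$dir/id_rsa" 600          || bad=$((bad + 1))
    check_mode "$dir/id_rsa.pub" 644      || bad=$((bad + 1))
    check_mode "$dir/authorized_keys" 600 || bad=$((bad + 1))
    check_mode "$dir/known_hosts" 600     || bad=$((bad + 1))
    return "$bad"
}

# Usage: audit_ssh_dir            (defaults to ~/.ssh)
#        audit_ssh_dir /home/alice/.ssh
```

Run it on the client for id_rsa and known_hosts, and on the server for authorized_keys; files that do not exist on that machine are skipped.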

Testing and Troubleshooting

Test Connection

Command:

ssh -i ~/.ssh/id_rsa user@remote_host

Purpose: Tests the SSH connection using the specified identity file.

Check SSHD Configuration

Command:

sshd -t

Purpose: Tests the SSH server configuration for syntax errors.

View Logs

Location: Check SSH logs for issues (/var/log/auth.log on many systems).

Example Configuration for sshd_config

# Authentication:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

PasswordAuthentication no

# Subsystem
# internal-sftp is built into sshd; sftp-server.exe is the Windows OpenSSH binary name
Subsystem sftp internal-sftp

Summary

By understanding and implementing the concepts of id_rsa, id_rsa.pub, authorized_keys, and known_hosts, you can effectively set up secure and passwordless SSH key-based authentication. Ensuring proper permissions and configurations will help maintain security and prevent unauthorized access.
