#1 |
|
All Star
Join Date: Jan 2004
Location: Limerick, PA
Posts: 687
|
SSH RSA keys security question
I want to make sure I haven't made a security mistake in setting up my RSA keys in configuring SSH. The SLS manual contains a guide that has the private key stored on the server, and the public key stored in an authorized_keys2 file on the remote Mac I will be connecting from. In practice, this seems to bypass the password protection I specified when I ran keygen (I am not being prompted for the key password). It also seems to be opposite what I have read on a lot of websites regarding how to set up SSH.
Suggestions?
#2 |
|
League Commissioner
Join Date: Sep 2003
Location: Tokyo
Posts: 6,043
|
Other way round. The private key stays on YOUR computer (hence 'private') and the public key goes in the ~/.ssh/authorized_keys file on the computer you want to connect to. If it's done properly you won't be asked for a password when you log in again - that's the whole point of public/private keys.
#3 |
|
MVP
Join Date: May 2004
Posts: 2,012
|
Though it would probably be a good idea to not use a passphrase-less key-pair. If your private key ever gets out, anyone can log in to your machines just as you would. It'd be better to use a passphrase that can be cached by the system Keychain or gpg-agent.
#4 |
|
All Star
Join Date: Jan 2004
Location: Limerick, PA
Posts: 687
|
So is the Apple manual wrong, or did I just read it wrong?
Strangely, after setting it up backwards, I've been able to log in to the server fine! Is there a setting I need to change to REQUIRE the use of RSA keys, and deny attempts without the key?
#5 |
|
All Star
Join Date: Jan 2004
Location: Limerick, PA
Posts: 687
|
Got it working right finally. Put the private key on my laptop, and the public key on the server and now I can log in without a password.
What was confusing me was that I was being offered a password prompt when logging in, and was able to successfully connect when I entered it. After reading more, what I saw was that the RSA key was not working, and SSH was dropping back to password authentication. Since I knew the correct password (mine), I was getting successfully logged in anyway. Taking a look at the secure.log shows me the server is undergoing a constant stream of dictionary attacks, so next I read some more about SSH, and was able to completely turn off password authentication (in /etc/sshd_config), so that only RSA keys can get you in. That's a nice feature!
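
Post #5 describes sshd quietly falling back to a password prompt until password authentication was turned off in /etc/sshd_config. The following is an added example, not part of the original thread: a Python check that reads sshd_config text and lists the password-based login methods still enabled, using sshd's rule that the first value seen for a keyword wins. The sample configs are constructed, the function names are hypothetical, and Include files and Match blocks are not evaluated.

```python
import re

# Defaults OpenSSH applies when a keyword is absent (see sshd_config(5)).
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}
# ChallengeResponseAuthentication is the older name for the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_settings(config_text):
    """Global values sshd would use: the first value seen for a keyword wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or commented-out line
            continue
        parts = re.split(r"[\s=]+", line)
        keyword = parts[0].lower()             # keywords are case-insensitive
        if keyword == "match":                 # conditional blocks: not evaluated
            break
        keyword = ALIASES.get(keyword, keyword)
        if keyword in DEFAULTS and len(parts) > 1:
            settings.setdefault(keyword, parts[1].lower())
    return {**DEFAULTS, **settings}

def password_paths_open(config_text):
    """List the password-based methods a dictionary attack could still try."""
    s = effective_settings(config_text)
    return [k for k in DEFAULTS if s[k] != "no"]

# Constructed samples: a config with everything commented out, a keys-only
# config, and one where an early "yes" shadows the later "no".
SHIPPED = "#PasswordAuthentication yes\n#ChallengeResponseAuthentication yes\n"
KEYS_ONLY = ("PubkeyAuthentication yes\n"
             "PasswordAuthentication no\n"
             "ChallengeResponseAuthentication no\n")
SHADOWED = ("PasswordAuthentication yes\n"
            "ChallengeResponseAuthentication no\n"
            "PasswordAuthentication no\n")

if __name__ == "__main__":
    for name, text in [("shipped", SHIPPED), ("keys-only", KEYS_ONLY),
                       ("shadowed", SHADOWED)]:
        print(name, "->", password_paths_open(text) or "keys only")
```

On a live server, `sshd -T` prints the effective configuration as sshd itself computes it.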
| Tags |
| rsa, ssh |