How to Setup Public Key Infrastructure (PKI) using OpenSSH

April 18, 2016

Secure Shell, or SSH, is a cryptographic (encrypted) network protocol operating at layer 7 of the OSI model that allows remote login and other network services to operate securely over an unsecured network. SSH provides a secure channel over an unsecured network in a client-server architecture, connecting an SSH client application with an SSH server. Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2.

OpenSSH is a freely available implementation of the Secure Shell (SSH) protocol family of tools for remotely controlling computers or transferring files between them. Traditional tools used for these tasks, such as telnet, are insecure and transmit the user's password in clear text. OpenSSH provides a server daemon and client tools that offer secure, encrypted remote control and file transfer, effectively replacing the legacy tools.

Public key-based authentication works by creating a pair of keys: a private key and a public key. The private key is stored on the client machine and is secured and kept secret. The public key can be given to anyone or placed on any server you wish to access. When you connect using a key pair, the server uses the public key to create a challenge for the client that can only be answered with the private key. The client sends the appropriate response back to the server, which then knows that the client is legitimate. This entire process happens automatically in the background once the keys are set up.

This article covers the installation and detailed configuration of an OpenSSH server.

Preparation & Installation

  • Download the Ubuntu 14 ISO image and install it as a virtual machine in VMware.
  • Boot Ubuntu with the network adapter in NAT mode so that it shares the host's IP address for internet access.


Figure: 1 Network Mode Setting in VMWare

  • Ping the guest VM from the host machine to check connectivity between the two.
  • Ping an internet host from the guest VM to check that the VM has internet access.
  • Log in to the Ubuntu machine as root.
  • From the Ubuntu terminal, update the package lists with apt-get update.
  • Type apt-get install ssh to install the OpenSSH server.
  • Type /etc/init.d/ssh start to start the SSH server.

Configuration

Installation Verification

  • Type /etc/init.d/ssh start to start the SSH server.
  • The VM IPs used in this document are 192.168.146.131 and 192.168.146.132; the host IP is 192.168.1.1.
  • From the host machine, type telnet 192.168.1.131 22 at the command prompt to check connectivity to the SSH server.
  • Download and install WinSCP. This tool is used on Windows to access the SSH server on the Linux machine and transfer files to and from it.
  • From the host machine, start WinSCP. Click New Site, enter 192.168.1.131 with the username and password, and click Connect.
  • After a successful connection, the Linux machine's file system is shown in WinSCP and can be browsed.

Basic OpenSSH Configuration

  • Open /etc/ssh/sshd_config in a text editor (for example nano /etc/ssh/sshd_config) to modify the OpenSSH server configuration.
  • Search for the Port directive. By default the SSH server listens on port 22. To use a custom port, change this value to the desired port number. The default setting is shown in the figure.


Figure: 2 Port of SSH Server

  • As mentioned above, two protocol versions exist, SSH-1 and SSH-2. SSH-1 may be required for compatibility with legacy systems, but it has known weaknesses, so keep Protocol 2 unless a legacy device leaves no choice. Search for the Protocol directive in the configuration file; the default setting is shown in the figure.


Figure: 3 Protocol of SSH Server

  • Additional configuration parameters are as follows:

LoginGraceTime specifies how many seconds the server keeps a connection open without a successful login before dropping it. Set this only slightly higher than the time a normal login takes, so that unauthenticated connections are not held open for long.

PermitRootLogin selects whether root is allowed to log in over SSH. In most cases this should be changed to "no" once you have created a user account that can log in through ssh and obtain elevated privileges (through su or sudo).

StrictModes is a safety guard: sshd refuses a login attempt if the user's home directory or authentication files (~/.ssh and authorized_keys) have permissions that are too open, for example writable by anyone other than the owner.

Additional parameters of the configuration file are shown in the figure.


Figure: 4 Additional Parameters of SSH Server
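The directives above can be checked and corrected without opening the file by hand. The script below is an added example, not part of the original article: it reads the effective value of each directive the way sshd does (first active occurrence wins, commented defaults are ignored), reports Protocol, PermitRootLogin and StrictModes against the values recommended above, and rewrites a directive in place. SAMPLE_CONFIG is a constructed excerpt modelled on the stock file, not a copy of any real host's sshd_config; the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example: audit and correct sshd_config directives.
# SAMPLE_CONFIG is a constructed excerpt, not a copy of any real host's file.
SAMPLE_CONFIG='# Package generated configuration file
Port 22
Protocol 2
#LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
'

# Effective value of a keyword.  sshd uses the first active occurrence of a
# keyword, so the first uncommented match wins; commented defaults such as
# "#LoginGraceTime 120" are ignored and nothing is printed for an unset keyword.
sshd_option() {
  local key=$1 config=$2
  awk -v key="$key" '
    $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
  ' "$config"
}

# Verdict for one keyword against the wanted value: OK, WEAK or UNSET.
check_option() {
  local key=$1 want=$2 config=$3 have
  have=$(sshd_option "$key" "$config")
  if [ -z "$have" ]; then echo UNSET
  elif [ "$have" = "$want" ]; then echo OK
  else echo WEAK
  fi
}

# Report the three security-relevant directives from the article; the return
# value is the number of directives not at the wanted value (0 means all OK).
audit_sshd_config() {
  local config=$1 bad=0 key want verdict
  while read -r key want; do
    verdict=$(check_option "$key" "$want" "$config")
    printf '%-16s %-6s %s\n' "$key" "$(sshd_option "$key" "$config")" "$verdict"
    [ "$verdict" = OK ] || bad=$((bad + 1))
  done <<'EOF'
Protocol 2
PermitRootLogin no
StrictModes yes
EOF
  return "$bad"
}

# Set a keyword in place: rewrite the first active or commented occurrence,
# or append when the keyword is absent.  Because sshd honours the first
# occurrence, replacing the earliest line is enough even if a later
# duplicate remains.
set_sshd_option() {
  local key=$1 value=$2 config=$3 tmp
  tmp=$(mktemp)
  awk -v key="$key" -v value="$value" '
    !done && (tolower($1) == tolower(key) || tolower($1) == ("#" tolower(key))) {
      print key, value; done = 1; next
    }
    { print }
    END { if (!done) print key, value }
  ' "$config" > "$tmp" && mv "$tmp" "$config"
}

main() {
  local cfg
  cfg=$(mktemp)                      # work on a copy, never on the live file
  printf '%s' "$SAMPLE_CONFIG" > "$cfg"
  echo "== as installed =="
  audit_sshd_config "$cfg" || echo "$? directive(s) need attention"
  set_sshd_option PermitRootLogin no "$cfg"
  set_sshd_option LoginGraceTime 30 "$cfg"
  echo "== after changes =="
  audit_sshd_config "$cfg" && echo "all audited directives at wanted values"
  rm -f "$cfg"
}
main
```

On a real server, point the functions at /etc/ssh/sshd_config, keep a backup, and run sshd -t before restarting the service so a typo cannot lock you out.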

Public/Private Key Generation for SSH Authentication

Key-based authentication works by creating a pair of keys: a private key and a public key. The private key is located on the client machine and is secured and kept secret.

  • Type ssh-keygen -t rsa -b 4096 to generate the key pair and press Enter to accept the defaults. When prompted for a passphrase, entering one protects the private key if the file is ever copied. The keys are created at /root/.ssh/id_rsa (private) and /root/.ssh/id_rsa.pub (public), as shown in the figure.


Figure: 5 Key Pair Generation for SSH Server

  • Type ls -al /root/.ssh to confirm that the public key /root/.ssh/id_rsa.pub and the private key /root/.ssh/id_rsa exist, as shown in the figure.


Figure: 6 Public and Private Key files

Prepare Client Machine

Clone this VM as a separate machine and repeat the key-generation step above on it. The IP of the new VM is 192.168.146.132. The terms Machine 1 (192.168.146.131) and Machine 2 (192.168.146.132) are used below when exchanging the public keys and logging in to the machines without a password.

Transfer Public Key to Client

  • From Machine 1, type ssh-copy-id 192.168.146.132 to copy the public key to Machine 2, as shown in the figure. ssh-copy-id asks for Machine 2's password once and appends the key to /root/.ssh/authorized_keys there.


Figure: 7 Copy Public Key from Machine 1 to Machine 2

  • From Machine 2, type ssh-copy-id 192.168.146.131 to copy the public key to Machine 1, as shown in the figure.


Figure: 8 Copy Public Key from Machine 2 to Machine 1
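To make clear what ssh-copy-id does on the receiving machine, and why the StrictModes guard described earlier matters for key login, here is an added example that is not part of the original article. It appends a public key line to authorized_keys exactly once, sets the permissions sshd expects (0700 on .ssh, 0600 on authorized_keys), and then emulates the StrictModes permission test so you can see a group-writable .ssh directory being rejected. DEMO_PUBKEY is a constructed placeholder, not a real key; the function names are this example's own, and a temporary directory stands in for root's home on Machine 2.

```bash
#!/usr/bin/env bash
# Added example: what ssh-copy-id does on the receiving machine, plus the
# permission check that StrictModes enforces.  DEMO_PUBKEY is a constructed
# placeholder line, not a real key; a real one comes from ~/.ssh/id_rsa.pub.
DEMO_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ-PLACEHOLDER-NOT-A-REAL-KEY root@machine1'

# File mode as octal digits: GNU stat first, BSD stat as the fallback.
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Append one public key to $home/.ssh/authorized_keys the way ssh-copy-id does:
# create ~/.ssh with mode 0700 if needed, skip the key if that exact line is
# already present, and keep authorized_keys at 0600.  Prints "added" or "present".
install_pubkey() {
  local home=$1 pubkey=$2 dir="$1/.ssh" file="$1/.ssh/authorized_keys"
  ( umask 077; mkdir -p "$dir"; touch "$file" )
  chmod 700 "$dir" && chmod 600 "$file"
  if grep -qxF -- "$pubkey" "$file"; then
    echo present
  else
    printf '%s\n' "$pubkey" >> "$file"
    echo added
  fi
}

# Emulate the StrictModes test sshd applies before accepting a key: the home
# directory, ~/.ssh and authorized_keys must not be writable by group or others.
# Prints one reason per problem and returns 1 if any was found.  (sshd also
# checks that the owner matches the logging-in user, which a single-user demo
# cannot show.)
strict_modes_check() {
  local home=$1 bad=0 p
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    if [ ! -e "$p" ]; then
      echo "missing: $p"; bad=1; continue
    fi
    case $(mode_of "$p") in
      *[2367]|*[2367][0-7]) echo "writable by group or others: $p"; bad=1 ;;
    esac
  done
  return "$bad"
}

main() {
  local home
  home=$(mktemp -d)   # stands in for root's home directory on Machine 2
  echo "first ssh-copy-id:  $(install_pubkey "$home" "$DEMO_PUBKEY")"
  echo "second ssh-copy-id: $(install_pubkey "$home" "$DEMO_PUBKEY")"
  echo "authorized_keys lines: $(grep -c . "$home/.ssh/authorized_keys"), mode $(mode_of "$home/.ssh/authorized_keys")"
  strict_modes_check "$home" && echo "StrictModes: OK, key login would be allowed"
  chmod 775 "$home/.ssh"      # a common mistake: group-writable .ssh directory
  strict_modes_check "$home" || echo "StrictModes: key login would be refused"
  rm -rf "$home"
}
main
```

If passwordless login fails after ssh-copy-id, running the check against the real home directory on the target machine (and looking at /var/log/auth.log there) is usually the quickest way to find a permissions problem.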

Login to Machines without Password

  • From Machine 1, type ssh 192.168.146.132 to log in to Machine 2 without a password, as shown in the figure.


Figure: 9 Login from Machine 1 to Machine 2 without Password

  • From Machine 2, type ssh 192.168.146.131 to log in to Machine 1 without a password, as shown in the figure.


Figure: 10 Login from Machine 2 to Machine 1 without Password

Conclusion

This article is a detailed theoretical and hands-on introduction to public key infrastructure with OpenSSH. The first section discussed SSH/OpenSSH and its associated concepts. A test bed, or lab environment, was then prepared on Ubuntu 14 to apply the SSH and PKI knowledge, and everything from basic SSH configuration to the generation of SSH key pairs was explained. Finally, these keys were used on two machines to set up secure login without a password.
