Creating and Using SSH Key Files to Lock Down a System

SSH key files are a more secure way of locking down SSH, provided that username/password authentication is also disabled. It is also recommended to disable SSHv1.
Information on the following page is very helpful:

Client System – Generate a key file

Mac OS X or Linux

Use the ssh-keygen command to generate a key pair. The following command generates a 2048 bit DSA key. On some systems, 1024 bits may be the largest size available.

ssh-keygen -t dsa -f ~/.ssh/id_dsa

Enter a passphrase for the key file, and choose where to save it. The default save location is fine.

Windows / PuTTY

Download puttygen.exe, and generate an SSH-2 DSA key. Save the private key for use with PuTTY. The PuTTY Key Generator also displays the public key in a form that can be pasted into authorized_keys. SSH to the remote host and add that line to the ~/.ssh/authorized_keys file.

Remote System – Copy public key to remote system

Mac OS X or Linux

The SCP method overwrites the authorized_keys file (any keys already present on the remote system are lost):

scp -P PortNumber ~/.ssh/id_dsa.pub user@some.domain:~/.ssh/authorized_keys

This method will append to the authorized_keys file (RECOMMENDED):

cat ~/.ssh/id_dsa.pub | ssh user@some.domain "cat >> ~/.ssh/authorized_keys"

Remove the public key from the client:

rm -f ~/.ssh/id_dsa.pub

Make sure that you chmod both key files so that only their owner can read them. Issue the following command on both the server and the client machine:

chmod 0600 ~/.ssh/*
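The RECOMMENDED append step and the chmod above, combined into one POSIX shell function that refuses to clobber an existing authorized_keys file, skips a key that is already installed, and applies the permissions. This is an added example, not a command from the original page; the function name, the constructed sample key in the comments, and the practice of running it against a local path (so it can be copied to the remote host and run there) are all assumptions of this example.

```shell
#!/bin/sh
# install_authorized_key <pubkey-file> <authorized_keys-path>
# Appends one OpenSSH public key line to authorized_keys (never overwrites it),
# skips the append if that key blob is already present, then locks down
# ~/.ssh (0700) and authorized_keys (0600) as the guide requires.
install_authorized_key() {
    pubkey_file=$1
    auth_file=$2
    ssh_dir=$(dirname "$auth_file")

    # A public key file must hold exactly one line ("type blob [comment]").
    lines=$(wc -l < "$pubkey_file" | tr -d ' ')
    [ "$lines" -le 1 ] || { echo "expected a single key line" >&2; return 2; }
    key_line=$(cat "$pubkey_file")
    case $key_line in
        ssh-dss\ *|ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 2 ;;
    esac

    # Duplicate detection keys on the base64 blob (field 2), so a line that
    # differs only in its comment, or carries options in front, still matches.
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
    mkdir -p "$ssh_dir"
    touch "$auth_file"
    if grep -qF -- "$key_blob" "$auth_file"; then
        echo "key already present, nothing appended"
    else
        printf '%s\n' "$key_line" >> "$auth_file"   # append, never overwrite
        echo "key appended"
    fi

    # sshd ignores authorized_keys when it or ~/.ssh is group/world writable.
    chmod 0700 "$ssh_dir"
    chmod 0600 "$auth_file"
}

# count_key <key-blob> <authorized_keys-path>: how many lines carry the blob.
count_key() {
    grep -cF -- "$1" "$2"
}

# Example (constructed, not a real key): 
#   printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAPconstructed== user@client\n' > id_dsa.pub
#   install_authorized_key id_dsa.pub ~/.ssh/authorized_keys
```

Run it twice with the same key and the second call reports the key as already present, leaving a single copy in the file; the ls -l output afterwards should show -rw------- for authorized_keys and drwx------ for ~/.ssh.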

Windows / PuTTY

Append the contents of the public key file, generated by puttygen.exe (can be copied and pasted), to ~/.ssh/authorized_keys on the remote system.
On the remote system, lock down the key:

chmod 0600 ~/.ssh/*

On the client system, set the permissions so that only you have access to the private key file.

PuTTY Client

PuTTY uses its own private key file format. On Linux, you can install the puttygen tool.

sudo apt-get install putty-tools

Then, run the command, where id_dsa is the name of the previously generated private key file:

puttygen id_dsa -O private -o putty.ppk

Copy putty.ppk to the client system, and load it in the SSH > Auth section of the PuTTY configuration.
