HOW TO . . .

CONFIGURE OPEN-SSH KEY-BASED AUTHENTICATION


In most cases, I use the normal password-based authentication with Open-SSH. Password-based authentication is commonly used in environments where the user or administrator is continuously changing systems. In this situation, password-based authentication is best. Considering this form of authentication is less secure, I reviewed a few of my servers, and decided one of them did not need this form of authentication. So I decided key-based authentication is the way to go. I set out to research OpenSSH Key-Based Authentication and its configuration. Yes, I like to do my research before I dive into things. So I fired up my Ubuntu virtual machine and began to Google. After reviewing multiple tutorials and system documentation, I noticed the many inconsistencies across the internet. I found Ubuntu.com to be most helpful, however their documentation still did not suffice. So here is my tutorial on configuring OpenSSH Key-Based Authentication.

A LITTLE BACKGROUND

Before we begin, let's look at what exactly is key-based authentication? Key-based authentication is similar to password-based authentication, we provide a username and password. However, with key-based authentication we use keys as our "password". Using this methodology, we will no longer be required to input a password during login. The SSH client will authenticate using the username and the users private key. The user will then automatically login to their account. To accomplish this, we must have a public and private key-pair. With this key-pair, we will store the public key on the server and the private on the system we wish to login with. It is very important to always protect the private key, similar to how you would protect your password. Open-SSH supports RSA (Rivest-Shamir-Adleman) or DSA ("Digital Signature Algorithm") keys. RSA is currently considered the most secure and recommended cryptographic algorithm, so we will be using RSA keys to secure our SSH connections.
*PLEASE BE ADVISED: Key-Based Authentication is considered to be more secure than password-based authentication. However, this form of authentication is only secure if your network, server, and private keys are securely configured and safe from external entities. Please remember, to always test your configurations for vulnerabilities and misconfigurations. I am not responsible for any damage done to your system. Please continue at your OWN risk. *This tutorial also assumes you're running Ubuntu 14.04

LETS BEGIN . . .

BASIC OPEN-SSH INSTALLATION & CONFIGURATION

Now that we have all the warning nonsense out of the way, let's install and configure Open-SSH. Ubuntu Server provides the ability to install Open-SSH during the installation of the operating system (OS). However, in case we missed this, let's update our repository list:

  • sudo apt-get update

Now let's install Open-SSH server:

  • sudo apt-get install openssh-server

Once the install completes, we should now be able to SSH into our server. (Assuming you have the default firewall rules or allowed TCP port 22 (SSH) inbound and outbound). If you have connection issues you may consider issuing the following iptables commands:

  • sudo iptables -P INPUT ACCEPT
  • sudo iptables -P OUTPUT ACCEPT

*PLEASE BE ADVISED: This configuration is NOT secure and will allow all traffic inbound and outbound. Never in my life would I use these in a real environment, but for testing purposes, and so we can get this working, I suggest you use the above commands. If you are in a production environment, TEST THIS IN A VM FIRST! Or use the commands presented below at your OWN risk:

  • sudo iptables -P INPUT DROP
  • sudo iptables -P OUTPUT DROP
  • sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
  • sudo iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

Now we should be able to SSH to our server using our favorite SSH client. My personal favorite is Putty and this tutorial will assume you are using putty or the default open-ssh client on a Linux desktop.

SSH FROM LINUX:

If you are using a Linux desktop you may issue the following command in terminal:

  • ssh <your username>@<your server IP or hostname>

SSH FROM WINDOWS (Putty):

If you are using a windows systems, let's use Putty to connect to the server. You may download putty from here:

Be sure to download the installer binary from the link under A Windows installer for everything except PuTTYtel. This will allow you to install putty on your system.

Once downloaded, install Putty by following the installation prompts, and then launch Putty.exe'.

  • After you've launched Putty, you will see the (Hostname or (IP Address)) section. Please type <your username>@<your server ip address or hostname>. Preferably, the IP address, in case there are any DNS resolution issues in your network.
  • Then click SSH for the connection type (This is normally already selected).
  • Next type a profile name in saves sessions.
  • After saving the connection you can now click Open.
  • On first connect, you will receive a prompt to accept the certificate, click yes.
  • Following this you should be prompted to enter the password to your account.
  • Once you have entered the password to your account, you will have successfully logged in.

Once successfully logged in, you may continue to generate RSA keys!! If you were unable to log in, please double check the iptables using the following commands:

  • sudo iptables -l INPUT
  • sudo iptables -l OUTPUT

Once you've verified these are correct, you may also considered restarting the SSH service:

  • sudo service ssh restart

GENERATING RSA KEYS

By default Open-SSH uses a 2048 bit RSA keys. For the sake of our server, we will increase this to 4096 bits using ssh-keygen and the -b flag.

  • ssh-keygen -t rsa -b 4096

During the key generation, open-ssh will ask where the keys should be saved. For now we will use the default directory, which is the currently logged in users home directory (/home/<logged in user>/.ssh/) Following this, you will be asked to input a password. Please be sure to enter a password so the private key is safe. Please use the industry standard password guidelines to create a secure password. This tutorial assumes you are already aware of these guidelines.

Once both keys are generated we will transfer them to our system.

TRANSFER THE KEY-PAIR

Using command prompt (CMD) we can use putty's scp service to transfer both the public and private key-pair from the server to the system we wish to use to connect to the server.

  • First create a directory on your desktop called RSAKeys
  • Then press the Windows Key + R and a run dialogue will appear.
  • Then type cmd and click ok (Enter) and a command prompt window will appear.
  • You will then need to change directory to the puttys program folder using the following command (This command assumes C: is your root directory and you are running Windows 7):
    • cd C:\Program Files (x86)\PuTTY
  • After changing directories use the following command to copy the public and private key-pair to the RSA directory.
    • pscp.exe <your username>@<your servers ip>:/home/<your username>/.ssh/id_rsa.pub c:\Users\<your username>\Desktop\RSA
    • pscp.exe <your username>@<your servers ip>:/home/<your username>/.ssh/id_rsa c:\Users\<your username>\Desktop\RSA
  • A password prompt will display after entering each command. Type your password both times and both the public and private key-pair will be transferred to the RSA directory.
  • After the transfer, navigate to the RSA directory and verify both keys are present.

CONFIGURING OPEN-SSH DIRECTORIES

In many circumstances, user's home directories are encrypted and Open-SSH cannot access the /home/<username>/.ssh/ directory. For simplicity reasons we will assume the users home directory is encrypted.

To accommodate this issue, we will change directory (cd) using the following command:

  • cd /etc/ssh/

We then need to create a directory using the current username.

  • mkdir $USER

You should now be able to use see a directory reflecting the currently logged in user.

  • ls -l

We can now change directory back to our users home directory:

  • cd ~/.ssh/

We now need to copy the content of our public key to an authorized_keys files within the $USER directory previously created. The authorized_keys file is used by Open-SSH to store the public keys for each user. This is to not be confused with a directory or folder, this is a file. We will use catenate (cat) to copy the contents of the public key to authorized_keys:

  • cat id_rsa.pub >> /etc/ssh/$USER/authorized_keys

We can also use cat to verify the contents were transferred:

  • cat /etc/ssh/$USER/authorized_keys

You should see an output similar to the following:

  • ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCcwRk7mPOV98nz11v3BhBAHCRHlJNXf15vcT1n8tUB

If you see a similar output to the one illustrated above, you have successfully copied the contents of the public key.

DIRECTORY PERMISSIONS

When using Open-SSH the file and directory permissions are extremely important. This is to protect your servers' public keys from external modification, while also allowing Open-SSH to access the public keys.

Now that we have created the directory structure and copied the necessary files, we can now change the permissions of the /etc/ssh/$USER/ directory and the authorized_keys file. We will make the following permission changes:

  • sudo chmod 700 /etc/ssh/$USER
  • sudo chmod 644 /etc/ssh/$USER/authorized_keys

Once the file and directory permission are correct we can verify them using list directory contents (ls) with the -l flag:

  • ls -l /etc/ssh/$USER
  • ls -l /etc/ssh/$USER/authorized_keys

Once you've verified the field and directory permissions we can begin to configure Open-SSH.

CONFIGURING OPEN-SSH

We are close to the finish line and completing our Open-SSH server configuration! With a few changes to the sshd_config file, we can began to configure our SSH client for key-based authentication.

We will first make a backup of the default Open-SSH configuration:

First change directories to /etc/ssh/.

  • cd /etc/ssh

Now we can backup the Open-SSH configuration:

  • sudo sshd_config sshd_config_default

We now can begin to edit the Open-SSH configuration. Using Nano, we can edit the Open-SSH configuration.

  • sudo nano sshd_config

Please make the following changes to the sshd_config file:

  • PubkeyAuthentication yes
  • RSAAuthentication yes
  • PasswordAuthentication no
  • AuthorizedKeysFile /etc/ssh/%u/authorized_keys

*** If you would like to further secure your SSH configuration I would recommend using the following Message Authentication Code (MAC) algorithms, encryption algorithms (ciphers), host key algorithms, and key exchange algorithms.

  • KexAlgorithms curve25519-sha256@libssh.org
  • Ciphers aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
  • Macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
  • MaxSessions 100
  • MaxStartups 100

If any of the above changes have a leading #, remove this also. After making the necessary changes, we can now save the file using ctl + x then using y for yes to save the file and enter to commit to the changes.

Now that all changes have been made, we can restart the Open-ssh server:

  • sudo service ssh restart

We have officially setup our Open-SSH server for key-based authentication!

CONFIGURE THE CLIENT

Now that we have completed our server setup, we now have to configure our client. For the client configuration, I will demonstrate the configuration for both Linux (Ubuntu), and Windows (Putty).


OPEN-SSH CLIENT

First copy the private key in the RSA directory to a flash drive. Before connecting the flash drive, let's install Open-SSH client:

  • sudo apt-get update
  • sudo apt-get install openssh-client

Once the Open-SSH client has successfully installed, let's create the necessary directory to store our private key:

  • mkdir ~/.ssh

Once you have created this folder copy your private key form your flash drive into this folder. If you are using Ubuntu server, you will need to determine, which disk your flash drive is using:

  • sudo fdisk -l

After you have found your flash drive, you can then create a directory to mount it to using:

  • sudo mkdir /media/flash
  • sudo mount /dev/<your flash drive> /media/flash

Once the drive is mounted you can now use copy (cp) to copy the private key into the directory:

  • sudo cp /media/flash/id_rsa ~/.ssh/

Now that we have copied the private key we can now change the permissions so it can be used in Open-SSH:

  • sudo chmod 700 ~/.ssh
  • sudo chmod 600 ~/.ssh/id_rsa

Now that we have applied the necessary permissions, we can now connect to our SSH server! Issuing the following command, you should be able to successfully SSH to your server:

  • ssh <user on your server>@<your servers ip or hostname>

Before you conntect you may recieve a prompt for a password. This prompt is asking for the password you used when creating your SSH keys. Type this password in and you will connect.

Once you've connected you will receive a prompt asking to accept the public key, please type yes if you would like to accept it and connect. You should now be connected to your server!

You can verify you are connected by looking at the terminal prompt, you will see <your servers username>@<your server hostname> or you can type whoami in the terminal and you will see your servers username display.


PUTTY CLIENT

For windows users we need to use Putty. If you've followed this tutorial, you should already have putty installed and your servers initial SSH connection saved. Before we load the profile, we need to convert the private key to putty's private key format. To do this open PuTTYgen.

Inside PuTTYgen you will see Conversions at the top. Click Conversions and Import key

After clicking Import key, navigate to the RSA directory and select the private key id_rsa and click open.

PuTTYgen will then load the key. You may then click the Save private key button and save the private key in the RSA directory. I recommend you save it with <your server username>PrivateKey.ppk

Once the key has been saved, open Putty.

In putty you should see the previously save session profile. Click to highlight this profile and then click load.

After the profile has loaded, you should now see your server info in the Host Name section. Now in the left hand pane, click the + next to SSH and then click Auth.

On the right hand pane you should now see Private key file for authentication:, click the browse button below this and browse to your private key, select it, and click open.

After selecting your private key, back in the left hand pane scroll up and select session. This will take you back to the screen you previously started at.

Click your saved session profile again and click save.

Now that you have fully setup your Putty profile with your private key, you can now click open and launch the Putty terminal.

When the terminal launches, you will be prompted to input the password for your private key.

After you enter your password Putty can access the private key and authenticate against your SSH server. Once the authentication process completes, you will automatically login to your user account on the server.

Auditing Your Server

Of course we want to ensure that our SSH server is secure, and we are transmitting data in a secure fashion.

Now we could open Wireshark and begin analyzing packets and what not. I definitely recommend we do this to ensure everything is sound. Plus it keeps us sane. But what if we just want to view that our MAC, Encryption, Host-key, and Key Exchange algorithms are set appropriately?

I ran across a nice little tool that will verify our MAC, Encryption, Host-key, and Key Exchange algorithms are up to par. The nice thing about this tool is it will also tell you which algorithms you need to remove!!! #winning

Andris Raugulis (arthepsy) created an awesome tool called ssh-audit. We will use this tool to audit our configuration and ensure we are only using secure algorithms to transmit data between our client and server.

Begin by downloading ssh-audit from GitHub

  • https://github.com/arthepsy/ssh-audit
  • OR
  • git clone https://github.com/arthepsy/ssh-audit.git

Once downloaded, change directory to the folder ssh-audit folder and run the python script as follows:

  • ./ssh-audit.py localhost

If you followed the guide above you should get a nice pretty green output similar to what's seen below:

Otherwise you may get something that resembles a Christmas tree with bad presents. Kind of like the image below: