SSH KEY-BASED AUTHENTICATION
You can configure an SSH server to allow you to authenticate without a password by using key based authentication. This is based on a private-public key scheme.
To do this, you generate a matched pair of cryptographic key files. One is a private key, the other a matching public key. The private key file is used as the authentication credential and, like a password, must be kept secret and secure. The public key is copied to systems the user wants to connect to, and is used to verify the private key.
The public key does not need to be secret. You put a copy of the public key in your account on the server. When you try to log in, the SSH server can use the public key to issue a challenge that can only be correctly answered by using the private key. As a result, your ssh client can automatically authenticate your login to the server with your unique copy of the private key. This allows you to securely access systems in a way that doesn’t require you to enter a password interactively every time.
Generating SSH Keys
To create a private key and matching public key for authentication, use the ssh-keygen command. By default, your private and public keys are saved in your ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub files, respectively.
If you do not specify a passphrase when ssh-keygen prompts you, the generated private key is not protected. In this case, anyone with your private key file could use it for authentication. If you set a passphrase, then you will need to enter that passphrase when you use the private key for authentication. (Therefore, you would be using the private key’s passphrase rather than your password on the remote host to authenticate.)
You can run a helper program called ssh-agent which can temporarily cache your private key passphrase in memory at the start of your session to get true password less authentication. This will be discussed later in this section. The following example of the ssh-keygen command shows the creation of the passphrase protected private key alongside the public key.
Sharing the Public Key
Before key-based authentication can be used, the public key needs to be copied to the destination system. The ssh-copy-id command copies the public key of the SSH keypair to the destination system. If you omit the path to the public key file while running ssh-copy-id, it uses the default /home/user/.ssh/id_rsa.pub file.
Using ssh-agent for Non-interactive Authentication
If your SSH private key is protected with a passphrase, you normally have to enter the passphrase to use the private key for authentication. However, you can use a program called ssh-agent to temporarily cache the passphrase in memory. Then any time that you use SSH to log in to another system with the private key, ssh-agent will automatically provide the passphrase for you.
This is convenient, and can improve security by providing fewer opportunities for someone “shoulder surfing” to see you type the passphrase in. Depending on your local system’s configuration, if you initially log in to the GNOME graphical desktop environment, the ssh-agent program might automatically be started and configured for you.
If you log in on a text console, log in using ssh, or use sudo or su, you will probably need to start ssh-agent manually for that session. You can do this with the following command:
GUIDED EXERCISE : CONFIGURING SSH KEY-BASED AUTHENTICATION
- Use the ssh-keygen command to generate SSH keys. Do not enter a passphrase.
2. Use the ssh-copy-id
command to send the public key of the SSH key pair to adinusa on lab5.btech.id port 2279. Use AdinusaKeren as the password of user adinusa on lab5.btech.id.
3. Execute the cat .ssh/authorized_keys
command on lab5.btech.id remotely using SSH without accessing the remote interactive shell.
4. Execute the hostname
command on lab5.btech.id remotely using SSH without accessing the remote interactive shell.
thank you for reading.