How to Set Up and Use SSH
Step 3 — User Work with SSH Keys

Protect the Accounts

If you haven't done it yet, now would be a good time to disable all unneeded accounts and make sure that all accounts still in use have strong passwords. Attackers are constantly trying to guess passwords. See the earlier section for details.

Create the Keys

The user needs to generate SSH public/private key pairs. Use the following command sequence. Provide a strong passphrase, since security rests on this being extremely difficult to guess. Unless you really want to greatly inconvenience and confuse yourself, use the same passphrase for both RSA and DSA key pairs! Accept the default locations for key storage:

$ ssh-keygen -t rsa
$ ssh-keygen -t dsa
$ cat ~/.ssh/*.pub > ~/.ssh/authorized_keys 

In some situations (for example, Red Hat Enterprise Linux 5), the umask of the unprivileged user's environment may be set to 002, so the permission of the resulting authorized_keys file is 664, world-writeable. And the SSH daemon may refuse to pay attention to those keys (again, as seen on RHEL5). So you may need to do this:

$ chmod 644 ~/.ssh/authorized_keys 
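The umask problem above, as an added example that is not part of the original page: a POSIX sh script that checks the modes sshd (with its default StrictModes) and ssh enforce on the .ssh directory, authorized_keys and the private keys, and tightens them. The function names and the DIR argument are my own.

```shell
#!/bin/sh
# Added example, not from the original page: detect and repair the
# permission problem described above. With StrictModes (sshd's default),
# an authorized_keys file or .ssh directory that group or others can
# write is silently ignored, which is exactly what a umask of 002 yields.
# Assumed interface: fix_ssh_perms DIR, where DIR is the .ssh directory.

# Ten-character mode string from POSIX ls, e.g. "-rw-rw-r--".
mode_of() { ls -ld "$1" | cut -c1-10; }

# True (0) when group (column 6) or others (column 9) may write.
is_writable_by_others() {
    case "$(mode_of "$1")" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# True (0) when group (column 5) or others (column 8) may read;
# ssh refuses to load a private key in that state.
is_readable_by_others() {
    case "$(mode_of "$1")" in
        ????r*|???????r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Tightens DIR to 700, authorized_keys to 644 (as above) and private
# keys to 600. Reports each change on stderr, prints the count on stdout.
fix_ssh_perms() {
    dir=$1; fixed=0
    if is_writable_by_others "$dir"; then
        chmod 700 "$dir" && echo "fixed: $dir -> 700" >&2
        fixed=$((fixed + 1))
    fi
    if [ -f "$dir/authorized_keys" ] && is_writable_by_others "$dir/authorized_keys"; then
        chmod 644 "$dir/authorized_keys" && echo "fixed: authorized_keys -> 644" >&2
        fixed=$((fixed + 1))
    fi
    for key in "$dir/id_rsa" "$dir/id_dsa"; do
        if [ -f "$key" ] && is_readable_by_others "$key"; then
            chmod 600 "$key" && echo "fixed: $key -> 600" >&2
            fixed=$((fixed + 1))
        fi
    done
    echo "$fixed"
}

# Usage: sh fix_ssh_perms.sh ~/.ssh
if [ $# -gt 0 ]; then fix_ssh_perms "$1"; fi
```

Run it once after the cat command above; a second run reports 0 changes, which is the state sshd will accept.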

Distribute the Keys

Once those keys are generated, the entire directory ~/.ssh must be copied into place on all systems. If you are using NFS and automounting, this is already done! If you are not, then the administrator might need to get involved briefly.

At every login, the user simply runs this command:

$ ssh-add 

Type your SSH key passphrase (what you typed back when you generated the keys). Now everything is automatic! Commands like ssh, scp, and even sftp work automatically without any password-typing by you!

© Bob Cromwell Feb 2012.