SSH setup – Key based authentication

Bastion host - Source
Client host - Destination

Scenario 1: Same user present on Bastion and Client hosts

On Bastion host: I've created a "test" user and an SSH keypair for it. The user was added with

useradd -u 54321 -s /bin/bash -m -d /home/test -c "Test User" test

and the keypair was generated as that user with ssh-keygen (default output files: ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub).

SSH_KeyPair.JPG

Now let's check the folder and files that were created. Note the permission of the ".ssh" folder (700) and of the files inside it. "id_rsa.pub" is the public key, which can be shared freely; "id_rsa" (600) is the private key and must never leave the host. During login the client proves possession of the private key by signing a challenge, and the server verifies that signature with the public key, so anyone who obtains id_rsa can log in wherever id_rsa.pub has been installed.

SSH_KeyPair2

For key-based authentication to work we need to share the public key "id_rsa.pub" (and only that file) with the Client host.

SSH_PublicKey.JPG

On Client host: create the test user, create the ".ssh" directory in its home and set the folder permission to 700, create the file "authorized_keys" inside it, copy the contents of "id_rsa.pub" into authorized_keys (one key per line), and set the file permission to 600.

SSH_Client.JPG

Giving the right permissions is always important. The OpenSSH FAQ covers exactly this failure:

3.14 – I copied my public key to authorized_keys but public-key authentication still doesn’t work.

Typically this is caused by the file permissions on $HOME, $HOME/.ssh or $HOME/.ssh/authorized_keys being more permissive than sshd allows by default.

In this case, it can be solved by executing the following on the server.

chmod go-w $HOME $HOME/.ssh
chmod 600 $HOME/.ssh/authorized_keys
chown `whoami` $HOME/.ssh/authorized_keys
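The Client-host steps above (create .ssh with 700, authorized_keys with 600, paste the public key) and the FAQ's permission check, as one added shell example. This is not the post's own command set: the function names, the HOME_DIR/PUBKEY_FILE arguments and the sample key in the usage are assumptions for illustration, and the checks rely only on POSIX sh, find and grep.

```shell
#!/bin/sh
# Added example, not code from the original post. Installs a public key into a
# user's authorized_keys with the permissions sshd expects under StrictModes,
# and audits a home directory for the problems described in OpenSSH FAQ 3.14.
# Assumptions: HOME_DIR is the target account's home (e.g. /home/test2 from
# Scenario 2) and PUBKEY_FILE is the id_rsa.pub copied over from the bastion.
# Run it as the target user, or chown afterwards as the FAQ shows, because
# sshd also requires the files to be owned by the logging-in user.

# install_authorized_key HOME_DIR PUBKEY_FILE
install_authorized_key() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # Guard against the classic mistake of copying id_rsa instead of id_rsa.pub.
    if grep -q -e '-----BEGIN' "$pubkey_file"; then
        echo "refusing to install $pubkey_file: it looks like a private key" >&2
        return 1
    fi

    (
        umask 077                  # anything we create is private from the start
        mkdir -p "$ssh_dir"
        chmod 700 "$ssh_dir"
        touch "$auth_keys"
        chmod 600 "$auth_keys"
        # Append only key lines that are not already present (exact match), so
        # re-running the function never duplicates entries.
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in ''|'#'*) continue ;; esac
            grep -qxF -e "$line" "$auth_keys" || printf '%s\n' "$line" >> "$auth_keys"
        done < "$pubkey_file"
    )
}

# writable_by_group_or_other PATH: true if PATH has the g+w or o+w bit, which
# is what sshd's StrictModes rejects on the home, .ssh and authorized_keys paths.
writable_by_group_or_other() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# check_ssh_perms HOME_DIR: prints one line per problem, returns 1 if any.
check_ssh_perms() {
    home_dir=$1
    auth_keys="$home_dir/.ssh/authorized_keys"
    rc=0
    for p in "$home_dir" "$home_dir/.ssh" "$auth_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        if writable_by_group_or_other "$p"; then
            echo "group/other writable (sshd will refuse the key): $p"; rc=1
        fi
    done
    # A group/other-readable authorized_keys is not rejected by sshd, but it
    # reveals which keys (and key comments) can log in; the post's 600 avoids that.
    if [ -e "$auth_keys" ] && [ -n "$(find "$auth_keys" -prune \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]; then
        echo "readable by group/other, tighten to 600: $auth_keys"; rc=1
    fi
    return $rc
}
```

Usage on the client, as the target user: `install_authorized_key "$HOME" /tmp/id_rsa.pub && check_ssh_perms "$HOME"`. The audit only looks at mode bits; ownership of the three paths must also match the account, which is why the FAQ ends with chown.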

Let's try connecting from the Bastion host to the Client now.

SSH_Client2.JPG

Scenario 2: Different users on Bastion and Client hosts

Let's create one more user, "test2", on the Client host and place the same public key in its authorized_keys.

SSH_Client3.JPG

Try connecting from the "test" user on Bastion to "test2" on Client (ssh test2@client).

SSH_Client4.JPG

Scenario 3: From a regular user on Bastion to the root user on Client (not advisable, but let's give it a go).

I’ve added the public key to “authorized_keys” under root user on Client host.

SSH_Client_Root

But when I try to connect as root: "permission denied".

SSH_Client_Root2

On the Client host "PermitRootLogin" is set to "no" in sshd_config, which rejects root logins even after the public key has been added to root's authorized_keys file.

SSH_Client_Root3

Updated sshd_config to permit root login and restarted the sshd process. (The narrower setting "PermitRootLogin prohibit-password", called "without-password" on OpenSSH before 7.0, lets root in with a key while still refusing password logins; "yes" also exposes root to password guessing.)

SSH_Client_Root4.JPG

Connecting as root from Bastion to Client worked this time.

SSH_Client_Root5.JPG
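The sshd_config change in Scenario 3, as an added example that is not the post's own configuration. It contrasts the "no" the post found, the "yes" the post set, and the narrower "prohibit-password", and resolves the value the way sshd does: the first line for a keyword wins, keywords are case-insensitive, "#" starts a comment. The four config texts, the function names and the "unset" marker are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. sshd takes the FIRST value it
# reads for a keyword (later lines for the same keyword are ignored), keyword
# matching is case-insensitive, and "#" starts a comment. effective_setting
# resolves a keyword from an sshd_config text on stdin the same way, which
# also explains why a line appended at the bottom of the file can have no effect.
# Only the whitespace-separated "Keyword value" form of the stock file is handled.
effective_setting() {              # usage: effective_setting KEYWORD < sshd_config
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                       # strip comments
        tolower($1) == "match" { exit }          # Match blocks are conditional; stop at the end of the global section
        NF >= 2 && tolower($1) == key { found = 1; print $2; exit }
        END { if (!found) print "unset" }        # absent keyword: compiled-in default applies
    '
}

# setting_in CONFIG_TEXT KEYWORD: convenience wrapper for the constructed samples below.
setting_in() {
    printf '%s\n' "$1" | effective_setting "$2"
}

# Constructed sample 1: the state the post found on the client. Root is
# refused even with a valid key in /root/.ssh/authorized_keys.
cfg_denied='# sshd_config on the client, before the change
Port 22
PermitRootLogin no
PasswordAuthentication yes'

# Constructed sample 2: what the post did. Root may now log in with a key
# AND with a password, so root is exposed to password guessing.
cfg_opened='Port 22
PermitRootLogin yes
PasswordAuthentication yes'

# Constructed sample 3: the narrower fix. Root may log in only with a key;
# password attempts for root are refused ("without-password" on OpenSSH < 7.0).
cfg_keys_only='Port 22
PermitRootLogin prohibit-password   # keys only for root
PasswordAuthentication yes'

# Constructed sample 4: a common editing mistake. The new line was appended,
# but the earlier "no" is read first and still wins.
cfg_appended='PermitRootLogin no
# ... rest of the file ...
PermitRootLogin yes'

# Constructed sample 5: the keyword is only set inside a Match block, so the
# global section leaves it at the compiled-in default.
cfg_match_only='Port 22
Match Address 10.0.0.0/8
    PermitRootLogin yes'

for name in cfg_denied cfg_opened cfg_keys_only cfg_appended cfg_match_only; do
    eval "text=\$$name"
    printf '%-15s PermitRootLogin => %s\n' "$name" "$(setting_in "$text" PermitRootLogin)"
done
```

On the real client, `sshd -T | grep -i permitrootlogin` (as root) prints the value sshd actually resolved, including the compiled-in default when the keyword is absent, and `sshd -t` checks the edited file for syntax errors before the service is restarted.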

Special Note: Today I saw an issue on a RedHat server where the configuration was fine but key-based authentication still did not work. The cause turned out to be SELinux (Enforcing): the user's home directory and the files inside it carried the context 'home_root_t' (the label that belongs to /home itself), while the correct contexts are 'user_home_dir_t' for the home directory and 'ssh_home_t' for .ssh and authorized_keys, which sshd is allowed to read. Restoring the default contexts with restorecon solved the problem:

# ls -aZ .
drwxr-xr-x. root     root     system_u:object_r:home_root_t:s0 .
dr-xr-xr-x. root     root     system_u:object_r:root_t:s0      ..
drwx------. axess    axess    unconfined_u:object_r:home_root_t:s0 axess
# restorecon -Rv axess

restorecon reset /home/axess context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_dir_t:s0
restorecon reset /home/axess/.ssh context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /home/axess/.ssh/authorized_keys context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /home/axess/.bash_history context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/axess/.viminfo context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0