Created
July 15, 2023 22:35
-
-
Save BlackPropaganda/3c50e1993014bd59905df77c2fd46869 to your computer and use it in GitHub Desktop.
SSH Pubkey authentication
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ___ | |
| ## SSH Server Configuration | |
| ___ | |
| On most linux systems, the command is either 'useradd' or 'adduser', but this is distro specific. | |
| After you create the user and are prompted with the new user password, bear in mind to save it because | |
| you will need it during the pubkey installation process. | |
| useradd <new_user> | |
| Password-less authentication to a specific user account can be obtained by first enabling this in | |
| the openssh configuration file. This file is most commonly found in /etc/ssh/sshd_config and changing the line | |
| 'PubkeyAuthentication no' to 'PubkeyAuthentication yes'. Or, if your version does not have this, | |
| you can append this line near the top of the configuration file under the authentication category, like so: | |
| # Authentication: | |
| #LoginGraceTime 2m | |
| #PermitRootLogin prohibit-password | |
| #StrictModes yes | |
| #MaxAuthTries 6 | |
| #MaxSessions 10 | |
| PubkeyAuthentication yes | |
| # Expect .ssh/authorized_keys2 to be disregarded by default in future. | |
| AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 | |
| Also ensure that your AuthorizedKeysFile is present in your new users home directory. | |
| Secondly, on an SSH client, you will need to generate the key. For the sake of demonstration, | |
| we will use RSA 2048-bit keys, but you can use any of the following, such as dsa, ecdsa, ed25519 and rsa. | |
| here's the command to generate a key and place it in the current working directory. When you create it, | |
| it's best if you don't leave a password since this file will need to be readable without your input. | |
| so when prompted for a password just press 'enter' in the terminal. Note that this will create two files. | |
| First, the private key, then the pubkey. | |
| ssh-keygen -t rsa -b 4096 -f id_rsa | |
| After we generate the SSH key, we need to install it on our remote SSH server. We can do this by entering the following | |
| into a terminal in the same directory. This will prompt the user for the password. | |
| ssh-copy-id -i id_rsa <new_user>@<ssh_server_ip> | |
| To test the connection, you can enter this into the terminal: | |
| ssh -i id_rsa <new_user>@<ssh_server_ip> | |
| Then, you need to connect to the ssh server at least once so the client adds this server to the list | |
| of known_hosts. More on this on the ssh man page. While on the client, execute this: | |
| ssh -i /root/.ssh/id_rsa <new_user>@<ssh_server_ip> | |
| you will be prompted whether or not to add the host signature to known hosts, enter 'y'. Then, | |
| whenever your script/payload/whatchamacallit needs passwordless authentication, it can do it. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment