Usability - Productivity - Business - The web - Singapore & Twins

Less passwords, more security. ssh connections with certificates

Successful server administration depends on automation. Only when you can declare Runs-in-AutoPilot-mode™ will your servers run cost-efficiently. While DDM, Activity Trends or Domino Policies can do that for you on the Domino level (you might want to have a look at more tools and utilities), there are times when you need to automate OS-level tasks like moving installer files or starting and stopping remote services (if you don't promise to never ever use this to FTP an NSF, stop reading now and go away).

Once you start scripting them, you will run into the issue of remote authentication. For SSH connections there is a very elegant way to get a secure connection using a public/private key pair. Let's presume our remote host is everest at everest.company.com and your user ID there is joeadmin. These are the steps:
  1. Create a directory to keep your keys:
    mkdir ~/.sshkeys
    chmod 700 ~/.sshkeys
    cd ~/.sshkeys

    (the chmod isn't strictly necessary, but we want to make sure that access to the key files is minimal)
  2. Generate a key pair:
    ssh-keygen -t dsa -b 1024 -f ~/.sshkeys/everest-access-key
    For automation without a password you need to press Enter twice at the passphrase prompts. Be aware that the security of this access is only as strong or as weak as the access protection of your workstation, so you should use strong disk encryption. Current OpenSSH releases no longer accept DSA keys by default, so there pick a key type they still support, such as Ed25519 or RSA.
  3. Protect the generated file:
    chmod 600 everest-access-key
  4. Copy the public file to the remote server:
    scp everest-access-key.pub joeadmin@everest.company.com:/home/joeadmin
  5. Log in to the server (this will be the last time you need the password):
    ssh joeadmin@everest.company.com
  6. Create the directory for your keys:
    mkdir ~/.ssh
    chmod 700 ~/.ssh
    cd ~/.ssh
  7. Create your key file to recognize you:
    touch authorized_keys
    cat ~/everest-access-key.pub >> authorized_keys
    rm ~/everest-access-key.pub
    chmod 600 authorized_keys
  8. Now log out and you are ready to use key-driven access.
  9. To log in use (which of course you do in a script):
    ssh -i ~/.sshkeys/everest-access-key joeadmin@everest.company.com
Once all admins who need access to that server have their keys in place, it is time to lock ssh down. Edit the file /etc/ssh/sshd_config and make sure the following values are set:
  1. ListenAddress {your IP/IPv6} to limit SSH to one IP address (remember your servers most likely will have more than one IP)
  2. LoginGraceTime 10 since all logins will directly use a key pair, so a 2 min grace period is way too long
  3. PubkeyAuthentication yes so your keys will work
  4. PasswordAuthentication no so nobody can try to hack in using a password attack
  5. Installing the denyhosts package (sudo apt-get install denyhosts) reduces the attack surface further. Go read the full explanations.
Also works great for zLinux or AIX. As usual, YMMV.
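
A way to check the resulting file, as an added example that is not part of the original post: the script reads an sshd_config and reports where it deviates from the values listed above. It goes beyond that list by also flagging keyboard-interactive authentication combined with PAM, which still prompts for a password when PasswordAuthentication is no; the function names, the sample config and the upstream OpenSSH defaults used for unset keywords are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit sshd_config for the lock-down values listed above.
# Assumptions: only the global section is read (parsing stops at the first
# Match block) and Include files are not followed.

# effective_value FILE 'key1|key2' DEFAULT
# sshd keeps the FIRST value it reads for a keyword, so print the first
# global occurrence (lower-cased), or DEFAULT when the keyword is unset.
effective_value() {
    awk -F'[ \t=]+' -v keys="$2" -v dflt="$3" '
        { sub(/^[ \t]+/, "") }                  # drop indentation
        /^#/ || $1 == "" { next }               # comments and blank lines
        tolower($1) == "match" { exit }         # end of the global section
        tolower($1) ~ ("^(" keys ")$") { found = 1; print tolower($2); exit }
        END { if (!found) print dflt }
    ' "$1"
}

report() { echo "FINDING: $*"; findings=$((findings + 1)); }

# audit_sshd_config FILE: print one line per finding; succeed only if none.
audit_sshd_config() {
    f=$1; findings=0
    [ -n "$(effective_value "$f" listenaddress '')" ] ||
        report "ListenAddress unset: sshd listens on every address"
    [ "$(effective_value "$f" logingracetime 120)" = 10 ] ||
        report "LoginGraceTime is not 10"
    [ "$(effective_value "$f" pubkeyauthentication yes)" = yes ] ||
        report "PubkeyAuthentication is not yes"
    [ "$(effective_value "$f" passwordauthentication yes)" = no ] ||
        report "PasswordAuthentication is not no (first value wins)"
    # With PAM, keyboard-interactive still asks for the account password
    # even when PasswordAuthentication is no.
    kbd=$(effective_value "$f" \
        'kbdinteractiveauthentication|challengeresponseauthentication' yes)
    if [ "$(effective_value "$f" usepam no)" = yes ] && [ "$kbd" != no ]; then
        report "keyboard-interactive is enabled together with UsePAM"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: the intended "no" comes after an earlier "yes".
demo=$(mktemp)
printf '%s\n' 'ListenAddress 192.0.2.10' 'LoginGraceTime 10' \
    'PasswordAuthentication yes' 'PubkeyAuthentication yes' \
    'UsePAM yes' 'PasswordAuthentication no' > "$demo"
audit_sshd_config "$demo" || echo "$findings finding(s) in sample config"
rm -f "$demo"
```

On a live server, sshd -T (run as root) prints the configuration the daemon actually uses, including the Match and Include handling this script skips. sshd only picks up edits to the file after it has been reloaded.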

Posted by on 13 September 2011 | Comments (2) | categories: Linux


  1. posted by Vince Schuurman on Wednesday 14 September 2011 AD:
    Yeah, just implemented that, although for some reason I can still login using name/password auth. even with PasswordAuthentication no :(
  2. posted by Stephan H. Wissel on Wednesday 14 September 2011 AD:
    Yell at some Linux forum and you will be enlightened.