Generating a Key Pair Under Mac OS X/Linux Using the Command Line/Shell:- The directions for Mac OS X and most flavors of Linux are the same.
- Under Mac OS X, we first need to fire up the Terminal. If you've never done so before, you will find it here:
/Applications/Utilities/Terminal.app
(that is the top-level Applications folder on your boot volume, not the Applications folder inside your user folder).
- At this point, the directions are the same for Mac OS X and most versions of Linux.
- Type:
Code:
ssh-keygen -t rsa -b 4096
You will be prompted where to save the resulting key file. Accept the default location (~/.ssh/id_rsa, with the public half written next to it as ~/.ssh/id_rsa.pub). Enter a passphrase for the private key. DO NOT LEAVE THE PASSPHRASE BLANK!!!!!! The key pair will be created and saved into the location specified.
- Is an RSA or DSA key "better"? Use RSA (or, on a current OpenSSH, Ed25519 via ssh-keygen -t ed25519). DSA is the older and weaker of the two: SSH DSA keys are fixed at 1024 bits (ssh-keygen refuses to make a 4096-bit DSA key), and OpenSSH has disabled DSA (ssh-dss) keys by default since version 7.0, so a DSA key will simply be refused by a modern server.
- Now we need to copy the public key to the clipboard so we can paste it into the correct location on the server. Naturally, you blessed Mac/Linux folks could just scp the public key to your server (or run ssh-copy-id, which appends it to ~/.ssh/authorized_keys for you), but for the sake of syncing up with the directions for the Windows users, I won't discuss that here.
- Mac/Linux: Use your favorite shell text editor (pico, vi, emacs, etc.) to open the public key file and copy its contents to your clipboard, or simply print it with cat ~/.ssh/id_rsa.pub and copy the output. Copy the .pub file only; the private key (id_rsa, no extension) never leaves your machine. The file in question is probably stored in a location like:
/Users/username/.ssh/id_rsa.pub
(id_dsa.pub if you generated a DSA key).
- Mac: If you don't want to use the command line, you can use standard text editors, like BBEdit, TextEdit, Tex-Edit, etc. To do that, go to the Finder and select "Go to Folder..." from the Go menu (Command-Shift-G). Type the path to the folder in the box that opens:
/Users/username/.ssh/
Open the id_rsa.pub key file (id_dsa.pub for a DSA key) with a text editor of your choice and copy the contents to the clipboard. Don't change this file, and if you are asked whether you want to save the file, DON'T: an editor that wraps or re-encodes the line will leave you with a key the server cannot parse.
We now rejoin our poor, easily hacked Windows cousins...
Installing the Public Key on Your Server:- NOTE: If you used PGP or another tool that saved the public key as a multi-line block (a ---- BEGIN SSH2 PUBLIC KEY ---- ... ---- END SSH2 PUBLIC KEY ---- block, which is also what PuTTYgen's "Save public key" button writes), OpenSSH will not accept it as pasted: remove the BEGIN/END and Comment: lines, join the remaining lines into one, and put the key type at the front (ssh-rsa for an RSA key, ssh-dss for a DSA key; there is no "ssh-dsa") so it looks like the other keys on your server. If you have OpenSSH handy, ssh-keygen -i -f thekey.pub does that conversion for you.
- Back in the terminal session for your server...
- Type:
Code:
pico -w ~/.ssh/authorized_keys
- If you get an error telling you .ssh doesn't exist, create it. The directory must be mode 700 and the file mode 600: with its default StrictModes yes, sshd silently ignores an authorized_keys file that is group- or world-writable, or that sits in a directory that is.
Code:
cd ~
mkdir -m 700 .ssh
cd .ssh
pico -w authorized_keys
chmod 600 authorized_keys
- More than likely, ~/.ssh/authorized_keys will already exist and the file will be displayed in pico. If there are lines already in this file, DO NOT REMOVE THEM: just scroll to the end (CTRL-V a few times should do the trick) and press ENTER after the last key so you are on a blank line. Now paste in your public key. This key MUST be all on one single line: the key type (e.g. ssh-rsa), one long run of base64, then an optional comment. That is why pico is started with -w, which turns off line wrapping. Close and save this file as you would normally, then confirm the permissions are still 700 on ~/.ssh and 600 on authorized_keys.
- To be on the safe side, let's give ourselves some wiggle room in case there is a problem with the key. Edit the sshd_config file again. Change the "PermitRootLogin" line (that is the directive's real name; there is no "AllowRootLogin") to "yes" again and save the changes.
- Restart SSHD, but keep this terminal session open until you have confirmed that the key login works: if the restart fails or the key is rejected, the session you already have is your way back in. Where it is available, run sshd -t first; it checks sshd_config for errors without touching the running daemon.
Code:
service sshd restart
- Under Windows, open a second PuTTY session for the test rather than quitting the one you are in.
Testing Your New SSH Key and Finishing Up:- From a NEW terminal/PuTTY session (leave the old one open), try logging into your server as root. If you did everything correctly, you should now be prompted to enter your KEY passphrase (not the root password). Enter your key passphrase and you should now be in as root.
- If it asks for the root password instead of the key passphrase, you've done something wrong. Log in with the root password and review all the steps; on the server, /var/log/secure (or auth.log) says why the key was refused, and wrong permissions on ~/.ssh or authorized_keys are the usual cause.
- If it worked, we can now re-edit the sshd_config file to set "PermitRootLogin" to "without-password" (spelled "prohibit-password" on OpenSSH 7.0 and later, which still accepts the old value), save changes and restart SSHD. Note that this only stops password logins for root; other accounts still accept passwords unless you also set "PasswordAuthentication no".
- If you had created an SU user earlier, remove it:
where "username" is the username of the user in the wheel group.
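The install and lock-down steps above, gathered into checked shell functions, as an added example that is not part of the original post. It assumes OpenSSH on the server (authorized_keys under ~/.ssh, sshd_config at /etc/ssh/sshd_config, sshd -t and service sshd restart available) and a POSIX sh with awk, od and base64. The key line in the dry run is constructed (a truncated ssh-rsa blob, type and exponent only) and is not a usable key. It goes beyond the post in three ways: it reads the key type out of the base64 blob and refuses a line whose prefix does not match it, it sets the permissions StrictModes demands, and it validates sshd_config before restarting.

```shell
#!/bin/sh
# Added example, not code from the original post: the key-install and sshd
# lock-down steps as checked functions. Assumes OpenSSH (authorized_keys under
# ~/.ssh, /etc/ssh/sshd_config, sshd -t, service sshd restart) and a POSIX sh
# with awk, od and base64 (older macOS spells "base64 -d" as "base64 -D").
# Handles the one-line "type base64 [comment]" format only; lines that start
# with an options field such as from="..." are not parsed.

# Key type stored inside the blob: an OpenSSH public key blob starts with a
# 4-byte big-endian length and the type string (RFC 4253 "string" encoding).
pubkey_blob_type() {
  set -- $(printf '%s' "$1" | base64 -d 2>/dev/null | head -c 64 | od -An -v -tu1)
  [ $# -ge 4 ] || return 1
  len=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  shift 4
  [ "$len" -gt 0 ] && [ "$len" -le $# ] || return 1
  out= i=0
  for b in "$@"; do
    [ "$i" -lt "$len" ] || break
    out="$out$(printf "\\$(printf '%03o' "$b")")"
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# A line sshd will accept: exactly one line, a key type current sshd still
# enables (no ssh-dss), and a blob whose embedded type matches the prefix,
# which catches "ssh-dsa", a wrong prefix, or mangled base64.
validate_pubkey_line() {
  [ "$(printf '%s\n' "$1" | wc -l | tr -d ' ')" -eq 1 ] || return 1
  set -- $1
  case "${1-}" in
    ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) return 1 ;;
  esac
  [ -n "${2-}" ] && [ "$(pubkey_blob_type "$2")" = "$1" ]
}

mode_of() { ls -ld "$1" | cut -c1-10; }   # e.g. drwx------ or -rw-------

# Append a key to authorized_keys with the modes StrictModes insists on
# (directory 700, file 600), creating both if needed and skipping duplicates.
install_pubkey() {
  sshdir=$1 line=$2 ak=$1/authorized_keys
  validate_pubkey_line "$line" || { echo "rejected key line: $line" >&2; return 1; }
  [ -d "$sshdir" ] || mkdir -m 700 "$sshdir"
  chmod 700 "$sshdir"
  [ -e "$ak" ] || : > "$ak"
  chmod 600 "$ak"
  grep -qxF -- "$line" "$ak" && return 0
  # the post's "press ENTER after the last key": never glue onto an unterminated line
  [ -s "$ak" ] && [ "$(tail -c 1 "$ak" | wc -l | tr -d ' ')" -eq 0 ] && printf '\n' >> "$ak"
  printf '%s\n' "$line" >> "$ak"
}

# Set a directive in sshd_config in place. sshd honours the first occurrence,
# so the first matching line (active or commented out) is rewritten and later
# duplicates cannot override it; the directive is appended if absent. Keep
# global settings above any Match block, or the first occurrence may be inside one.
set_sshd_option() {
  cfg=$1 tmp=$(mktemp)
  awk -v k="$2" -v v="$3" '
    { l = $0; sub(/^[ \t]*#?[ \t]*/, "", l); split(l, f, /[ \t]+/) }
    !done && tolower(f[1]) == tolower(k) { print k " " v; done = 1; next }
    { print }
    END { if (!done) print k " " v }
  ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
  rm -f "$tmp"
}

# First active value of a directive, i.e. what sshd will use.
get_sshd_option() {
  awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Validate before restarting: a typo plus a restart leaves no sshd listening,
# and the session you are typing in is then the only way back.
apply_sshd_config() {
  sshd -t -f "$1" || { echo "sshd_config rejected by sshd -t, not restarting" >&2; return 1; }
  service sshd restart
}

# Dry run in a scratch directory with a constructed, truncated ssh-rsa blob
# (type + exponent only; not a usable key). Real use:
#   install_pubkey ~/.ssh "$(cat ~/.ssh/id_rsa.pub)"
#   set_sshd_option /etc/ssh/sshd_config PermitRootLogin without-password && apply_sshd_config /etc/ssh/sshd_config
demo() {
  tmp=$(mktemp -d)
  key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB demo@constructed'
  install_pubkey "$tmp/.ssh" "$key" && install_pubkey "$tmp/.ssh" "$key"   # second call: no duplicate
  cat "$tmp/.ssh/authorized_keys"; mode_of "$tmp/.ssh"; mode_of "$tmp/.ssh/authorized_keys"
  printf '#PermitRootLogin yes\nPasswordAuthentication yes\n' > "$tmp/sshd_config"
  set_sshd_option "$tmp/sshd_config" PermitRootLogin without-password
  get_sshd_option "$tmp/sshd_config" PermitRootLogin
  rm -rf "$tmp"
}
case "${1-}" in demo) demo ;; esac
```

Run it as `sh thisfile.sh demo` to see the dry run. The blob check is the part worth keeping even if you paste by hand: a public key line whose prefix disagrees with the type encoded in its own base64 is exactly what a mis-typed "ssh-dsa" or a key pasted across two lines looks like, and sshd will reject it without saying why.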
Benefits to using SSH keys:- Once you create a key pair, you can use the SAME public key on every server you have root access to: one passphrase unlocks the one private key that opens them all. The flip side is that the private key file is now the thing to protect; if it is copied off your machine, only its passphrase stands between the thief and every one of those servers, which is why the passphrase must not be blank.
- If your sysadmin buddy changes the root password for some reason, you can STILL LOG IN via SSH (the key does not depend on the password) and use passwd to change the root password to something secure that you can remember.
- Very secure: an attacker would need both your private key file and its passphrase to log in as root. Anyone trying a password will fail just as if you had turned off root logins, but without the messy su to root.
If you haven't already installed APF/AD/BFD on your server, or rootkithunter, or updated logwatch, you should do so now.
Also, don't give SSH to ANYONE unless you absolutely HAVE to, and if you MUST do so, make sure it is a jailshell.
[EDIT:] I knew I forgot something else I wanted to add... a discussion of how you can be notified via e-mail whenever someone successfully logs into your server as root. This can be handy since most of you probably only have yourselves or perhaps 1-2 others typically logging into your server(s), so a root login you don't expect is your cue to go check the server.
To do that, log in as root to your server using your new SSH key and then, from the /root directory (which should be where you start), open root's login script in pico (on a typical Linux server where root's shell is bash, that file is /root/.bash_profile, which runs once per login).
Scroll to the end of the file then add the following:
Code:
# "who am i" (not plain "who") reports this session only; "who" lists every logged-in user
echo "ALERT - Root Shell Access (YourServerName) on: $(date) $(who am i)" | mail -s "Alert: Root Access from $(who am i | cut -d'(' -f2 | cut -d')' -f1)" you[at]yourdomain.com
Replace YourServerName with the hostname of your server.
Replace you[at]yourdomain.com with your actual e-mail address.
Press CTRL-X, Y, ENTER/RETURN to save the changes.
Now go ahead and log out and back in. Shortly thereafter you should get a mail with the hostname, date, time and where the login came from (typically the reverse DNS record of the client's IP address, or the IP address itself). Treat this as a tripwire, not a guarantee: anyone who already has root can edit this file or stop the mail, so its value lies in the copy that has already left the box by the time they do.
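A sturdier form of the same tripwire, as an added example that is not from the original post. It takes the client address from the SSH_CONNECTION variable that sshd sets for the session instead of parsing who, which lists every logged-in user; it fires only for SSH sessions (console logins and su are skipped, a deliberate narrowing of the post's version); and it falls back to syslog via logger when mail is not installed. ALERT_TO and demo-host are placeholders, and the SSH_CONNECTION value in the dry run is constructed (203.0.113.5 is a documentation address).

```shell
#!/bin/sh
# Added example, not code from the original post: the same root-login tripwire,
# but the client address comes from SSH_CONNECTION (set by sshd for this session)
# instead of parsing `who`, which lists every logged-in user; it fires only for
# SSH sessions, and falls back to syslog when mail(1) is absent. Usage: append
# this file's contents plus a line "notify_root_login" to /root/.bash_profile
# (assumed bash login shell). ALERT_TO is a placeholder address.
ALERT_TO=${ALERT_TO-"you[at]yourdomain.com"}

# First field of "client_ip client_port server_ip server_port". An argument
# overrides the environment so the parser can be run on a constructed value.
ssh_client_ip() {
  set -- ${1-$SSH_CONNECTION}
  [ -n "${1-}" ] && printf '%s\n' "$1"
}

root_alert_subject() { printf 'Alert: Root Access on %s from %s\n' "$1" "$2"; }
root_alert_body()    { printf 'ALERT - Root Shell Access (%s) on: %s from %s\n' "$1" "$(date)" "$2"; }

# Report a real SSH login shell only: console logins, su and ordinary
# sub-shells have no SSH_TTY and are skipped.
notify_root_login() {
  [ -n "${SSH_TTY-}" ] || return 0
  ip=$(ssh_client_ip) || return 0
  host=$(hostname)
  if command -v mail >/dev/null 2>&1; then
    root_alert_body "$host" "$ip" | mail -s "$(root_alert_subject "$host" "$ip")" "$ALERT_TO"
  else
    logger -p auth.notice -t root-login "$(root_alert_body "$host" "$ip")"
  fi
}

# Dry run on a constructed SSH_CONNECTION value (203.0.113.5 is a documentation
# address); nothing is mailed.
demo() {
  ip=$(ssh_client_ip '203.0.113.5 54321 198.51.100.2 22')
  root_alert_subject demo-host "$ip"
  root_alert_body demo-host "$ip"
}
case "${1-}" in demo) demo ;; esac
```

The logger fallback matters on a box where mail was never set up: a root login that produces no record at all is worse than one that only lands in /var/log/secure, and a remote syslog target survives an intruder editing .bash_profile in a way the local file does not.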
This isn't meant to be a complete list of every security precaution you could/should take, but it is an important first step.
Regards,
Aric