From Notes Wiki
Jump to: navigation, search
Home > CentOS > CentOS 6.x > OpenSSH > Configuring authorized keys file for public key based access

Configuring authorized keys file for public key based access

It is possible to establish trusted SSH connection between two computers based on public/private key pair and authorized_keys configuration file. In case the connection would be established manually and not using some script use of passphrase to protect keys as explained at Passphrase for ssh-keys is recommended.


Basic authorized_keys configuration

To create ssh public/private key pair use:

ssh-keygen

command which would generate appropriate keys and place them in ~/.ssh folder automatically.

Now to allow password-less access from current machine to a remote machine copy ~/.ssh/id_rsa.pub file to remote machine at ~/.ssh/authorized_keys location. The authorized_keys file can have multiple public keys in separate lines. The permissions on authorized_keys file should be 600.


Restricting use of keys from specific hosts

One can restrict use of given public key from specific host by preceding the public key in authorized_keys file with 'from="<host>"' option where <host> definition can use wildcards '*' and '?'. Example specifications are:

from="10.4.15.6" <public-key> <comment>
from="10.4.15.*" <public-key> <comment>


Restricting use of commands by authorized_keys

To restrict use of authorized_keys so that they can only be used only for specific command use:

command="<forced-command>"

Note that in this case the forced-command will be executed even if the ssh-client requested for execution of some other command.


Combining multiple options

To specify more than one option such as both 'from' and 'command', the options can be specified one after other separated by comma(,) without leaving space anywhere in the entire option string. Example configuration that restricts use of particular key to 'ls' command from IP 10.4.15.6 is:

from="10.4.15.6",command="ls" <public-key> <public-key-comment>


Restricting ssh facilities

Various ssh-facilities can be restricted by use of other options such as:

no-port-forwarding 
To disable port forwarding
no-X11-forwarding 
To disabler X11 forwarding
no-agent-forwarding 
To disable agent forwarding so that one can use ssh-agent to forward connections to other trusted computers using agent. Refer to http://www.unixwiz.net/techtips/ssh-agent-forwarding.html to understand agent forwarding properly.
no-pty 
To disable allocation of pty using given key


Troubleshooting public-key or authorized key based login failures

If public-key based login is not working verify following:

  1. The authorized_keys file on remote server has exact same public key as ~/.ssh/id_rsa.pub or other public key on local machine.
  2. The permissions on .ssh folder is 700 and authorized_keys file is 600
  3. SELinux is disabled. You can verify if SELinux is not allowing sshd to read ~/.ssh or ~/.ssh/authorized_keys using /var/log/messages
  4. The key is of right-type openSSH vs SSH2 (Refer http://burnz.wordpress.com/2007/12/14/ssh-convert-openssh-to-ssh2-and-vise-versa/ )
  5. The public-key was generated without using passphrase. May be prompt is for key password and not for remote user ssh password.
  6. On both machines home folder ownership is correct 'chown $USER:$USER ~'
  7. Others and groups do not have read/write permission on home folder on both machines 'chown go-rw ~'
  8. Target machines sshd configurtion should have PubKeyAuthentication yes
  9. Verify that default path of AuthorizedKeysFile in not changed on remote server sshd configuration

If still problem persists ssh from client using '-vv' flag and on destination use 'tail -f /var/log/secure' to see what is going on.

Information learned from http://www.eng.cam.ac.uk/help/jpmg/ssh/authorized_keys_howto.html

Home > CentOS > CentOS 6.x > OpenSSH > Configuring authorized keys file for public key based access