Configuring authorized keys file for public key based access

From Notes_Wiki
Revision as of 05:16, 21 March 2013 by Saurabh


It is possible to establish a trusted SSH connection between two computers based on a public/private key pair and the authorized_keys configuration file. If the connection is established manually rather than by a script, protecting the private key with a passphrase, as explained at Passphrase for ssh-keys, is recommended.


Basic authorized_keys configuration

To create an SSH public/private key pair, run:

ssh-keygen

which generates the key pair and places it in the ~/.ssh folder automatically.

To allow password-less access from the current machine to a remote machine, copy the ~/.ssh/id_rsa.pub file to ~/.ssh/authorized_keys on the remote machine. The authorized_keys file can hold multiple public keys, one per line. The permissions on the authorized_keys file should be 600.


Restricting use of keys from specific hosts

One can restrict a given public key to specific hosts by preceding it in the authorized_keys file with the 'from="<host>"' option, where the <host> pattern can use the wildcards '*' and '?'. Example specifications are:

from="10.4.15.6" <public-key> <comment>
from="10.4.15.*" <public-key> <comment>


Restricting use of commands by authorized_keys

To restrict a key so that it can only be used for a specific command, use:

command="<forced-command>"

Note that in this case the forced command is executed even if the ssh client requested execution of some other command.


Combining multiple options

To specify more than one option, such as both 'from' and 'command', list the options one after another separated by commas (,), without any space anywhere in the option string. An example configuration that restricts a particular key to the 'ls' command from IP 10.4.15.6 is:

from="10.4.15.6",command="ls" <public-key> <public-key-comment>


Restricting ssh facilities

Various SSH facilities can be restricted with further options such as:

no-port-forwarding
To disable port forwarding
no-X11-forwarding
To disable X11 forwarding
no-agent-forwarding
To disable agent forwarding. Agent forwarding lets a user's ssh-agent authenticate onward connections from this server to other trusted computers; refer to http://www.unixwiz.net/techtips/ssh-agent-forwarding.html to understand agent forwarding properly.
no-pty
To disable allocation of a pty when the given key is used
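As an added example (not part of this wiki page), a small Python audit script that parses authorized_keys lines using the option syntax described above (comma-separated options, quoted values that may contain commas and spaces, from= wildcards) and reports which of the restrictions each key lacks and whether a given client host could use it. The sample file content and key blobs are constructed placeholders.

```python
import fnmatch
import re

# Constructed sample authorized_keys content (not from the page); key blobs are placeholders.
SAMPLE = """\
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0placeholder alice@laptop
from="10.4.15.6",command="ls" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1placeholder backup@host
from="10.4.15.*",no-port-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholder monitor@host
"""
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# Restrictions the page discusses; a key lacking any of them is reported.
RESTRICTIONS = ("from", "command", "no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding", "no-pty")
# Option prefix ends at the first unquoted whitespace; each option is name or name="value" (quoted
# values may hold commas and spaces, \" escapes a quote), and options are comma-separated.
OPTS_PREFIX = re.compile(r'(?:[^\s"]|"(?:[^"\\]|\\.)*")+')
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|$)')

def parse_line(line):
    """One authorized_keys line -> {'options','type','key','comment'}; None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts = {}
    if line.split(None, 1)[0] not in KEY_TYPES:  # the line carries an option prefix
        prefix = OPTS_PREFIX.match(line).group(0)
        for m in OPTION.finditer(prefix):
            value = m.group(2)  # None for flag options such as no-pty
            opts[m.group(1).lower()] = True if value is None else re.sub(r"\\(.)", r"\1", value)
        line = line[len(prefix):].lstrip()
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("malformed authorized_keys line: " + line)
    return {"options": opts, "type": parts[0], "key": parts[1], "comment": parts[2] if len(parts) > 2 else ""}

def from_allows(from_value, host):
    """True if host matches the from= pattern list ('*' and '?' wildcards, comma-separated)."""
    if not isinstance(from_value, str):
        return True  # no from= option at all: any host may use the key
    return any(fnmatch.fnmatchcase(host, pattern) for pattern in from_value.split(","))

def audit(content, client_host):
    """Per key: which of RESTRICTIONS it lacks, and whether client_host could use it at all."""
    report = []
    for lineno, raw in enumerate(content.splitlines(), 1):
        entry = parse_line(raw)
        if entry is None:
            continue
        report.append({"line": lineno, "comment": entry["comment"],
                       "missing": [r for r in RESTRICTIONS if r not in entry["options"]],
                       "usable_from": from_allows(entry["options"].get("from"), client_host)})
    return report
```

Run audit(SAMPLE, "10.4.15.6") to see that the unrestricted first key is usable from anywhere and lacks every restriction, while the third key lacks only command, no-X11-forwarding and no-agent-forwarding.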


Information learned from http://www.eng.cam.ac.uk/help/jpmg/ssh/authorized_keys_howto.html
