FreeBSD OpenSSH key authentication ssh-keygen ssh-agent ssh-add

In the previous article, we discussed a lot about the SSH protocol with its OpenSSH application. The article discusses how to configure and use an SSH server and SSH client on the FreeBSD operating system. In this article, I want to talk about SSH authentication based on key pairs, and at the same time consider another program from the software package, the SSH protocol, on the FreeBSD system.

SSH (or secure shell) is an SSH network protocol that protects communications with servers by encrypting data. SSH is the safest and most commonly used way to interact between server computers and client computers. There are several authentication methods, in this article we only explain passwordless SSH authentication.


1. How do SSH keys work?

Each SSH Server can authenticate clients in a variety of ways, the most common of which are password-based authentication and SSH key-based authentication. The main disadvantage of passwords is that they are usually created manually, so they are very simple and short, and easy to hack or take. SSH keys offer a safer and more secure alternative to passwords. SSH key pairs can be used for authentication, but instead of passwords, each SSH key pair consists of a private key and a public key.

The private key functions like a regular password and is stored on the client's computer. If a third party knows your private key, they will be able to access the server and steal all your data. Usually the length of the private key is at least 2048 bits. You can also protect it with a passphrase (this is the password that is requested when you try to use the private key). Passphrases can protect private keys in case of unauthorized access.

Meanwhile, the corresponding public key can be freely disclosed. The public key is used to encrypt messages that can only be decrypted using the private key. To set up authentication based on SSH keys, you need to add the public key to the user account on the remote server and it is usually stored in the ".ssh/authorized_keys" directory.

When a client tries to contact a remote server, the SSH server will verify the client's private key, it must match one of the server's public keys. If the two keys match, the client successfully authenticates and can start a session.

In general, the principles of public key authentication in the SSH protocol are as follows:
  1. Using the ssh-keygen program, to create a public key and private key pair.
  2. The resulting kucni will be kept secret and never shown to anyone.
  3. The public key is copied to the remote SSH server and placed in a special file. On FreeBSD by default it is located at ~/.ssh/authorized_keys.
  4. The client sends its public key to the SSH server and requests authentication using this key.
  5. The server will check the ~/.ssh/authorized_keys directory. If the key is found, the SSH server sends a message to the client encrypted with the found user's public key.
  6. The client must decrypt the message using its private key. If the private key is password protected the ssh program will ask the user to enter the password, which will first decrypt the key itself.
  7. If the message is decrypted, the correct public and private keys are deemed to match and the user is granted access to the system.

2. Creating SSH keys using the ssh-keygen

On the client computer where you will connect to the OpenSSH remote server, you need to create a key pair (public and private). The private key is stored on the client (don't give it to anyone), and the public key should be copied to the ~/.ssh/authorized_keys directory on the SSH server. To generate these two keys, use the ssh-keygen utility. By default, it creates a 2048-bit RSA key.

We will create a pair of RSA keys, this is the recommended format. By default, the ssh-keygen utility will generate 2 files:
~/. ssh/id_rsa (private key), and
~/. ssh/id_rsa. pub (public key)
root@ns6:~ # ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): router1
Enter same passphrase again: router1
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:QlRa74+s1YELKSyHGQUwUPkdyZFM/3cz7UL9DK2+gJU root@ns6
The key's randomart image is:
+---[RSA 4096]----+
|.o+o.===o        |
|  .. o*+ .       |
|   ...o.. .      |
|    .*.  + . . + |
|    + = S + E * +|
|     o o o O + B.|
|          * + o +|
|         o   o . |
|        .     o. |
+----[SHA256]-----+
In the example script above, we created the password "router1" for the two SSH keys.


3. Configuring Public Key Authentication On SSH Server

To activate these two keys, the SSH server must be configured. SSH Server (in this example, it is a remote computer with FreeBSD 13.2 and the OpenSSH service configured). Now copy the public key to the remote SSH server.

Example command
cat id_rsa.pub | ssh username@IPaddress "cat >> ~/.ssh/authorized_keys"
root@ns6:~ # cd .ssh
root@ns6:~/.ssh # ls
id_rsa          id_rsa.pub
root@ns6:~/.ssh # cat id_rsa.pub | ssh root@192.168.5.2 "cat >> ~/.ssh/authorized_keys"
The authenticity of host '192.168.5.2 (192.168.5.2)' can't be established.
ED25519 key fingerprint is SHA256:WpdCFPbgIgcvkDmCr8Cw1XWvU9Yej73honnnS34YsP8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.5.2' (ED25519) to the list of known hosts.
root@192.168.5.2's password: router
root@ns6:~/.ssh # ls
authorized_keys id_rsa          id_rsa.pub      known_hosts     known_hosts.old
root@ns6:~/.ssh #
In the example script above we use the username "root" with the password "router", because the router is the password for logging in to the root user. Now you have added the public key for the remote user and the server can accept the private key for authentication.


4. Using the ssh-agent and ssh-add

As mentioned in the description above, each private key is always protected by a password. For users, this causes inconvenience, users have to enter a password every time they connect to a remote SSH server. With a public key the user does not have to enter a password to connect to the SSH server. In this case OpenSSH has provided ssh-agent and ssh-add.

Once the key is generated, you can add the private key to the SSH Agent service, and you can easily manage the private key for authentication. The ssh-agent and ssh-add utilities allow you to store SSH keys in memory so you don't have to type a passphrase every time you use the key. The ssh-agent utility provides an authentication process with secret keys loaded into it; to do this, the ssh-agent utility must start an external process.

To use ssh-agent in a shell, provide a shell as the command's parameter. So, run the ssh-agent.
root@ns6:~/.ssh # ssh-agent csh
root@ns6:~/.ssh # ssh-add
Enter passphrase for /root/.ssh/id_rsa: router1
Identity added: /root/.ssh/id_rsa (root@ns6)
root@ns6:~/.ssh #
After everything is configured, edit the "/etc/ssh/sshd_config" file, and change the parameters below.

PubkeyAuthentication yes
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no

Restart the SSH daemon on FreeBSD.
root@ns6:~/.ssh # service sshd restart
You have successfully set up SSH authentication on FreeBSD by using a public RSA key. Now you can use authentication methods to securely access to remote SSH servers, automatically leverage port forwarding in SSH tunnels, run scripts, and other automation tasks.
Iwan Setiawan

I Like Adventure: Mahameru Mount, Rinjani Mount I Like Writer FreeBSD

Post a Comment

Previous Post Next Post