Generating and using SSH keys for authentication

Setting up SSH keys

SSH keys

SSH keys are great, but remember to keep your private key (~/.ssh/id_rsa by default) safe: put a passphrase on it, and never copy it to a shared host or check it into a repository. Check out the “Top 20 OpenSSH Server Best Security Practices” article at cyberciti.biz for server-side hardening tips. That said, all you need to do to use SSH key authentication is to generate a key pair (public and private) and copy the public key to the remote server.

To generate a new key (add -b 4096 if you want a larger RSA modulus than the default):
ssh-keygen -t rsa

Here’s an example that includes the output:
[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx root@localhost

This will also create the ~/.ssh directory with the correct permissions (0700) if it doesn’t already exist, along with the private key (id_rsa, mode 0600) and the public key (id_rsa.pub). You can specify a different file name with -f, which is useful for keeping multiple keys. You can also generate keys for users other than root. Switching to that user with su is the easiest way to do this, because the files are then created with the right ownership and permissions and won’t need to be fixed later:

[root@localhost ~]# su - user1
[user1@localhost ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user1/.ssh/id_rsa):
Created directory '/home/user1/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user1/.ssh/id_rsa.
Your public key has been saved in /home/user1/.ssh/id_rsa.pub.
The key fingerprint is:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx user1@localhost

The public key then needs to be added to the remote server’s ~user/.ssh/authorized_keys file. The quickest way is scp, but be aware that this overwrites any keys already authorized for that account, so append instead (or use ssh-copy-id, which does that for you) if the file already exists. The remote ~/.ssh must be mode 0700 and authorized_keys 0600 and both owned by the user, or sshd (with the default StrictModes yes) will silently ignore the file:
scp .ssh/id_rsa.pub remotehost:.ssh/authorized_keys
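As an added example (not from the original post), here is a small POSIX shell function that does what the scp above does without its pitfalls: it creates ~/.ssh with the right mode, appends the key only if the same key is not already present (comparing key type and blob, so a different comment does not produce a duplicate), and leaves authorized_keys at 0600. The function names and the sample key line are constructed for illustration; the demo runs against a throwaway directory, so it is safe to try anywhere.

```shell
#!/bin/sh
# Added example: idempotently install a public key into a user's
# authorized_keys with the permissions sshd's StrictModes requires.
# Function names and the demo key below are constructed, not real.

# install_authorized_key PUBKEY_FILE HOME_DIR
#   Appends the key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys unless
#   the same key (type + base64 blob; the comment is ignored) is already
#   there. Returns 0 when the key was added, 1 when it was already present.
#   Lines carrying options (command="..." ssh-rsa ...) are not matched.
install_authorized_key() {
    pubkey_file=$1
    home_dir=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # ~/.ssh must be 0700 (and owned by the user) or sshd ignores it.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"

    # Key identity is "type blob"; the third field is only a comment.
    key_id=$(awk '{print $1, $2}' "$pubkey_file")
    if [ -f "$auth_keys" ] && awk '{print $1, $2}' "$auth_keys" | grep -Fxq "$key_id"; then
        return 1
    fi

    # Append, never overwrite: other keys may already be authorized here.
    cat "$pubkey_file" >> "$auth_keys"
    chmod 600 "$auth_keys"
    return 0
}

# remote_install_authorized_key PUBKEY_FILE USER@HOST
#   Same idea over an existing (password) login; umask 077 makes the
#   directory and file come out 0700/0600. ssh-copy-id does this for you
#   on most systems. Not exercised by the demo below (needs a real host).
remote_install_authorized_key() {
    ssh "$2" 'umask 077; mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys' < "$1"
}

# Demo on a throwaway directory with a constructed (not real) key line.
demo_home=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0constructed/not+a+real+key== user1@localhost\n' \
    > "$demo_home/id_rsa.pub"
install_authorized_key "$demo_home/id_rsa.pub" "$demo_home" && echo "key added"
install_authorized_key "$demo_home/id_rsa.pub" "$demo_home" || echo "key already present"
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

Running it twice prints "key added" then "key already present", and the listing shows drwx------ for .ssh and -rw------- for authorized_keys, which is what sshd expects.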

Some additional notes on using SSH keys

Verbose output: ssh -vv -l user host

Specify a key to use with the -i flag:
ssh -i /path/to/key -l user host

ssh-keygen flags

Change a passphrase on a key: -p

Specify the key size in bits: -b 2048 (the minimum you should use for RSA; 4096 is common)

Change the comment on an existing key: -c (use -C "comment" to set it when generating)


MidpSSH – SSH Client for Mobile Devices

MidpSSH is a mobile SSH client, think PuTTY for your cellphone. Its features include SSH2 support, saved session profiles, macros for frequent commands, and more.

The list of supported devices is pretty impressive as well. It’s great on a Blackberry device, but also works on quite a few Nokia, Motorola, Samsung, Siemens, LG, and Sony-Ericsson phones (and many others, too!).


Installing Fail2Ban on CentOS 5

Fail2Ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IPs that make too many password failures, by adding firewall rules that reject the IP address. These rules (how many attempts before banning, how long the ban lasts, etc.) are defined by the user. Fail2Ban can read multiple log files, such as the sshd and Apache web server ones.
You may need an additional repo for this. If so, see my post on rpmforge for additional info.

To install and configure fail2ban:

Install: yum install fail2ban

Configure: edit /etc/fail2ban/jail.conf (and fail2ban.conf if needed), with special attention to the following. If your version supports it, put your overrides in jail.local instead so a package update doesn’t clobber them:
# Option: ignoreip
# Notes.: space separated list of IP's to be ignored by fail2ban.
# You can use CIDR mask in order to specify a range.
# Example: ignoreip = 192.168.0.1/24 123.45.235.65
# Values: IP Default: 192.168.0.0/16
#
ignoreip = 127.0.0.1 192.168.0.0/16

Fail2Ban never bans anything listed in ignoreip, so keep this as tight as you can: 192.168.0.0/16 (which is what 192.168.0.1/16 means too) exempts the whole private /16, so a compromised host anywhere on that LAN can brute-force sshd without ever being banned. If only one management subnet needs the exemption, list that /24 instead.

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=youraddress@yourdomain.com, sender=fromaddress@yourdomain.com]
logpath  = /var/log/secure
maxretry = 3

Note that logpath needs to point at the log file you want Fail2Ban to watch for failures; on CentOS 5 sshd logs to /var/log/secure. The sendmail-whois line is a continuation of the action setting (note the indentation), and port=ssh must be changed if sshd listens somewhere other than 22, or the iptables rule will block the wrong port.

The finishing touches:
chkconfig fail2ban on
service fail2ban start
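To see what the jail above actually does with a log, here is an added example (not part of the original post, and not Fail2Ban’s own code) that reproduces the core of the sshd filter plus the maxretry count over a /var/log/secure-style file, with an exact-match stand-in for ignoreip. The function names and the log lines are constructed for illustration; real Fail2Ban also applies a findtime window and understands CIDR ranges in ignoreip, which this omits.

```shell
#!/bin/sh
# Added example: the sshd filter + maxretry logic of the jail above,
# run over a /var/log/secure-format file. Constructed for illustration,
# not Fail2Ban's own code; no findtime window, ignore list is exact IPs.

# ssh_failures LOGFILE
#   Prints one source IP per failed sshd password attempt, matching the
#   same lines the stock "sshd" filter does (including "invalid user").
ssh_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++)
                 if ($i == "from") { print $(i + 1); break }
         }' "$1"
}

# ban_candidates LOGFILE MAXRETRY [IGNOREIP ...]
#   Prints "IP COUNT" for every IP with at least MAXRETRY failures that is
#   not in the ignore list. This is what the iptables action would ban.
ban_candidates() {
    logfile=$1; maxretry=$2; shift 2
    ignore=" $* "
    ssh_failures "$logfile" | sort | uniq -c |
        awk -v max="$maxretry" -v ignore="$ignore" \
            '$1 >= max && index(ignore, " " $2 " ") == 0 { print $2, $1 }'
}

# Demo on constructed log lines (the addresses are documentation ranges).
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Mar  3 10:01:02 localhost sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 localhost sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:09 localhost sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:02:00 localhost sshd[2210]: Accepted publickey for user1 from 192.168.0.10 port 40022 ssh2
Mar  3 10:02:30 localhost sshd[2215]: Failed password for user1 from 192.168.0.10 port 40030 ssh2
Mar  3 10:02:33 localhost sshd[2215]: Failed password for user1 from 192.168.0.10 port 40030 ssh2
Mar  3 10:02:36 localhost sshd[2215]: Failed password for user1 from 192.168.0.10 port 40030 ssh2
Mar  3 10:03:00 localhost sshd[2220]: Failed password for invalid user test from 198.51.100.9 port 33000 ssh2
EOF
echo "Would ban with maxretry=3, ignoring 192.168.0.10:"
ban_candidates "$demo_log" 3 192.168.0.10
echo "Would ban with maxretry=3 and an empty ignore list:"
ban_candidates "$demo_log" 3
rm -f "$demo_log"
```

With the sample log, 203.0.113.7 (three failures) is the only ban candidate once 192.168.0.10 is ignored; drop the ignore entry and the internal host, which also hit three failures, is banned too, and 198.51.100.9 never reaches the threshold. This is also a handy way to sanity-check a filter against a real log before enabling the jail: pipe the output of the two functions against /var/log/secure and compare with what fail2ban-regex reports.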

Fail2Ban can be used for all kinds of other things too, such as blocking spammers on a mail server or abusive clients on a web server; each one is just another filter and jail.

Also, keep in mind that you’ll need sendmail (or some other MTA) running if you want to receive the Fail2Ban notifications. You can simply relay through your mail server by adding its FQDN to the DS (smart host) line in /etc/mail/sendmail.cf and restarting sendmail; if you later regenerate sendmail.cf from sendmail.mc, set SMART_HOST there instead or the change is lost.


Cisco SSH Commands

Show if SSH is enabled:
hostname# show ip ssh

To view SSH connections:
hostname# show ssh

Required for SSH
Set the domain name (the RSA key is named after hostname.domain-name, so the hostname should already be set):
hostname(config)# ip domain-name YourDomain

Generate an RSA key pair (IOS prompts for the modulus size; use at least 2048 bits):
hostname(config)# crypto key generate rsa

Other SSH Options
Set the SSH Negotiation phase timeout interval (in seconds):
hostname(config)# ip ssh time-out 120

Set the maximum number of authentication attempts:
hostname(config)# ip ssh authentication-retries 3

Change the SSH port (on IOS the port is tied to a rotary group, and the vty lines need a matching rotary 1 line command):
hostname(config)# ip ssh port 2222 rotary 1

Related Commands
Delete the RSA key pair:
hostname(config)# crypto key zeroize rsa

Disable Telnet, allowing SSH only (note the prompt changes to line configuration mode; also consider ip ssh version 2 so SSHv1 is never negotiated):
hostname(config)# line vty 0 4
hostname(config-line)# transport input ssh

Thanks to itsyourip.com
