Introduction
In this challenge, you will configure key-based authentication for SSH, which is a more secure alternative to password-based authentication. You will generate a public-private key pair, authorize the public key on the server, and configure the SSH service to allow connections using the key. This will enable you to log in to the SSH server without a password, enhancing security and convenience.
Generate a Public-Private Key Pair
The first step is to create a cryptographic key pair. This pair consists of a private key, which you must keep secret, and a public key, which you will place on the server to authorize access.
Tasks
- Generate a new RSA public-private key pair using the ssh-keygen command.
Requirements
- Switch to the testuser account before generating the key pair.
- Generate the key pair as the testuser user.
- Use the default file location when prompted (/home/testuser/.ssh/id_rsa).
- Do not set a passphrase for the private key (press Enter when prompted for a passphrase).
Getting Started
First, switch to the testuser account:
su - testuser
## Password: testuser123
Example
After generating the key pair, you can list the files in the ~/.ssh directory to see your new keys.
$ ls -l ~/.ssh
total 8
-rw------- 1 testuser testuser 3401 Aug 19 03:49 id_rsa
-rw-r--r-- 1 testuser testuser 759 Aug 19 03:49 id_rsa.pub
The id_rsa file is your private key, and id_rsa.pub is your public key.
Authorize Public Key and Configure SSH Server
Now that you have a key pair, you must configure the server. This involves two main actions: adding your public key to the list of authorized keys and ensuring the SSH service is configured to accept key-based authentication.
Prerequisites
Make sure you are still logged in as the testuser account. If not, switch to it:
su - testuser
## Password: testuser123
Tasks
- Copy your public key to the ~/.ssh/authorized_keys file.
- Set the correct file permissions for ~/.ssh/authorized_keys.
- Modify the SSH server configuration file (/etc/ssh/sshd_config) to enable public key authentication.
- Reload the SSH service to apply the configuration changes.
Requirements
- The file ~/.ssh/authorized_keys must be created and contain the content of your public key (~/.ssh/id_rsa.pub).
- The permissions for ~/.ssh/authorized_keys must be 600.
- In /etc/ssh/sshd_config, PubkeyAuthentication must be uncommented and set to yes.
- The SSH service configuration must be reloaded using sudo pkill -HUP sshd.
Hints
- You can use the cat command with output redirection (>>) to add the key to the authorized_keys file.
- Use the chmod command to set file permissions.
- The testuser has sudo privileges to edit /etc/ssh/sshd_config and to reload the sshd service.
- Since systemctl is not available in this container environment, use pkill to send a HUP signal to the sshd process, which causes it to reload its configuration.
Example
After completing these steps, you should be able to log into localhost using your SSH key without being prompted for a password.
$ ssh testuser@localhost "echo Login successful"
Login successful
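The script below is an added example, not part of the original challenge: it checks the end state the requirements describe (public key listed in authorized_keys, file mode 600, PubkeyAuthentication uncommented and set to yes). The function names and the sample files are constructed for illustration, and the config check assumes only the global section of sshd_config matters.

```shell
#!/usr/bin/env bash
# Added example: verify the end state the challenge asks for.
# Function names are hypothetical; every path is passed in as an argument.

# True if the key in public-key file $1 is listed in authorized_keys file $2.
key_is_authorized() {
    local type blob rest
    read -r type blob rest < "$1" || true   # tolerate a missing final newline
    [ -n "$blob" ] || return 1
    awk -v t="$type" -v b="$blob" '
        $1 ~ /^#/ { next }                  # skip comment lines
        { for (i = 1; i < NF; i++) if ($i == t && $(i + 1) == b) found = 1 }
        END { exit !found }' "$2"
}

# True if file $1 has exactly mode 600 (stat -c is GNU coreutils syntax).
mode_is_600() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# True if the first uncommented PubkeyAuthentication line in sshd_config $1
# says yes. Assumption: only the global section is read; parsing stops at the
# first Match block.
pubkey_auth_enabled() {
    awk '
        { line = $0; sub(/[=]/, " ", line); n = split(line, f, " ") }
        n == 0 || f[1] ~ /^#/ { next }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == "pubkeyauthentication" { val = tolower(f[2]); exit }
        END { exit !(val == "yes") }' "$1"
}

# Constructed sample files (the key blob is a placeholder, not a real key).
demo=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCONSTRUCTED testuser@lab' > "$demo/id_rsa.pub"
cat "$demo/id_rsa.pub" >> "$demo/authorized_keys"
chmod 600 "$demo/authorized_keys"
printf '#PubkeyAuthentication yes\nPort 22\n' > "$demo/sshd_config.before"
printf 'PubkeyAuthentication yes\nPort 22\n' > "$demo/sshd_config.after"

key_is_authorized "$demo/id_rsa.pub" "$demo/authorized_keys" && echo "key: authorized"
mode_is_600 "$demo/authorized_keys" && echo "mode: 600"
pubkey_auth_enabled "$demo/sshd_config.before" || echo "before: still commented out"
pubkey_auth_enabled "$demo/sshd_config.after" && echo "after: enabled"
```

On the lab machine, pass ~/.ssh/id_rsa.pub, ~/.ssh/authorized_keys and /etc/ssh/sshd_config to the same functions.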
Summary
In this challenge, you learned how to enhance SSH security by configuring key-based authentication. You generated a public-private key pair, authorized the public key on the server by adding it to the authorized_keys file, and modified the SSH server configuration to enable this secure authentication method. By completing this challenge, you have gained a fundamental skill for securely managing remote systems.



